Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
8/25/2017
09:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Continuous Compliance and Effective Audit Preparation for the Cloud

Why audits are a necessary evil, and how they can actually help you improve your brand value.

Unless you spent your childhood with actuarial tables as a best friend, you probably don't like the word "audit." It conjures notions of paperwork and checklists and deadlines, and just a general swirl of annoying action items. What's even worse, is that it suggests the idea that someone suspects you did something wrong, and they're going to watch over you until you can prove you can do it right. It's like an adult version of after-school detention.

For companies that operate in the cloud, audits are used to ensure that companies adhere to rules and commonly accepted best practices. We use cloud security compliance standards to define what these practices are, how enterprises can function with them, and how they can provide a roadmap for better business operations. Standards like NIST 800-53 and NIST 800-171 are required for organizations to do business with the federal government. HIPAA sets the framework for working with privileged and personal health data, and PCI compliance is demanded for organizations doing digital payments. Comply and you can operate at the pleasure of standards organizations. Be out of compliance and your "license" to operate is revoked.

Ideally, an enterprise complies with the requirements of the standards they need/want to adhere to, and then their business functions more securely, more efficiently, and the governing bodies give their everlasting blessing. It would be nice if it were that simple, but that's never how compliance works. New servers are inserted into the IT environment, application updates are deployed, unrelated specs are mandated on top of other specs. With each change to your cloud and its component pieces, your enterprise risks missing something that will likely take it out of compliance. There are hundreds of lines of controls in the NIST 800-53 compliance spreadsheet, and each of those controls has a set of corresponding instructions. If just one of those conditions is not met properly, you're unfortunately out of compliance.

This is clearly a lot to manage, especially when your business needs to remain compliant in the midst of constant business and technology change. To add to your burden, you have to deal with audits that check to see if you’re compliant now, if your processes are optimized to meet compliance standards, and if you've been out of compliance and what, if any, repercussions might have come from that. I've met many auditors, and while generally a pleasant group, they can strike fear into an organization that doesn't fully know what's going on in their cloud infrastructure.

When audited, you will be required to furnish comprehensive reports that detail your compliance and security adherence. Ultimately, the auditor is acting in the interests of the data and the owners of that data. They want to see if that data, or the assets that touch it, have been compromised. There are a lot of records you’ll have to compile and analyze in order to deliver what the auditors request. A Plan of Action and Milestone Template (POAM) will be created which will guide you, under the direction of the auditors, back to a state of compliance.

The idea of manually maintaining a compliant state for your cloud, and being able to keep detailed reports of it over time is a massive undertaking. Beyond just the sheer amount of work it would take to constantly check all the layers of your cloud stack and compare them with compliance controls, there's also the opportunity cost. Managing compliance distracts a highly skilled part of your IT team from performing more business-critical functions.

Two things need to happen if you truly want to be in control of compliance management and be prepared for audits:

  1. You need a tool that can continuously monitor the entirety of your cloud environment;
  2. You need to automate compliance assessment to determine where there might be failures and risks.

Some solutions will deploy agents within your infrastructure - avoid that because it will just give you more to manage. An agent-less, cloud-native solution will work continuously on your behalf and according to the requirements of compliance standards when your data is in AWS, Azure, or any public cloud. You can then use your time more effectively in creating remediation processes that can also be triggered with a cloud-based monitoring and risk assessment solution.

Audits are necessary and actually help you improve your brand value. When validated to operate under specific standards, they open new business potential for your enterprise and increases your potential audience. The actual work of being audited, however, is a pain in the neck unless you've used a cloud monitoring solution that helps you avoid compliance issues and track all your compliance and security activity. When you've done that, your audits still won't be fun, but they'll be a lot less painless and your organization will avoid unnecessary interruption.

 

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
8/28/2017 | 4:19:01 PM
Re: ISO 27001
Dr.T: It's also a component referenced in the NIST Cybersecurity Framework at various layers.

The problem, of course, is that so few people know what it actually, er, says...because of its proprietary nature. :/
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/28/2017 | 4:17:53 PM
Re: Tools
@Dr.T: Interesting. Can you share a bit more about your experience w/ TripWire -- your use cases, etc.?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:38:54 PM
ISO 27001
ISO 27001 is one of the international standards as an information security management system that certifies organizations adhering to proper security rules and commonly accepted best practices.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:34:36 PM
Re: Tools
"There are a lot of good tools out there" One of them is Tripwire I had experience with, good security intelligence tool.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:33:37 PM
Re: Tools
"Most organizations still operate manually in this regard." Good point. Most of these operations are mainly manual for many companies.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:31:59 PM
Re: Very useful article about Cloud Audit preparation
I agree, it is a good paper providing good information.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:31:18 PM
Continuous auditing
Continuous compliance requires continuous auditing, that can only be achieved with the proper tools.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/27/2017 | 9:43:59 AM
Tools
There are a lot of good tools out there (if used properly and if their limits are understood) for maintaining compliance with IT/security policies. Relatively few tools, alas, exist for data governance frameworks or global legal compliance frameworks. Most organizations still operate manually in this regard.
TechnologiesHive
100%
0%
TechnologiesHive,
User Rank: Apprentice
8/25/2017 | 11:04:37 AM
Very useful article about Cloud Audit preparation
Thanks for very deatiled post regarding effective audit preparation, was a good read!
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.