8/25/2017
09:00 AM
Tim Prendergast
Partner Perspectives

Continuous Compliance and Effective Audit Preparation for the Cloud

Why audits are a necessary evil, and how they can actually help you improve your brand value.

Unless you spent your childhood with actuarial tables as a best friend, you probably don't like the word "audit." It conjures notions of paperwork and checklists and deadlines, and just a general swirl of annoying action items. What's even worse is that it suggests that someone suspects you did something wrong, and they're going to watch over you until you can prove you can do it right. It's like an adult version of after-school detention.

For companies that operate in the cloud, audits are used to ensure that companies adhere to rules and commonly accepted best practices. We use cloud security compliance standards to define what these practices are, how enterprises can function with them, and how they can provide a roadmap for better business operations. Standards like NIST 800-53 and NIST 800-171 are required for organizations to do business with the federal government. HIPAA sets the framework for working with privileged and personal health data, and PCI compliance is demanded for organizations doing digital payments. Comply and you can operate at the pleasure of standards organizations. Be out of compliance and your "license" to operate is revoked.

Ideally, an enterprise complies with the requirements of the standards they need/want to adhere to, and then their business functions more securely, more efficiently, and the governing bodies give their everlasting blessing. It would be nice if it were that simple, but that's never how compliance works. New servers are inserted into the IT environment, application updates are deployed, unrelated specs are mandated on top of other specs. With each change to your cloud and its component pieces, your enterprise risks missing something that will likely take it out of compliance. There are hundreds of lines of controls in the NIST 800-53 compliance spreadsheet, and each of those controls has a set of corresponding instructions. If just one of those conditions is not met properly, you're unfortunately out of compliance.

This is clearly a lot to manage, especially when your business needs to remain compliant in the midst of constant business and technology change. To add to your burden, you have to deal with audits that check to see if you’re compliant now, if your processes are optimized to meet compliance standards, and if you've been out of compliance and what, if any, repercussions might have come from that. I've met many auditors, and while generally a pleasant group, they can strike fear into an organization that doesn't fully know what's going on in their cloud infrastructure.

When audited, you will be required to furnish comprehensive reports that detail your compliance and security adherence. Ultimately, the auditor is acting in the interests of the data and the owners of that data. They want to see if that data, or the assets that touch it, have been compromised. There are a lot of records you’ll have to compile and analyze in order to deliver what the auditors request. A Plan of Action and Milestone Template (POAM) will be created which will guide you, under the direction of the auditors, back to a state of compliance.

Manually maintaining a compliant state for your cloud, and keeping detailed reports of it over time, is a massive undertaking. Beyond the sheer amount of work it would take to constantly check all the layers of your cloud stack and compare them with compliance controls, there's also the opportunity cost: managing compliance distracts a highly skilled part of your IT team from performing more business-critical functions.

Two things need to happen if you truly want to be in control of compliance management and be prepared for audits:

  1. You need a tool that can continuously monitor the entirety of your cloud environment;
  2. You need to automate compliance assessment to determine where there might be failures and risks.

Some solutions will deploy agents within your infrastructure - avoid that because it will just give you more to manage. An agent-less, cloud-native solution will work continuously on your behalf and according to the requirements of compliance standards when your data is in AWS, Azure, or any public cloud. You can then use your time more effectively in creating remediation processes that can also be triggered with a cloud-based monitoring and risk assessment solution.

Audits are necessary and actually help you improve your brand value. When you're validated to operate under specific standards, you open new business potential for your enterprise and increase your potential audience. The actual work of being audited, however, is a pain in the neck unless you've used a cloud monitoring solution that helps you avoid compliance issues and track all your compliance and security activity. When you've done that, your audits still won't be fun, but they'll be a lot less painful and your organization will avoid unnecessary interruption.


Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ...
Comments

Joe Stanganelli, User Rank: Ninja, 8/28/2017 | 4:19:01 PM
Re: ISO 27001
Dr.T: It's also a component referenced in the NIST Cybersecurity Framework at various layers.

The problem, of course, is that so few people know what it actually, er, says...because of its proprietary nature. :/

Joe Stanganelli, User Rank: Ninja, 8/28/2017 | 4:17:53 PM
Re: Tools
@Dr.T: Interesting. Can you share a bit more about your experience w/ TripWire -- your use cases, etc.?

Dr.T, User Rank: Ninja, 8/27/2017 | 4:38:54 PM
ISO 27001
ISO 27001 is one of the international standards as an information security management system that certifies organizations adhering to proper security rules and commonly accepted best practices.

Dr.T, User Rank: Ninja, 8/27/2017 | 4:34:36 PM
Re: Tools
"There are a lot of good tools out there" One of them is Tripwire, which I had experience with; a good security intelligence tool.

Dr.T, User Rank: Ninja, 8/27/2017 | 4:33:37 PM
Re: Tools
"Most organizations still operate manually in this regard." Good point. Most of these operations are mainly manual for many companies.

Dr.T, User Rank: Ninja, 8/27/2017 | 4:31:59 PM
Re: Very useful article about Cloud Audit preparation
I agree, it is a good paper providing good information.

Dr.T, User Rank: Ninja, 8/27/2017 | 4:31:18 PM
Continuous auditing
Continuous compliance requires continuous auditing, which can only be achieved with the proper tools.

Joe Stanganelli, User Rank: Ninja, 8/27/2017 | 9:43:59 AM
Tools
There are a lot of good tools out there (if used properly and if their limits are understood) for maintaining compliance with IT/security policies. Relatively few tools, alas, exist for data governance frameworks or global legal compliance frameworks. Most organizations still operate manually in this regard.

TechnologiesHive, User Rank: Apprentice, 8/25/2017 | 11:04:37 AM
Very useful article about Cloud Audit preparation
Thanks for the very detailed post regarding effective audit preparation, it was a good read!