Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
8/25/2017
09:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Continuous Compliance and Effective Audit Preparation for the Cloud

Why audits are a necessary evil, and how they can actually help you improve your brand value.

Unless you spent your childhood with actuarial tables as a best friend, you probably don't like the word "audit." It conjures notions of paperwork and checklists and deadlines, and just a general swirl of annoying action items. What's even worse, is that it suggests the idea that someone suspects you did something wrong, and they're going to watch over you until you can prove you can do it right. It's like an adult version of after-school detention.

For companies that operate in the cloud, audits are used to ensure that companies adhere to rules and commonly accepted best practices. We use cloud security compliance standards to define what these practices are, how enterprises can function with them, and how they can provide a roadmap for better business operations. Standards like NIST 800-53 and NIST 800-171 are required for organizations to do business with the federal government. HIPAA sets the framework for working with privileged and personal health data, and PCI compliance is demanded for organizations doing digital payments. Comply and you can operate at the pleasure of standards organizations. Be out of compliance and your "license" to operate is revoked.

Ideally, an enterprise complies with the requirements of the standards they need/want to adhere to, and then their business functions more securely, more efficiently, and the governing bodies give their everlasting blessing. It would be nice if it were that simple, but that's never how compliance works. New servers are inserted into the IT environment, application updates are deployed, unrelated specs are mandated on top of other specs. With each change to your cloud and its component pieces, your enterprise risks missing something that will likely take it out of compliance. There are hundreds of lines of controls in the NIST 800-53 compliance spreadsheet, and each of those controls has a set of corresponding instructions. If just one of those conditions is not met properly, you're unfortunately out of compliance.

This is clearly a lot to manage, especially when your business needs to remain compliant in the midst of constant business and technology change. To add to your burden, you have to deal with audits that check to see if you’re compliant now, if your processes are optimized to meet compliance standards, and if you've been out of compliance and what, if any, repercussions might have come from that. I've met many auditors, and while generally a pleasant group, they can strike fear into an organization that doesn't fully know what's going on in their cloud infrastructure.

When audited, you will be required to furnish comprehensive reports that detail your compliance and security adherence. Ultimately, the auditor is acting in the interests of the data and the owners of that data. They want to see if that data, or the assets that touch it, have been compromised. There are a lot of records you’ll have to compile and analyze in order to deliver what the auditors request. A Plan of Action and Milestone Template (POAM) will be created which will guide you, under the direction of the auditors, back to a state of compliance.

The idea of manually maintaining a compliant state for your cloud, and being able to keep detailed reports of it over time is a massive undertaking. Beyond just the sheer amount of work it would take to constantly check all the layers of your cloud stack and compare them with compliance controls, there's also the opportunity cost. Managing compliance distracts a highly skilled part of your IT team from performing more business-critical functions.

Two things need to happen if you truly want to be in control of compliance management and be prepared for audits:

  1. You need a tool that can continuously monitor the entirety of your cloud environment;
  2. You need to automate compliance assessment to determine where there might be failures and risks.

Some solutions will deploy agents within your infrastructure - avoid that because it will just give you more to manage. An agent-less, cloud-native solution will work continuously on your behalf and according to the requirements of compliance standards when your data is in AWS, Azure, or any public cloud. You can then use your time more effectively in creating remediation processes that can also be triggered with a cloud-based monitoring and risk assessment solution.

Audits are necessary and actually help you improve your brand value. When validated to operate under specific standards, they open new business potential for your enterprise and increases your potential audience. The actual work of being audited, however, is a pain in the neck unless you've used a cloud monitoring solution that helps you avoid compliance issues and track all your compliance and security activity. When you've done that, your audits still won't be fun, but they'll be a lot less painless and your organization will avoid unnecessary interruption.

 

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
8/28/2017 | 4:19:01 PM
Re: ISO 27001
Dr.T: It's also a component referenced in the NIST Cybersecurity Framework at various layers.

The problem, of course, is that so few people know what it actually, er, says...because of its proprietary nature. :/
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/28/2017 | 4:17:53 PM
Re: Tools
@Dr.T: Interesting. Can you share a bit more about your experience w/ TripWire -- your use cases, etc.?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:38:54 PM
ISO 27001
ISO 27001 is one of the international standards as an information security management system that certifies organizations adhering to proper security rules and commonly accepted best practices.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:34:36 PM
Re: Tools
"There are a lot of good tools out there" One of them is Tripwire I had experience with, good security intelligence tool.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:33:37 PM
Re: Tools
"Most organizations still operate manually in this regard." Good point. Most of these operations are mainly manual for many companies.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:31:59 PM
Re: Very useful article about Cloud Audit preparation
I agree, it is a good paper providing good information.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/27/2017 | 4:31:18 PM
Continuous auditing
Continuous compliance requires continuous auditing, that can only be achieved with the proper tools.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/27/2017 | 9:43:59 AM
Tools
There are a lot of good tools out there (if used properly and if their limits are understood) for maintaining compliance with IT/security policies. Relatively few tools, alas, exist for data governance frameworks or global legal compliance frameworks. Most organizations still operate manually in this regard.
TechnologiesHive
100%
0%
TechnologiesHive,
User Rank: Apprentice
8/25/2017 | 11:04:37 AM
Very useful article about Cloud Audit preparation
Thanks for very deatiled post regarding effective audit preparation, was a good read!
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15151
PUBLISHED: 2019-08-18
AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h.
CVE-2019-15149
PUBLISHED: 2019-08-18
core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected.
CVE-2019-15145
PUBLISHED: 2019-08-18
DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.
CVE-2019-15146
PUBLISHED: 2019-08-18
GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c.
CVE-2019-15147
PUBLISHED: 2019-08-18
GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c.