Companies are required to comply with regulations that set standards specific to financial and size thresholds, industry type, customer categories, or other parameters. But audits can be frustrating for companies that use cloud services and rely on the provider to carry out all of the actions necessary to comply. Fortunately, passing the audit doesn’t have to be hard. There are ways to ensure compliance without making your company completely reliant on the cloud provider.
Cloud services and foggy compliance issues
Certification is the proof that compliance is met, and the requirements vary according to the standard applied (e.g., SOC 2, FedRAMP, ISO or PCI DSS). In each case, an audit measures the degree of compliance and reveals any shortcomings. Certification is detailed documentation that accounts precisely for every line item on which a regulation requires the company to align its actions.
Shouldn’t this compliance exercise just be a matter of making a checklist and working your way down it until done? Sometimes that is exactly the right answer and the best practice. But it’s difficult to check off itemized boxes when much of the proof of compliance is tucked away somewhere within the cloud provider’s operations. Simply saying your cloud provider is compliant is not enough because ultimately the law holds your company liable and not the provider.
For example, perhaps you have workloads on AWS where the speed, scalability, and other features are essential to completing the work in a timely manner and on budget. However, those workloads require additional security above and beyond those that Amazon offers, particularly to fill the gaps exposed in the “shared responsibility” model common among providers.
Your company takes compliance and security very seriously, but you’ve no idea what or how to layer on top of AWS’s existing security and compliance protocols to achieve levels necessary for compliance certification.
In this case and others, passing a compliance audit may prove particularly problematic even though your company is committed to performing at or above baseline legal requirements. Compliance issues can occur despite your company’s best intentions and best efforts. Reviews can be triggered by your company’s latest growth spurt, a supplier or partner’s actions, or an expansion of your business model into a heavily regulated field.
In these and other scenarios, audits are suddenly far from ordinary exercises and the stakes are likely raised significantly.
Adding compliance trails in cloud environments
The secret to resolving compliance and security issues before they escalate into costly audit penalties is to proactively add an automated compliance and security management system to the cloud environment. This way your company can take advantage of all the security benefits offered by the cloud provider, manage the other security aspects critical to your company’s operations, and produce an audit trail that can be used to help verify compliance.
In short, your company needs the means to detect specific issues and correct them prior to an official compliance certification audit. The top areas that auditors check are all centered on data access. That’s understandable given that Gartner predicts that “by 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.”
Cloud security automation can scale along with your workloads in cloud environments and correct compliance issues and security vulnerabilities as they occur. When selecting an Identity and Access Management (IAM) product to automate corrections and ensure compliance in cloud environments, your company should look for the ability to:
- Visualize the current IAM posture more easily and get alerts about excessive permissions
- Obtain proof of regulatory compliance and data hygiene, along with verification that relevant assets can only be accessed from specific areas in the application
- Monitor any changes in the application that require updates to its security policy
- Create, where needed, a new security policy that reflects the needs of each cloud-based asset
- Deploy easily in both pre-production and production environments
In summary, answering auditors’ most common areas of concern through proactive and automated management systems is a smart way to ensure security and compliance and improved audit processes and outcomes. Specifically, the takeaways of this approach are:
1. Validate who and which cloud services have access to your data, as well as what kind of access (read, write, or delete). Has the type of access changed? If so, by whom and why? This information is essential in detecting privilege escalation, as was the case in the SolarWinds attacks.
2. Take an inventory and maintain it. Know where you store data and other assets that are considered sensitive from a security or compliance perspective.
3. Make sure you can enforce regulation across your entire infrastructure, from development to production. Sensitive data typically resides in all of the environments, so actively protect more than just the production environment.
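The first takeaway, classifying access as read, write or delete and detecting when it changes, can be automated against AWS IAM policy documents. The checker below is an added example written for this article, not code from any vendor or from AWS; the two policy documents and the verb-to-access-type mapping are constructed for the demonstration.

```python
# Action-name verbs grouped into the access types auditors ask about
# (read / write / delete); anything else is reported as "other".
ACCESS_TYPES = {
    "read": ("Get", "List", "Describe"),
    "write": ("Put", "Create", "Update", "Attach"),
    "delete": ("Delete", "Detach", "Remove"),
}

def classify(action):
    """Map an IAM action such as 's3:GetObject' to read/write/delete/wildcard/other."""
    if action == "*" or action.endswith(":*"):
        return "wildcard"
    verb = action.split(":", 1)[1]
    return next((k for k, p in ACCESS_TYPES.items() if verb.startswith(p)), "other")

def posture(policy):
    """Return ({access_type: set of actions}, [findings]) for the Allow statements."""
    summary, findings = {}, []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            kind = classify(action)
            summary.setdefault(kind, set()).add(action)
            if kind == "wildcard":
                findings.append(f"wildcard action {action} on {resources}")
            elif "*" in resources:
                findings.append(f"{action} allowed on every resource")
    return summary, findings

def access_changes(old_policy, new_policy):
    """Actions the new policy grants that the old one did not (the 'by whom and why' question)."""
    old_actions = set().union(*posture(old_policy)[0].values())
    new_actions = set().union(*posture(new_policy)[0].values())
    return sorted(new_actions - old_actions)

# Constructed sample policies: a reviewed baseline and a drifted version of it.
BASELINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]}
DRIFTED = {"Version": "2012-10-17", "Statement": BASELINE["Statement"] + [
    {"Effect": "Allow", "Action": ["s3:DeleteObject", "iam:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(posture(DRIFTED))
    print(access_changes(BASELINE, DRIFTED))
```

Running the drifted policy through the checker reports the new delete and wildcard grants as the evidence an auditor would ask for; feeding it snapshots taken on each policy change keeps that record continuous.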
Once the automation is in place in the cloud, passing audits will be a matter of routine rather than a source of anxiety.