AWS Data Compliance: 4 Tips for Decreasing Audit Times
When we talk to customers about their greatest concerns about moving workloads to the cloud, one of the top barriers is inevitably compliance-related activity. They feel they understand the technology, how it works and how it will be implemented, but they still have concerns about how they will deal with audit and regulatory compliance issues. In addition, companies are always looking for ways to decrease the time and complexity of their audits.
The bad news is that moving workloads into the cloud will nearly always increase the complexity of an audit, thus increasing the time it takes to conduct the audit. How complex the audit will be is determined by many factors, some of which can be controlled by the enterprise, but some that are inherent to auditing in the cloud. The good news is that there are steps that a company can take to decrease the complexity of the audit, and hopefully decrease the amount of time auditors spend evaluating your cloud infrastructure.
Companies considering moving their workloads to the cloud should keep the following audit tips in mind:
1. Understand The Auditors
Before a company embarks on its workload migration to the cloud, it should consult the auditors that will be evaluating the cloud environment. Many of the large auditing firms have now released guidance about how best to implement cloud solutions, and can share the controls they will use to evaluate workloads in the cloud. It is usually far easier to implement these standards from the very start than to retroactively remediate a particular control.
2. Understand The Regulations
Just as it is important to understand those who will be evaluating the environment, it is also important to understand the specifics of the regulations that govern your company. For example, there may be regulations about where a company's data can be stored (because of the sensitive nature of the data). Most of the cloud providers (including AWS) have the ability to control where workloads will be hosted, but it is important to fully understand how data locality will impact your cloud solution. AWS has already evaluated many of the common regulatory standards, and provides guidance on how best to implement a cloud solution within its environment.
3. Decrease Scope
While most auditors will never suggest that they would prefer to audit less (they are usually paid by the billable hour), they will also admit that reducing the number of systems that are part of an audit will generally decrease its cost, time and complexity. Companies should consider how systems are connected and develop an architecture that minimizes the number of devices within audit scope. AppGate for AWS embraces this concept. It is a Software-Defined Perimeter solution that delivers highly granular access control, reduces audit scope and provides detailed logging of user access and activities to efficiently feed audit evidence requests.
4. Tools / Logging for the Cloud
Companies should take advantage of tools and capabilities designed specifically for cloud infrastructure to decrease audit complexity. Logs from cloud resources should be collected by a centralized, easy-to-manage log management tool. Security tools should have robust logging and event-capture capabilities, and should be able to correlate important events and generate reports that auditors can use as evidence of control compliance.
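To make tips 2 and 4 concrete, here is an added example (not code from the original post or from Cryptzone) showing what a small correlation step over centralized cloud logs can look like. It reads constructed CloudTrail-style JSON records, checks data-writing API calls against a hypothetical list of regions the company is allowed to hold data in, groups AccessDenied results by principal, and renders a plain-text summary of the kind an auditor asks for as evidence. The allowed regions, the set of data-writing actions, the denial threshold and the log lines are all assumptions made for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed CloudTrail-style records for this example. They are not real log
# data; only the fields the report reads are populated.
SAMPLE_LOG_LINES = [
    '{"eventTime": "2016-03-01T09:58:00Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}',
    '{"eventTime": "2016-03-01T10:00:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}',
    '{"eventTime": "2016-03-01T10:05:00Z", "eventName": "CreateBucket", "awsRegion": "ap-southeast-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}}',
    '{"eventTime": "2016-03-01T10:06:00Z", "eventName": "PutObject", "awsRegion": "ap-southeast-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}}',
    '{"eventTime": "2016-03-01T10:07:00Z", "eventName": "GetObject", "awsRegion": "eu-west-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}, "errorCode": "AccessDenied"}',
    '{"eventTime": "2016-03-01T10:07:30Z", "eventName": "GetObject", "awsRegion": "eu-west-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}, "errorCode": "AccessDenied"}',
    '{"eventTime": "2016-03-01T10:08:00Z", "eventName": "ListBucket", "awsRegion": "eu-west-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}, "errorCode": "AccessDenied"}',
]

# Assumed: regions in which this hypothetical company may hold data (tip 2).
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}

# Assumed: API calls that create or write data. One of these outside an
# allowed region is a data-locality finding an auditor will ask about.
DATA_WRITING_ACTIONS = {"CreateBucket", "PutObject", "RunInstances", "CreateDBInstance"}

# Assumed: how many denied calls by one principal count as a finding.
DENIAL_THRESHOLD = 3


def parse_log_lines(lines):
    """Parse newline-delimited JSON as exported from a central log store."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A malformed line is itself worth reporting, so keep it visible
            # rather than silently dropping it.
            events.append({"eventName": "UNPARSEABLE", "raw": line})
    return events


def build_audit_report(events, allowed_regions=ALLOWED_REGIONS):
    """Correlate events into the summary figures an auditor asks for."""
    by_region = Counter()
    out_of_region = []
    denials = defaultdict(list)
    unparseable = 0

    for ev in events:
        if ev.get("eventName") == "UNPARSEABLE":
            unparseable += 1
            continue
        region = ev.get("awsRegion", "unknown")
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        by_region[region] += 1
        if region not in allowed_regions and ev.get("eventName") in DATA_WRITING_ACTIONS:
            out_of_region.append((ev.get("eventTime"), actor, ev["eventName"], region))
        if ev.get("errorCode") == "AccessDenied":
            denials[actor].append((ev.get("eventTime"), ev.get("eventName")))

    repeated_denials = {actor: calls for actor, calls in denials.items()
                        if len(calls) >= DENIAL_THRESHOLD}
    return {
        "events_per_region": dict(by_region),
        "out_of_region_data_actions": out_of_region,
        "repeated_access_denials": repeated_denials,
        "unparseable_lines": unparseable,
    }


def format_report(report):
    """Render the report as plain text for an evidence package."""
    lines = ["Events per region:"]
    for region, n in sorted(report["events_per_region"].items()):
        lines.append(f"  {region}: {n}")
    findings = report["out_of_region_data_actions"]
    lines.append(f"Data-writing actions outside allowed regions: {len(findings)}")
    for when, actor, action, region in findings:
        lines.append(f"  {when} {actor} {action} in {region}")
    denied = report["repeated_access_denials"]
    lines.append(f"Principals with {DENIAL_THRESHOLD}+ AccessDenied results: {len(denied)}")
    for actor, calls in denied.items():
        lines.append(f"  {actor}: {len(calls)} denied calls")
    lines.append(f"Unparseable log lines: {report['unparseable_lines']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_audit_report(parse_log_lines(SAMPLE_LOG_LINES))))
```

Run against the constructed records, the report shows two data-writing calls in ap-southeast-1 (outside the allowed set) and one principal with three AccessDenied results, which is exactly the shape of question an auditor raises: where data was written, and who repeatedly tried to reach something they were not entitled to. In a real deployment the input would come from the centralized log store rather than an inline list, and the region and action lists would be taken from the company's own regulatory requirements.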
While certainly not a complete list, companies that follow these suggestions before and after moving their workloads to the cloud will find that their audit times decrease significantly, and the brain damage that comes with dealing with compliance regulations will decrease as well.
As IT Professionals, regulatory compliance has become a major facet of our job responsibilities. But we should not let it intimidate us from taking advantage of the benefits of moving to the cloud.
You can find more information about Cryptzone here. The Forrester Research whitepaper "No More Chewy Centers: The Zero Trust Model of Information Security" can be found here. You can also read additional Cryptzone blogs by going here.