I’m often surprised that as organizations make the move to the cloud, achieving compliance (whether PCI DSS, NIST 800-53, SOC, ISO, HIPAA, etc) is often an afterthought. The cloud providers themselves maintain aggressive compliance programs and adopt new standards quickly, so many folks figure that their part will be a breeze.
However, there are some factors to take into consideration that may make compliance in the cloud a bit more challenging.
1.) Auditors & Compliance Officers Don’t Understand the Cloud
The fast-changing technology of the cloud has left auditors and compliance teams in the dust. They struggle to get up to speed with the environments and applications that you’ve built out, let alone keep up with all the changes that the public cloud platforms introduce continuously. In a shared responsibility model it is important to understand what controls are the responsibility of the cloud provider and what controls are the responsibility of the internal team. Do you have a clear understanding of this and can you explain it to your auditors and compliance teams? It is in your best interest to teach and coach the auditors and compliance officers about the cloud, your environment, and the safeguards you’ve built out to ensure security and compliance.
2.) The Disappearing Change Management Committee
Gone are the days when we could get our environment to a compliant state and then lock it down. Compliance would be managed by Change Management Committees and formal code-check in processes that would validate against our secure and compliant state. Today, more and more, the change management committee has been replaced by the conscience of the DevOps team. Too often when the pressure to deliver is high, those change management processes go by the wayside putting compliance at risk. The teams that are most successful at managing cloud compliance have introduced change management as a key component of their Continuous Integration / Continuous Deployment (CI/CD) workflows.
3.) Cloud Services are Ephemeral
That server that you just audited isn’t there anymore...now what do you do? As your organization leverages the dynamic nature and flexibility of the cloud’s elastic infrastructure to manage costs your environment may be composed of services that are here today but gone in five minutes. The requirement to prove 3 months from now that those no-longer-there services were set up in accordance with best practices can be a real drag. Too often, teams are burdened with the task of sifting through logs to produce that evidence -- a time consuming process and frustrating, for sure, when the service was spun up for just a short period of time.
4.) You Need to Build Trust from a Position of Confusion
The external audit process is all about gaining the trust of the auditor and convince them that you manage your business in a compliant state 24/365, and not just in the last 3 days before the audit. This can be especially hard if you’re doing this from a weakened position if they’re already a little unsure of the cloud technologies that you’re using.
Many of the people I talk with lean heavily on automation to help build up this trust during their audits. If you’re building out automation to manage your cloud infrastructure during the early phases of development, you should not forget to build out automation to help you with evidence gathering once you’re in production. This can include using self-described systems, log aggregation, and the use of 3rd party tools that can provide and independent view of your systems.
I don’t mean to imply that compliance in the cloud is harder than in a data center environment, it will just require some new processes, new tools, and some additional training to get everyone up to speed. By taking advantage of automation tools for security and compliance, teams can simplify the process of inspection and reporting which frees up resources to attack other projects.
The bottom line is this: don’t move into the cloud and assume you can manage compliance the way you always have. Use cloud automation to your advantage for reporting, management and policy enforcement. Leverage 3rd party tools that measure the compliance of your cloud environment and allow the auditors to see that compliance isn’t just something you did in the past days before the audit, but rather something that you do day in and day out. You’ll find over time that automation will get you to a state of continuous compliance faster which will only make you, your auditors and your boss happier.