When companies kept their applications in a data center, compliance was a more straightforward process. It still required energy and diligence, but the tasks were predictable. Servers and software were in the back room, paid for, running on set schedules, year after year. Workers maintained specific legacy systems that they were well trained on, configurations followed established patterns, and workloads were more easily tracked alongside company initiatives. Compliance could be handled as a quarterly or even annual ritual.
Cloud has flipped the compliance process upside down. It’s introduced a whole new set of variables – new tools, new configuration and approval processes, new job roles and new rules for companies to follow. The changing environment has turned compliance into a moving target that’s harder to control. Compliance can no longer be managed once or twice a year. In the cloud, compliance needs to be managed continuously.
To get cloud compliance under control, organizations must first understand their scopes and their ability to handle those scopes. The scope will vary for each organization, and even within an organization, based on issues such as: the regulatory controls themselves; the complexity of requirements demanded by the industry; the geography; the impact to the business if it’s out of compliance; and the level of cloud maturity and readiness to take on the job and do it well.
Let’s look at these issues in more depth to evaluate how to get your cloud compliance under control.
The Impact of Cloud and Automation on Compliance
Looking more closely at cloud’s impact, it’s easy to see how challenged organizations are when it comes to maintaining control and, just as importantly, to demonstrating that they’re maintaining control.
Above all else, cloud helps organizations improve their agility. They’re not hidebound by server policies and schedules, so they make rapid and frequent changes to their environments. Cloud allows them to dial services up and down according to needs and desires, and to create and deploy software rapidly using continuous integration and continuous delivery pipelines. Configurations that wouldn’t change for months, perhaps years, in the data center now change in minutes.
The app delivery process used to be concentrated; in the cloud, it’s decentralized. Many developers and DevOps personnel play a role in software delivery. Some may not have experience pushing changes to test or to other environments. This adds a layer of risk.
The different cloud environments create a layer of complexity. The trend today is for companies to embrace multiple cloud environments – such as AWS with a combination of Azure and/or Google Cloud Platform, or other combinations. Each new tool and new environment increases the learning curve for a staff that’s already struggling to stay current in their training. Plus, the cloud providers themselves are constantly innovating, adding new services and new techniques.
Here’s the bottom line. Cloud engagements are so dynamic that they require new, updated compliance programs just to keep up with the commonplace changes in their environments. You can’t check every six months and hope for the best. You need to check continuously that the programs in place are robust and actually running. Therefore, you need a continuous monitoring and remediation program to ensure that the services running in the cloud are compliant.
The Impact of Cloud on Highly Regulated Industries
Compliance challenges, of course, vary by industry. Moving to the cloud exacerbates the impacts of already complex, interrelated regulations and oversight in highly regulated industries such as financial services and healthcare.
In any industry, the penalties for noncompliance are stiff. Companies face potential fines, loss of business, loss of clients, firings, suspensions – even potential jail terms in certain circumstances. In retail, for example, companies are grappling with the effects of the new PCI regulation requiring a business to protect credit card data and customers’ identities. Companies that don’t comply may have to pay more for credit card transactions – or lose the ability to use credit cards at all. Noncompliance is clearly not worth the risk.
Geography Plays a Role
It would be one thing if companies were able to rework compliance processes globally, just based on the changes imposed by the cloud. But compliance rules in one locale don’t always mesh with those in another. Take GDPR and FCA, for instance. These are a pair of new regulations created in the UK that require businesses to protect the privacy of individual data. They were created to govern individual data in Europe, but they apply to every global business that touches European consumers.
These are just the latest examples of geography-specific regulations that tilt the playing field for companies preparing compliance plans. As cloud adoption increases, expect to see more government actions to ensure that data is accounted for and protected.
Compliance Needs to be Monitored and Updated
There’s a misconception that monitoring for security and monitoring for compliance amount to the same thing. Security is a big part of compliance, to be sure, and having tools that produce reports about threat detection and security preparedness is critical to the survival of any business.
But there’s more to compliance monitoring than keeping track of security threats. Regular monitoring provides continuous updates and assessments of issues – in the cloud and beyond – that are evolving more quickly and unexpectedly than ever before. It provides the domain-specific data that companies need to successfully manage their compliance programs.
A number of banks are embracing this continuous, real-time monitoring trend. According to a May 2017 report by McKinsey & Co., as the scope of regulation widens, some financial institutions have “chosen to be ‘constantly materially compliant,’ a status just shy of full compliance, because of ongoing long-term remediation programs.”
The ability to review stats daily instead of, for example, four weeks before an audit allows teams to spend more time moving their businesses forward rather than reacting to urgent issues. And real-time analysis pays significant dividends when it leads to early detection of trends. You gain the ability to take proactive steps to remediate and prevent minor issues from becoming critical issues.
Ultimately, real-time analysis of compliance readiness is the catalyst for creating a data-driven, fact-based approach to an organization’s cloud compliance program.
CTP’s Continuous Compliance
CTP’s Continuous Compliance delivers a holistic, program-based approach to both technical and process-oriented compliance. With continuous assessments of cloud environments run against key regulatory frameworks like PCI, NIST and others, Continuous Compliance delivers real-time data to your business and to CTP to drive remediation programs forward.
As regulations and standards evolve, CTP identifies those changes rapidly and adapts client policies to remain in compliance. Clients benefit from reduced risk of gaps in compliance, less time and fewer resources required to constantly research and implement controls, and faster and less labor-intensive audit preparation.
Instead of continually addressing urgent issues, your development teams have more time to focus on the work at hand. With the right tools (and the right insights), they can be more productive and execute more compliant software builds. You experience fewer drills, tighter operational security and better visibility into risks before they become critical issues.
Continuous Compliance also enables more focused and informed program-level oversight and governance to help you successfully steer your business forward.
How do you get your cloud compliance under control? Here is a list of the priorities everyone should consider:
- Continuously assess and monitor activities to identify risks and potential sources of compliance exposure
- Have a well-understood process for remediation of control failures and identified risks
- Take proactive steps to review cloud application architectures and corresponding controls to ensure compliance readiness
- Ensure that those responsible and accountable for compliance and remediation within the organization have access to real-time data about control failures
- Regularly update your implementation of regulatory or IT control frameworks; the rules can and do change
- Ensure compliance readiness is a key priority of the CIO, CISO and business unit leaders, in addition to audit staff
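The continuous monitoring and remediation program described above, and the first four priorities in this list, can be made concrete as policy-as-code: a small rule set evaluated against each fresh inventory of cloud resources, with the results compared to the previous run so that new control failures (and remediated ones) surface within minutes rather than at audit time. The following is an added illustration, not CTP’s product or code; the resource records, the `CTRL-*` control identifiers, the `owner` tag and the two inventory snapshots are all constructed for the example, and a real program would pull its inventory from the cloud provider’s API and map each control to the actual framework clause it implements.

```python
"""Policy-as-code compliance assessment over a constructed cloud inventory.

Added illustration, not CTP code. Control IDs, tag names and resource
records are assumptions made for this example only.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A resource is a plain dict, as a cloud inventory export might produce it.
Resource = Dict[str, object]


@dataclass(frozen=True)          # frozen => hashable, so runs can be diffed as sets
class Finding:
    control_id: str              # illustrative control identifier (assumption)
    resource_id: str
    owner: str                   # who is accountable for remediating it
    detail: str


@dataclass
class Control:
    control_id: str
    description: str
    applies_to: str                       # resource "kind" covered, "*" for all
    check: Callable[[Resource], bool]     # returns True when the resource passes


# Illustrative controls; the IDs are placeholders, not real framework clauses.
CONTROLS: List[Control] = [
    Control("CTRL-STOR-01", "Object storage must not be publicly readable",
            "bucket", lambda r: not r.get("public_read", False)),
    Control("CTRL-STOR-02", "Object storage must be encrypted at rest",
            "bucket", lambda r: bool(r.get("encryption_at_rest"))),
    Control("CTRL-DB-01", "Databases must not accept connections from 0.0.0.0/0",
            "database", lambda r: "0.0.0.0/0" not in r.get("ingress_cidrs", [])),
    Control("CTRL-LOG-01", "Access logging must be enabled",
            "*", lambda r: bool(r.get("logging_enabled"))),
]


def assess(inventory: List[Resource], controls: List[Control] = CONTROLS) -> List[Finding]:
    """Evaluate every control against every applicable resource in one snapshot."""
    findings: List[Finding] = []
    for res in inventory:
        # Accountability comes from tagging; untagged resources are flagged as such.
        owner = res.get("tags", {}).get("owner", "unassigned")
        for ctl in controls:
            if ctl.applies_to not in ("*", res["kind"]):
                continue
            if not ctl.check(res):
                findings.append(Finding(ctl.control_id, res["id"], owner, ctl.description))
    return findings


def drift(previous: List[Finding], current: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Compare two assessment runs and return (newly failing, newly remediated)."""
    prev, cur = set(previous), set(current)
    key = lambda f: (f.resource_id, f.control_id)
    return sorted(cur - prev, key=key), sorted(prev - cur, key=key)


def open_by_owner(findings: List[Finding]) -> Dict[str, int]:
    """Count open control failures per accountable owner, for the real-time view."""
    return dict(Counter(f.owner for f in findings))


# Constructed snapshot: a compliant starting state.
SNAPSHOT_T0: List[Resource] = [
    {"id": "bucket-customer-exports", "kind": "bucket", "public_read": False,
     "encryption_at_rest": "AES256", "logging_enabled": True, "tags": {"owner": "data-team"}},
    {"id": "db-payments", "kind": "database", "ingress_cidrs": ["10.0.0.0/8"],
     "logging_enabled": True, "tags": {"owner": "payments"}},
]

# Constructed snapshot minutes later: a deploy opened the bucket to the public and
# an untagged, world-reachable database appeared without logging.
SNAPSHOT_T1: List[Resource] = [
    {**SNAPSHOT_T0[0], "public_read": True},
    SNAPSHOT_T0[1],
    {"id": "db-analytics-tmp", "kind": "database", "ingress_cidrs": ["0.0.0.0/0"],
     "logging_enabled": False, "tags": {}},
]

if __name__ == "__main__":
    before, after = assess(SNAPSHOT_T0), assess(SNAPSHOT_T1)
    new, fixed = drift(before, after)
    for f in new:
        print(f"NEW  {f.control_id} {f.resource_id} owner={f.owner}: {f.detail}")
    for f in fixed:
        print(f"FIXED {f.control_id} {f.resource_id}")
    print("open failures by owner:", open_by_owner(after))
```

Scheduling `assess` on every inventory refresh and feeding `drift` into the remediation queue gives each control failure an owner and a first-seen time on the day it appears, which is the real-time data the fourth priority asks for; changing a control’s check or adding a new one is a one-line edit, which is how the fifth priority (rules change) is absorbed without rebuilding the program.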
These are the key ingredients to a solution that puts you in control of compliance in the cloud. Learn more about CTP’s Continuous Compliance solution.