If you work for a company in a regulated industry, or just have internal controls that must be met, you’ve likely become accustomed to a regular cadence of data gathering, analysis, reporting and maybe even some last-minute scrambling to get ready for the next audit cycle. That’s the status quo.
What Happens When the Status Quo Changes?
At Cloud Technology Partners, we often see our clients making a radical shift away from the status quo as they migrate existing applications and services from well-understood, well-controlled on-premises or data center environments to public cloud environments like AWS.
Let’s think about the potential impact to organizational stakeholders from such a transformative technology change:
- The CISO. With applications running on AWS, the CISO is still accountable for protecting the company’s and its clients’ data, and for ensuring and attesting that all regulatory and compliance requirements associated with those applications are met.
- The application owners. With applications running on AWS, the application owner or owners are still accountable for understanding and implementing the requirements and controls to achieve compliance with applicable regulatory frameworks and standards.
- Line of Business owners. With applications running on AWS, the Line of Business owner is still accountable for business performance and ensuring that their products and services are compliant with applicable regulatory frameworks and standards.
- Audit staff. Auditors are still responsible for working cross-functionally to help the organization understand and interpret compliance requirements, to facilitate regular audits, and for representing the company with external auditors.
With that, what’s changed? From a regulatory and standards compliance standpoint, nothing. The business is still responsible for ensuring its applications and services remain compliant with applicable regulations and standards. AWS’s shared responsibility model makes this explicit: AWS is responsible for the security of the cloud (the physical facilities, hardware, network and virtualization layer), while the customer remains responsible for security in the cloud, including data, identity and access, operating systems, application code and service configuration. AWS’s own certifications and audit reports cover the platform; they do not make the workloads you run on it compliant.
The big change, of course, is where your workloads are running. For the purpose of this article, let’s say you are migrating your applications and data to Amazon Web Services. Whatever your reason for moving to AWS, the move introduces significant challenges to achieving and maintaining compliance, including:
- Experience. Most IT teams were assembled to build and maintain applications running in existing data centers. Moving to AWS means re-training, trial and error, adopting a DevOps culture to truly automate the pipeline, new tools, and more. It takes time to re-train a development team to a high level of competence and productivity, and while that is happening the environment is in constant flux, which creates opportunities for controls to drift out of compliance. Wouldn’t it be great if you knew the moment that happened?
- Configuration management and validation. One of the benefits of AWS is the agility it brings to the business. You can move more quickly than ever before because it is simply easier to spin services up and down to test ideas. Automation is a beautiful thing! But a side effect of moving quickly is often a loss of control: configurations and services change faster than they can be reviewed by hand, and a configuration that was compliant yesterday may not be compliant today.
- New tools. CTP recommends a number of tools in our Minimum Viable Cloud (MVC) design to help with security, configuration management and compliance. But these tools are likely new to the organization. You need time to learn how to configure, test, run, remediate, validate and document with them before you can be confident that you have the right controls and visibility in place to achieve and maintain compliance against applicable standards and frameworks.
- Uncertainty. Will you be able to achieve the same level of visibility and control over your environment, applications, services and processes as you had in the past? As senior leaders become increasingly accountable for compliance, the need to provide that executive-level visibility becomes more urgent. Uncertainty won’t cut it for long.
If these challenges are not dealt with head-on, you run a higher risk of falling out of compliance and, worse yet, of not knowing it until you begin preparing for an audit six months later.
What Happens Next?
We encourage our clients to consider a continuous, data-driven approach by building a program to achieve and maintain compliance while moving to, and operating in, AWS.
Frequent, Data-Driven Compliance Assessments.
Continuous integration and delivery techniques let developers make and deploy changes to their applications and their AWS infrastructure frequently. Compliance testing has to keep the same pace: every change to applications and their associated data must be made visible, on a continuous basis, to compliance and risk teams as well as to the application development teams who will remediate any control failures. Given the dynamic nature of AWS, continuous monitoring, testing and evaluation are critical; a periodic assessment only tells you what the environment looked like on the day it was run.
A Holistic, Program Management Approach.
Achieving and maintaining a state of compliance readiness takes a village. Getting the data is good, but what you need is a program that puts that data to use. Organizations need to consider tools and training, data and reporting, incident and event management, change management, and program-level governance and oversight. Cross-functional representation from the stakeholders (the CISO, the application owners, the Line of Business owners and the audit team) must be visible and accessible to senior executives, who in turn need to make compliance a priority.
Achieving compliance is not easy! According to a recent McKinsey & Company report on progress towards compliance within global financial services organizations, many are actually losing ground as they weigh a rapidly evolving regulatory landscape, future investments and other factors.
Failure in this arena is not an option. And while AWS does alter the playing field, the right approach and commitment, with organizational support, will ultimately lead you to success. Fortunately, CTP can help.
Managed Cloud Controls.
CTP recently introduced Managed Cloud Controls, a suite of next-generation managed services that serve as the foundation for a programmatic approach to delivering a high level of governance, visibility and control for an enterprise cloud program. One of the first services available within the Managed Cloud Controls family is Continuous Compliance for AWS.
Continuous Compliance for AWS delivers data-driven, real-time regulatory compliance readiness for your enterprise. We’ve developed a solution for establishing and maintaining visibility into, and control over, applications running on AWS, measured against one or more regulatory frameworks or compliance standards. To accomplish this, we:
- Harnessed the experience gained over hundreds of enterprise security engagements
- Added regulatory expertise
- Supplied the right tools to provide real-time visibility at all levels of the organization
- Delivered drill-down capability to get to the heart of control failures quickly
- Provided experts to help solve technical and regulatory problems with remediation