Automating cloud compliance

It's past time to get serious about continuous compliance audits in the cloud.


Fast facts

According to Forbes' Roundup of Cloud Computing Forecasts 2017, released on April 29, 2017:

With the impressive cloud growth shown above in mind, let us start off with the latest recommendations from the Cloud Security Alliance, Domain 4 - Compliance and Audit Management, which is part of their Security Guidance - Critical Areas of Focus in Cloud Computing V 4.0. For a quick primer on cloud compliance, see my recent blog article "Achieving Compliance in the Cloud".

CSA’s recommendations for compliance and audit management

Compliance, audit, and assurance should be continuous. They should not be seen as merely point-in-time activities, and many standards and regulations are moving more towards this model. This is especially true in cloud computing, where both the provider and customer tend to be in more-constant flux and are rarely ever in a static state.

Cloud providers should clearly communicate their audit results, certifications, and attestations with particular attention to:

  • The scope of assessments.
  • Which specific features/services are covered in which locations and jurisdictions.
  • How customers can deploy compliant applications and services in the cloud.
  • Any additional customer responsibilities and limitations.
  • Cloud providers must maintain their certifications/attestations over time and proactively communicate any changes in status.
  • Cloud providers should engage in continuous compliance initiatives to avoid creating any gaps, and thus exposures, for their customers.
  • Provide customers commonly needed evidence and artifacts of compliance, such as logs of administrative activity the customer cannot otherwise collect on their own.

On the other hand, cloud customers should:

  • Understand their full compliance obligations before deploying, migrating to, or developing in the cloud.
  • Evaluate a provider’s third-party attestations and certifications and align those to compliance needs.
  • Understand the scope of assessments and certifications, including both the controls and the features/services covered.
  • Attempt to select auditors with experience in cloud computing, especially if pass-through audits and certifications will be used to manage the customer’s audit scope.
  • Ensure they understand what artifacts of compliance the provider offers, and effectively collect and manage those artifacts.
  • Create and collect their own artifacts when the provider’s artifacts are not sufficient.
  • Keep a register of cloud providers used, relevant compliance requirements, and current status.

The Cloud Security Alliance Cloud Controls Matrix can support this activity.

I want to focus on the first sentence of the CSA's recommendations above: "Compliance, audit, and assurance should be continuous. They should not be seen as merely point-in-time activities, and many standards and regulations are moving more towards this model. This is especially true in cloud computing, where both the provider and customer tend to be in more-constant flux and are rarely ever in a static state."

As I mentioned in my last article referenced above, we cannot continue to do static, point-in-time compliance audits in the cloud environment. Why? Three main reasons:

  1. Banking, Healthcare/HIPAA and Federal sectors are highly regulated to start with.
  2. The cloud is a mixed environment where depending on the type of cloud model selected you have different companies sharing the same server and
  3. The cloud adds some confusion because we have the question of who is responsible for security.

I'm speaking of the differences between IaaS, PaaS and SaaS. We know that in IaaS the consumer is mostly responsible for security, while in SaaS the provider is mostly responsible for security. PaaS is a mixed or shared responsibility. The legal contracts between the respective parties should address these critical areas of responsibility. All of this adds up to a lot more risk if the proper controls are not in place and working flawlessly. We need assurance, and in this case continuous auditing is the best way to achieve it.


In the legacy environment, we take static IT controls and manually inspect 20 or 50 or more of them, depending on the compliance framework. See ISO, the NIST Cyber Security Framework, PCI DSS, SOC 2 and the other audit formats all referenced in the CSA's Cloud Controls Matrix. We manually inspect and verify the operation of each control. For example, for SOC 2 compliance, consider the following control. Control: Access privileges are reviewed quarterly to determine if access rights are commensurate with the user's job duties. Evidence: Access is modified based on the results of the reviews. Doing this manually takes a lot of time, not to mention that the environment is constantly changing in a large cloud deployment. Therefore, we write a script to run this check weekly. This is a good start, but how do we tie it all into a single management console that instantly shows continuous compliance, so that an auditor can review it and do manual checks and verifications as necessary?
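A weekly script for the access-review control just quoted, as an added example that is not from the article or any vendor product: it compares each user's current privileges against a constructed role entitlement matrix, checks that the last quarterly review is not overdue, and returns evidence records that a management console or ticketing system could ingest. The entitlement matrix, the user directory and the review dates are all constructed sample data.

```python
"""Weekly check for: 'Access privileges are reviewed quarterly to determine
if access rights are commensurate with the user's job duties.'
Added example with constructed data; not code from the article."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

REVIEW_PERIOD = timedelta(days=92)  # one quarter plus a small grace window

# Constructed entitlement matrix: the privileges each job duty actually needs.
ROLE_ENTITLEMENTS = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "auditor": {"logs:read", "repo:read"},
}


@dataclass
class User:
    name: str
    role: str
    privileges: Set[str]
    last_reviewed: Optional[date]  # None means the account was never reviewed


def review_access(users: List[User], today: date) -> List[dict]:
    """Return findings as dicts (user, kind, detail); an empty list means
    the control is satisfied for this run. Each finding is the evidence an
    auditor would expect to see raised and remediated via a ticket."""
    findings = []
    for u in users:
        allowed = ROLE_ENTITLEMENTS.get(u.role, set())  # unknown role => nothing allowed
        excess = u.privileges - allowed
        if excess:
            findings.append({"user": u.name, "kind": "excess_privilege",
                             "detail": sorted(excess)})
        if u.last_reviewed is None or today - u.last_reviewed > REVIEW_PERIOD:
            findings.append({"user": u.name, "kind": "review_overdue",
                             "detail": str(u.last_reviewed)})
    return findings


# Constructed sample directory, standing in for what a weekly run pulls from IAM.
SAMPLE_USERS = [
    User("alice", "developer", {"repo:read", "repo:write", "ci:run"}, date(2017, 6, 1)),
    User("bob", "auditor", {"logs:read", "repo:read", "repo:write"}, date(2017, 6, 15)),
    User("carol", "developer", {"repo:read"}, None),
]


def run_weekly_check(today: date = date(2017, 7, 1)) -> List[dict]:
    """Entry point for the scheduled job; the default date is fixed for the sample."""
    return review_access(SAMPLE_USERS, today)


if __name__ == "__main__":
    for finding in run_weekly_check():
        print(finding)
```

With the sample data the run flags bob's extra `repo:write` privilege and carol's missing review, while alice produces no finding; each record is what gets attached to the control as evidence.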

Let us take a quick look at some possibilities for continuous audit automation. If your organization has an integrated customer service and ticketing application like ServiceNow, you will want to consider going this route, as integrating into a corporate management system can provide many benefits to the business.

I have not yet personally tried these products, nor can I endorse them; I list them here to show some of the current offerings for continuous cloud auditing tools. I believe these tools deliver many benefits vs. our manual methods of years past; we need their automation to meet the demands of the ever-changing cloud risk environment.

Option 1: ServiceNow GRC Module


Some Key features include:

Policy and Compliance Management - Automates and manages policy and compliance lifecycles, and tracks compliance activities.

Risk Management - Adds fine-grained business impact analysis and continuous monitoring of critical controls.

Audit Management - Uses risk data to scope and prioritize audit plans, and automates cross-functional audit processes.

Vendor Risk Management - Continuously monitors, detects, assesses, mitigates and remediates risks in vendor ecosystems.

Option 2: GRC, Compliance Software

Multiple Compliance Frameworks - Get content and upgrades for COBIT 5, COSO, FedRAMP, HIPAA, ISO/IEC, NIST, PCI-DSS, SOC 1/2/3, SOX and more.

Compliance Automation - Manage and track risk assessment processes, and use workflows to combine project management with compliance initiatives.

Reporting Tools - Track compliance progress (consolidated controls gap analysis) and audit progress (evidence collection, issue remediation, control conclusions).


Cloud computing is expected to grow to $162B by 2020, and as usual, the technology being pushed out is ahead of our ability to secure and regulate it. The key to reducing and limiting exposure to security-related risk is tooling with a continuous, automated compliance verification system that provides business clients with complete compliance visibility.

An effective and efficient cloud auditing solution must:

  • support large-scale cloud environments
  • offer a high level of automation
  • allow for near-real-time compliance visibility without compromising stakeholders’ privacy and the confidentiality of sensitive data
  • fully support multi-tenancy
  • provide modular compliance verification to address several standards.

The Cloud Security Alliance is doing a lot to assure that leading edge, best practices are being pushed to the forefront of cloud computing. Visit the CSA’s website to get acquainted with the latest tools and user groups that are focusing on taming the cloud in 2017 and beyond.

This article is published as part of the IDG Contributor Network.
