Automating cloud compliance for business

  • Cloud has revolutionised the way organisations do business, enabling previously unimagined possibilities.
  • With compliance high on the agenda of governments and regulators, and large fines for getting it wrong, auditing cloud configuration is critical.
  • Traditionally, spreadsheets are used for cloud compliance checks, which are slow, error-prone and only assessed at a point in time.


Whether complying with government or industry regulations, security standards or company policies, the governance of cloud configurations is a critical task that organisations have to undertake when using cloud. Getting it wrong can be disastrous, resulting in lost or corrupt data, cyber incursions, customer data breaches or hefty regulatory fines.

Yet, while cloud adoption seems like a step into a high-tech future, you might be surprised to learn that this critical task is often not done by highly paid data professionals, working day and night at banks of cutting-edge monitors and complex tools that do algorithmically magical things. Instead, cloud compliance is often done using a spreadsheet. A big one.

Compliance exposed

Cloud environments hold a lot of data and a lot of configuration, and both are in constant flux. Resources can be updated, scaled up and back down, rewritten or deleted, all with a couple of mouse clicks or a few lines of code. The shorter time to value, one of the benefits of cloud, also means a quicker road to non-compliance. Even well-configured cloud environments drift away from their original state over time.

It’s therefore important to make sure your cloud is being audited continuously so it doesn’t accidentally move into non-compliant territory. This could be as simple as checking whether or not your data is encrypted when it’s moving in and out of cloud services. But if your organisation is proving this by ticking a box in a spreadsheet to say ‘yes’ or ‘no’, not only is this extremely time-consuming, it’s prone to human error. How is that data being encrypted? Which algorithm and which key? Has the key been rotated? Who can access it? All of these details flow from a single ‘encrypt data’ decision, and every one of them can change, all the time. So they must be checked, reported on and, where necessary, fixed.

Point-in-time compliance checks, performed monthly, quarterly or annually, are relevant and necessary. But the always-on nature of cloud technology means they barely touch the tip of the iceberg. If a problem occurs the day after a check, it could be another 30 days, or a year, before it is reported and rectified. Every day of that window counts against you when a regulator asks how long the exposure lasted.

It’s unsurprising, then, that cloud practitioners have looked for better ways to remain compliant, with the fewest things going wrong, for the shortest possible time.

Continuous compliance

Inspired by modern software engineering, where programs are continuously developed and deployed iteratively, a bit at a time, cloud compliance can be maintained by continuously running checks inside your cloud services. Cloud configurations and data are then monitored and reported on in near real time, so any deviation found can be fixed promptly and personnel time isn’t spent slogging through spreadsheets.

The scale of the job is not to be underestimated. In our own cloud work with clients, across hundreds of accounts, we can receive over 35 million compliance check results every month. At that volume the only workable approach is automation, and with it the detection of a non-compliant configuration goes from days (using that big spreadsheet) to seconds. A single change that deviates from the allowed values results in a notification email arriving in an inbox almost immediately, a case being opened, and a description of why what’s been found isn’t compliant. A team member can then pick up the case for further analysis and remediation, instead of being stuck in the spreadsheet, sifting through it and hoping to spot anomalies.

What to look for when automating compliance

There are a few key things to consider when automating your compliance or buying a compliance solution:

  • Compliance checks need to be highly customisable. Native cloud tools are often too general in the rules they allow you to run, and therefore not fit for purpose. You will usually need to tailor checks. For example, say you keep all your data private, except one block of data that the public needs to access. A documented exception on that rule means you don’t get a finding every time that resource is detected as ‘public’, while every other public resource still does. As another example, you may want to check higher-risk ‘live’ environments more frequently than lower-risk test environments.

  • Continuous compliance needs to be economical to run. Yes, there can be a big financial consequence if things drift out of compliance. However, that doesn’t mean you should pay for a large assurance function; the checks themselves should be cheap enough to run continuously.

  • Integration with upstream and downstream systems. Compliance checks depend on systems that sit outside the cloud: identity and access management upstream (who is allowed to make which changes), and notification and case management downstream (who is told about a finding, and who owns fixing it). Checks running in the cloud need to be well integrated with these and with the rest of the existing IT and business operations.
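To make the ideas in the ‘Continuous compliance’ section and in the customisation point above concrete, here is a small rule engine in Python. It is an added example written for this page, not code from PwC’s Hardened Cloud or from any cloud provider. The inventory is constructed sample data standing in for what a collector would pull from a cloud API; the resource field names, rule identifiers, exception list and check cadence are all assumptions. It shows three things the text describes: rules that return a human-readable reason (the description that goes into the case), a reviewable exception list so one deliberately public bucket does not generate noise, and a drift comparison so only new findings open a case.

```python
"""Illustrative continuous-compliance rule engine.

Added example; not code from the page or from PwC's Hardened Cloud. Resource
fields, rule names, the exception list and the check cadence are all assumed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample inventory, standing in for what a collector would pull
# from the cloud provider's API on each run (field names are assumed).
INVENTORY = [
    {"name": "prod-customer-data", "env": "prod", "public": False,
     "encryption": "aws:kms", "tls_only": True},
    {"name": "prod-public-assets", "env": "prod", "public": True,
     "encryption": "AES256", "tls_only": True},
    {"name": "prod-exports", "env": "prod", "public": True,
     "encryption": None, "tls_only": False},
    {"name": "test-scratch", "env": "test", "public": False,
     "encryption": None, "tls_only": False},
]

# Documented exceptions: resource name -> rules it is allowed to break.
# This is the "one public bucket" tweak from the text, kept as data rather
# than as a weakened rule, so the exception is visible and reviewable.
EXCEPTIONS = {"prod-public-assets": {"no-public-access"}}

# Assumed check cadence per environment (seconds): prod every 5 minutes,
# test once a day.
CHECK_INTERVAL = {"prod": 300, "test": 86400}


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    reason: str   # human-readable explanation that goes into the case


# A rule takes one resource and returns why it is non-compliant, or None.
Rule = Callable[[dict], Optional[str]]


def no_public_access(res: dict) -> Optional[str]:
    return "grants public read access" if res["public"] else None


def encrypted_at_rest(res: dict) -> Optional[str]:
    if res["encryption"] not in ("aws:kms", "AES256"):
        return "no server-side encryption configured"
    return None


def tls_in_transit(res: dict) -> Optional[str]:
    if not res["tls_only"]:
        return "policy does not deny non-TLS requests"
    return None


RULES: dict[str, Rule] = {
    "no-public-access": no_public_access,
    "encrypted-at-rest": encrypted_at_rest,
    "tls-in-transit": tls_in_transit,
}


def evaluate(inventory, rules=RULES, exceptions=EXCEPTIONS) -> list[Finding]:
    """Run every rule over every resource; skip documented exceptions."""
    findings = []
    for res in inventory:
        allowed = exceptions.get(res["name"], set())
        for rule_id, check in rules.items():
            reason = check(res)
            if reason is None or rule_id in allowed:
                continue
            findings.append(Finding(res["name"], rule_id, reason))
    return findings


def new_findings(previous, current) -> list[Finding]:
    """Drift since the last run: only these should open a new case."""
    return sorted(set(current) - set(previous),
                  key=lambda f: (f.resource, f.rule))


def due_for_check(env: str, last_checked: float, now: float) -> bool:
    """Higher-risk environments are polled more often than test ones."""
    return now - last_checked >= CHECK_INTERVAL[env]


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.rule}] {f.resource}: {f.reason}")
```

Run against the sample inventory this reports five findings: three for `prod-exports` (public, unencrypted, no TLS enforcement) and two for `test-scratch`, while `prod-public-assets` produces nothing because its public access is an approved exception. In a real deployment the inventory would be refreshed by a scheduled collector, `new_findings` would be fed the previous run’s results from a store, and each new finding would be posted to the notification and case-management systems discussed above.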

Coming down to earth

If your cloud practitioners are spending time checking spreadsheets, it’s time to have a think about how things could be better. What could your people be doing to add value, instead of checking it? Are you sure you’re compliant, or are you really just ‘maybe’ compliant at a point in time? If you have millions of checks to make, is a manual process sufficient?

Deploying continuous cloud compliance systems and integrating them with your existing business and technology processes will help your business progress its cloud adoption with the certainty that a regulatory storm isn’t brewing overhead.


For more information on cloud compliance solutions, check out PwC Australia’s Hardened Cloud.
