Compliance is a word that continues to be top of mind for security practitioners around the world. Over the last decade or so, compliance has gone from a one-year activity to check a regulatory box to a business enabler that’s no longer optional for companies in any industry. SOC 2 is the framework most U.S.-based companies are familiar with because it’s become the de facto standard for proving security compliance for companies trying to do business with other companies. SOC 2 puts a ton of stress on companies because of the evidence requests from auditors, operational disruption of most departments, and the overall cost of the audit and tools to support the security program.
With the increase in compliance requirements to do business in the United States, the compliance technology industry has grown as well and innovation is at an all-time high. It’s not just compliance tools but the security industry in general has seen some amazing advancements to help companies collect technical information to assess whether they are meeting security safeguards including compliance frameworks. This advancement in technology has changed the way companies prove compliance. Traditionally, proving compliance meant collecting a bunch of screenshots from different tools and meeting with auditors in person for days to walk through the evidence and answer repetitive questions. Fortunately, nowadays it’s a lot easier to collect information because of governance, risk, and compliance (GRC) software tools, security tools, modern human resources, ticketing, and other technologies. With the COVID-19 pandemic, in-person audits are a thing of the past and audits now take place over Zoom. Shared tools are utilized to exchange evidence with auditors.
The Challenges with Modern and Traditional Cybersecurity Compliance Methods
One of the toughest parts of running a GRC program, or a security program in general, is often limited budgets. Security leaders know the pain of having to explain to business leaders why they need to invest in another security tool. Security software tools can be pretty expensive and in the compliance industry companies can expect to pay between $20,000-$30,000 per year to license software to help you manage your compliance program. This is costly. These tools promise a streamlined process for your audits with limited to no manual evidence collection but in reality, there is always a ton of additional work needed to successfully navigate an audit like SOC 2. There’s no perfect tool because a SOC 2 is still a subjective exercise with humans involved - different auditors have different skill sets. Different audit firms have different audit and quality control procedures which change the type of evidence that they will accept.
Let’s paint a picture of what this means. You invest 25K on a compliance software tool that sold you on the fact that it would make your audits easier and automate 90+ percent of evidence required from your auditors. In reality, your auditor is the one that determines whether or not the data that comes out of that compliance tool can be used for the audit or not. This is a risky and costly investment to make if you aren’t sure your auditors will accept the information provided by the tool.
Now, for those who don’t have a compliance tool and are still collecting evidence in the traditional way the challenge is all about time. Audits and other compliance activities are time-consuming and cause a large amount of operational disruption for the organization being audited. For example, a SOC 2 audit can involve people from human resources, engineering, security, legal, risk and compliance, the Board of Directors, executives, and others. Collecting evidence manually without tools typically involves individual security and compliance professionals meeting with members of these departments to discuss how they perform controls i.e. meeting with security engineers to determine how we perform network security, logical access, and data protection controls. After this internal meeting, the security engineering team and compliance professionals go through a similar time-consuming walkthrough with external auditors. Finally, the auditors send over a long request list that requires these same stakeholders to go out and collect evidence from the tools and upload it into another tool that the auditors use for review. If there are questions about these items or a lack of understanding, this adds to the time-consuming nature of the exercise.
There isn’t a magic pill that solves the time-consuming nature of a cybersecurity audit. However, there are ways that we, as compliance professionals, can make the exercise a little less painful for the people involved. One way that we can do that is by utilizing the tools that already exist on the cloud platform we have chosen to host our application. Amazon Web Services (AWS), Microsoft Azure (Azure), and Google Cloud Platform (GCP) are the leading cloud providers in the world. Most companies have decided to host their applications on one of three of these cloud providers. Each of these cloud service providers (CSPs) has invested significantly into building up the security services available to customers hosting data on their platforms. They understand the shared responsibility model very clearly but they have made a conscious decision to make it easier for companies to uphold their end of the shared responsibility model with built-in purpose-built security services to solve important security and compliance problems.
Oftentimes companies rush out to invest in the latest and greatest tools to solve security problems when they are probably already paying or can pay a fraction less for a similar service on the cloud provider they are using. Similarly, the pain and time-consuming nature of collecting evidence outside of the platform adds additional work to the stakeholders involved in the audit. Fellow SANS instructor Clay Risenhoover often talks about “living off the land” when it comes to compliance. His viewpoint is that compliance professionals should focus on using tools that the teams are already using to collect and validate compliance information - let the engineers use the tools they are comfortable with. This concept is the core of this article, using native security services in the cloud can help us live off the land and use the tools available to our organization on the CSP we are already using.
The Advantages of Using Native Security Services For Cybersecurity Compliance
There are four key advantages to using a cloud platform native security services for compliance which include:
- They are designed specifically for the cloud platform
- Cost-effective
- Automated data collection and reporting
- Continuous monitoring and real-time alerts
By opting for security services built directly into the CSP, you can be confident you are using a security tool that was built specifically for how you are using the cloud. For example, most 3rd party tools make assumptions about how you are using a particular cloud provider. They may have an integration into AWS however they are only pulling data from specific regions or a specific type of compute data such as EC2 instances. But what if you are in a completely serverless environment and you aren’t using EC2s? What if your data is outside of one of the common regions they scan and don’t support the region you are in? These are common problems I’ve seen and they can be overcome by using purpose-built tools for the cloud provider. Most of the major cloud providers have security services that cover areas such as vulnerability assessments, intrusion detection, and network security. However, they also go a step further and have specific ways you can configure these services based on your use case. Good security requires context - security isn’t a one-size-fits-all-all. It’s tough to get that context when you’re assessing from the outside in.
Secondly, we talked a lot about cost in this article. While most security services on the cloud platforms are not free and you will incur some costs. The overall price tag is often fractions compared to what you would pay for a third-party tool that may not be collecting all the right data. One cool benefit of using these services specifically for proving compliance to a third-party auditor is that you can turn the service on to collect the information and then turn it off when you are complete. The on-demand, only pay-for-what-you-use nature of the cloud lends itself to those looking to reduce the costs of their overall security and compliance budget.
Additionally, collecting evidence in an automated fashion should allow for an easier audit process with your auditors. The days of having to send engineers out with a list of requests and they send back an email with 50 attachments of screenshots from the cloud console are over. Utilize the security services available to run an automated collection of data or generate an automated report that includes relevant metadata for the audit and you’re done. Auditors will care about completeness and accuracy, they will want to know that the data collected includes all the information necessary for the audit. I encourage companies that adopt this practice of using native security services to educate their auditors on this decision and the security services they’ll be using to gather data. Also, collect the evidence or reports on a recorded Zoom or live Zoom call with them. These two steps will help ensure your audit teams trust the information collected directly from the cloud provider.
Lastly, if you want to have a continuous compliance program where you are constantly monitoring for control failures or changes - that can be done easily on the cloud. There are built-in services that allow you to assess regularly whether controls are operating the way you intended. Having this type of monitoring built directly into the cloud provider is huge. You are not worried about a connection issue between a SaaS tool and the cloud. You no longer are worried if the right data is being collected regularly, you know it is because you monitoring directly at the source. When things change, you can set up alerts to inform you immediately and in some cases build in some auto-remediation to correct control failures that you don’t want exposed.
Conclusion
Cybersecurity compliance audits are not going anywhere. They are only becoming more important which is why we’ve seen such a rapid growth in the innovation in this space. While the innovation is exciting, it is important to make sure we examine if we are investing in tools that are duplicating the activities we can accomplish with our cloud provider. Adding additional tools is not only a costly decision but also increases your attack surface by introducing an additional third party into your data ecosystem. Each of the major CSPs offers native security services that their customers can use to prove compliance with multiple frameworks. In part 2 of this article series, we will examine specifically “How Native Security Services Aid in Compliance Audits.” We’ll discuss example services and use cases for security and compliance professionals to begin using today.
About the Author
AJ Yawn is Partner In Charge, Product & Innovation at Armanino LLP, and a Founding Board Member of the National Association of Black Compliance and Risk Management Professionals (NABCRMP). AJ has earned 6 AWS certifications including the AWS Solutions Architect-Professional and AWS Security-Specialty. Prior to ByteChek, AJ spent over a decade in the cybersecurity industry both in the US Army and as a consultant. He is a regular speaker for SANS Cloud Security curriculum events such as BIPOC in Cloud Forum and CloudSecNext Summit, and a co-chair of the New2Cyber Summit 2022. Learn more about AJ at https://www.sans.org/profiles/aj-yawn/
