How to Ensure Compliance in the Cloud Between Audits
December 7, 2012
Organizations that run on cloud infrastructure cannot go on faith alone when it comes to compliance standards such as PCI DSS and HIPAA. Attackers know as well as any IT pro that audits occur only once or twice a year. They count on lax oversight in between those audits, and that is precisely when they make their move. What happens between audits to ensure that compliance requirements are still being met has become mission critical. Here are some tips to help your company meet that need proactively.
Shift your mindset about audits
You probably get your car checked once or twice a year and pay for the usual upkeep such as oil changes and brake fluid. But every day when you get in your car you have a set of tools in your line of sight that help you monitor how well your car is performing. You have a gas gauge to tell you when you need to fill up. Various lights and sounds go on when the engine needs checking or even when someone isn't wearing a seatbelt. Could you imagine driving your car without those checks and balances day in and day out? Of course not. You'd panic. So should it be for your cloud infrastructure. Too many CIOs check the audit off the list and consider their infrastructure clean and safe. You need to start looking at audits like your twice-yearly lube, oil, and filter. Then put controls and systems in your line of sight that will help you monitor compliance all the days in between.
Monitor constantly. Yes, really.
Constant monitoring for cloud infrastructure is time consuming and costly. There is no doubt about it. But the time and cost on the back end are far greater if you suffer a breach. Here are some things you can and should do at regular intervals:
Review logs – Frequency: daily. Reviewing logs is a very easy way to spot abnormalities (failed-login bursts, unexpected privileged activity, connections from sources you don't recognize) and deal with them before they become incidents. PCI DSS asks for this explicitly (Requirement 10.6, daily log review), and it only works if logs are shipped off the host to a central store that an attacker on the box can't edit.
Patching – Frequency: once a month. Patching is not something you can skip when it comes to the cloud. It can mean the difference between a small, insignificant leak that's easily corrected and a brand-destroying disaster. Treat monthly as the floor, not the ceiling: PCI DSS requires critical security patches within one month of release, and a patch for an actively exploited flaw should not wait for the next cycle.
Vulnerability Scanning – Frequency: once a month. Run scans to make sure that your vulnerability management program is working as it should; the scan is the check that last month's patching actually landed everywhere. It's low-hanging fruit, easy to do, and can prevent many attacks. PCI DSS sets the minimum at quarterly internal and external scans plus a re-scan after any significant change, so monthly keeps you comfortably ahead of that.
Access Reviews – Frequency: quarterly. It is important to review access lists to critical assets frequently to ensure that only those users with a need to know have the access that is appropriate to their function (least privilege). Include service accounts and API keys in the review, not just people, and confirm that accounts for anyone who has left or changed roles have been removed.
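As an added illustration (not tooling from the original post or from FireHost), here is what two of the checks above look like when written down as code rather than left as a calendar reminder: a daily review pass over sshd-style auth log lines that flags brute-force bursts, a burst followed by a successful login, direct root logins and logins from unlisted sources, and a quarterly access review that compares current grants against an approved role matrix and an active-user list. The log lines, the role matrix, the entitlements and the failed-login threshold are all constructed for the example and are not real data.

```python
"""Between-audit control checks over constructed sample data (added example)."""
import re
from collections import Counter

# Constructed sshd-style auth log lines (not real data). 203.0.113.9 guesses
# passwords, then gets in as root; 198.51.100.20 is a normal deploy host.
SAMPLE_AUTH_LOG = """\
Dec  7 02:14:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
Dec  7 02:14:03 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51523 ssh2
Dec  7 02:14:05 web1 sshd[4021]: Failed password for root from 203.0.113.9 port 51524 ssh2
Dec  7 02:14:07 web1 sshd[4021]: Failed password for root from 203.0.113.9 port 51525 ssh2
Dec  7 02:14:09 web1 sshd[4021]: Failed password for root from 203.0.113.9 port 51526 ssh2
Dec  7 02:14:11 web1 sshd[4021]: Accepted password for root from 203.0.113.9 port 51527 ssh2
Dec  7 09:02:44 web1 sshd[4100]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2
Dec  7 09:30:12 web1 sshd[4133]: Accepted publickey for deploy from 198.51.100.20 port 40130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)

# Assumption: five or more failures from one source in a day is worth a ticket.
FAILED_LOGIN_THRESHOLD = 5


def review_auth_log(text, known_sources=frozenset(), threshold=FAILED_LOGIN_THRESHOLD):
    """Daily log review: return a list of finding strings for sshd-style lines.

    Flags (1) sources at or above the failed-login threshold, (2) a success from
    a source that had already hit the threshold (likely guessed credential),
    (3) any direct root login, (4) successes from sources not on known_sources.
    """
    failures = Counter()
    successes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth result line; ignored for this check
        rec = m.groupdict()
        if rec["result"] == "Failed":
            failures[rec["ip"]] += 1
        else:
            successes.append(rec)

    findings = []
    for ip, n in failures.items():
        if n >= threshold:
            findings.append(f"brute-force: {n} failed logins from {ip}")
    for rec in successes:
        ip, user = rec["ip"], rec["user"]
        if failures[ip] >= threshold:
            findings.append(f"failures-then-success: {user} from {ip} after {failures[ip]} failures")
        if user == "root":
            findings.append(f"root-login: direct root login from {ip}")
        if known_sources and ip not in known_sources:
            findings.append(f"unknown-source: {user} from {ip}")
    return findings


# Constructed role matrix (approved entitlements per role) and current grants.
APPROVED = {
    "dba": {"cardholder-db:read", "cardholder-db:write"},
    "developer": {"app-repo:write", "staging-db:read"},
    "support": {"ticketing:read"},
}
CURRENT_ACCESS = [
    ("alice", "dba", "cardholder-db:read"),
    ("alice", "dba", "cardholder-db:write"),
    ("bob", "developer", "app-repo:write"),
    ("bob", "developer", "cardholder-db:read"),  # outside the developer role
    ("carol", "support", "ticketing:read"),
    ("dave", "contractor", "app-repo:write"),  # dave is no longer active
]
ACTIVE_USERS = {"alice", "bob", "carol"}


def review_access(current, approved, active_users):
    """Quarterly access review: grants outside the holder's role, and grants
    still held by accounts that are no longer active."""
    findings = []
    for user, role, grant in current:
        if user not in active_users:
            findings.append(f"stale-account: {user} still holds {grant}")
            continue
        if grant not in approved.get(role, set()):
            findings.append(f"excess-privilege: {user} ({role}) holds {grant}")
    return findings


if __name__ == "__main__":
    for f in review_auth_log(SAMPLE_AUTH_LOG, known_sources=frozenset({"198.51.100.20"})):
        print("LOG   ", f)
    for f in review_access(CURRENT_ACCESS, APPROVED, ACTIVE_USERS):
        print("ACCESS", f)
```

The point of the known-source list is the same as the "line of sight" argument above: a login that is perfectly normal on an audit day can still be the one that matters, and the only way to notice is to compare today's activity against what you already expect. The access review deliberately checks leavers first, because a stale account is a violation regardless of what role it was once approved for.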
Insist on Transparency from Providers
These daily, monthly, and quarterly control checks can't stop at your own internal team. You must ask vendors what their controls and management schedule look like, and ensure these measures are actually being carried out. Here are some questions to ask cloud vendors:
- Can you provide internal documentation that validates your review process?
- Can you provide regular documentation that shows compliance needs are being met and monitoring is being conducted?
- How often do you conduct audits?
- How will you respond in the event of a security breach, and how quickly will you notify us?
- Do you apply a shared responsibility model, and where exactly does your responsibility end and ours begin?
Stay Current on Standards
Organizations like the Payment Card Industry Security Standards Council (PCI SSC) regularly update their standards and recommendations based on evolving industry knowledge. Don't lump checking their updates in with your twice-yearly audit, and don't count on your vendors to do it for you. You need to be proactive in visiting the websites for the PCI SSC, HHS (for HIPAA), or whatever other standards your company adheres to and see what's new on a quarterly, if not monthly, basis. This is also a good way to stay prepared should any major changes come down the pipe that you will need to be aware of for your next audit. There's nothing like learning a couple of weeks before your audit that you need to completely overhaul certain pieces of your infrastructure or processes. With major evolutions in cloud, including mobile and networking, you can absolutely count on major standard revisions occurring quite frequently.
If all of this sounds like a significant load of new work on your plate (as if you’re not doing enough), you’re right. Staying current on compliance is a lot more work, but it pays off in spades. This may mean hiring one or two more pros for your team whose sole job is to monitor the infrastructure and cloud vendors, or you may decide to outsource it, which is perfectly acceptable as well. Either way, you must do right by your customers in this effort. As with anything else, once you do get the system in place it’s as easy and systematic as driving a car.
Kurt Hagerman, Director of Global Compliance
As the director of global compliance at FireHost, Kurt Hagerman oversees all compliance-related initiatives. Hagerman is responsible for helping FireHost with the attainment of ISO, PCI, HIPAA and other certifications, which allows FireHost customers to more easily achieve the necessary compliances for their own businesses. His position further includes merging information security and compliance into one organization, and enacting a strong security program where levels of compliance are by-products.
Hagerman was a senior engineer for both Exodus Communications and Telesphere Networks. He also spent time as the managing director of Coalfire Systems. Hagerman holds his Bachelor of Science degree in Industrial Management from Purdue University.