Audits are an essential, albeit lengthy, part of an organization’s risk management strategy. Before the advent of cloud computing, compliance and audit teams had manual procedures and checklists to keep everything under control.
Then came the cloud with its promises of speed and scalability. Brilliant! Except for risk managers, whose physical, stable, on-site environment turned into an ever-changing virtual environment.
“One of the questions we’re often asked as auditors is, ‘How do you maintain an environment of control over resources that weren’t there yesterday but are there today?’” said Shariq Qureshi (pictured right), Senior Manager at Deloitte Touche Tohmatsu Ltd.
Qureshi and Merritt Baer (pictured left), Office of the Chief Information Security Officer at Amazon Web Services Inc., spoke with theCUBE industry analyst Dave Vellante of AWS during an exclusive broadcast on theCUBE, SiliconANGLE Media’s live stream: Force Studio. They discussed the challenges that the cloud has brought to risk, compliance and assurance, and how Amazon Web Services Inc.’s Audit Manager can help address them. (*Disclosure below.)
AWS automates security, compliance, and internal audits
The challenges of managing risk in a cloud environment go beyond its dynamic nature. There is an ever-growing volume of data that needs to be collected and effectively proven. And, of course, budgets have not increased with the workload. Isolated teams waste time and money duplicating sets of evidence, a problem exacerbated by overlapping global, regional and local regulations.
AWS Audit Manager automates the compliance and audit process, relieving risk management teams of the endless task of trying to establish unified controls in an inconsistent multicloud environment.
“Audit Manager is a unique service,” said Qureshi. “It is specifically designed and tailored for the second line, security and compliance, and a third line, internal audit.”
Deloitte is a leading global assurance, risk management, consulting and advisory firm. The company immediately recognized the potential of AWS Audit Manager and guides its customers through the design, implementation, and ongoing management of control frameworks in Audit Manager tailored to each organization’s unique security and compliance needs.
“Just like a cartographer has a map to see the full view of what he’s designing, Audit Manager does the same from a cloud perspective,” Qureshi said.
Most companies have multiple frameworks for SOC-2, GDPR, HIPAA, and other regulatory requirements. These are built into Audit Manager so organizations can select one and assess their cloud usage and status against it in terms of control posture and security hygiene. A recently added feature allows users to plug in APIs from third-party sources.
“So now you’re not just looking at a single cloud provider; you look at your entire digital ecosystem of services, your tools, your SaaS solutions that you use to get a complete, comprehensive picture of your environment,” Qureshi explained.
Building Audit Manager was not an easy process, according to Baer.
“It’s not a snap of the fingers,” she said. “The translation between examiners and us requires work [at AWS]; and it also requires work for customers to understand how to improve their mindset about compliance.”
Some of the processes are traditional, such as checking internet-connected endpoints and pruning permissions, but Audit Manager includes automated reasoning tools that apply machine learning to audit processes.
“It’s like Euclidean in math,” Baer said. “You don’t go out and try to count every prime number. We accept the infinity of prime numbers as true. If you believe in math, we can think about it.”
Here is the full video interview, part of SiliconANGLE and theCUBE’s coverage of the AWS re:Inforce event:
(*Disclosure: Deloitte Touche Tohmatsu Ltd. sponsored this segment of theCUBE. Neither Deloitte nor any other sponsors have editorial control over the content on theCUBE or SiliconANGLE.)