Proactive Compliance is a daily job
When moving to a cloud provider, and especially when serverless infrastructure is embraced, auditing becomes a much greater responsibility. The number of services and infrastructure pieces in use grows drastically and embracing many of these services is critical to a successful cloud migration. Relying only on basic services like EC2 and S3 without using higher level services leaves a lot of possible cost and productivity improvements on the table.
Proactive auditing
Auditing also needs to be proactive and not just on a reactive timeline. Having external companies come in for pen-testing every year and auditing the existing infrastructure just isn’t a solution to todays cloud infrastructure security needs. Its definitely part of the solution, but only one part of it.
Through Infrastructure as code we need to already have a reviewable definition that can be checked through tooling. Any change in infrastructure should be checked, equally as we would run tests on every change in our application code. Those checks are our first line of defense. After changes have been merged and deployed through an automated pipeline our cloud provider auditing takes place.
AWS Audit Manager
Through tools like AWS Config or Azure Policy we can get an inventory of our cloud resources. We’ll talk about how this inventory can be useful in future posts. On top we have to put rules in place to evaluate our inventory to make sure all resources are compliant. Now that we know about our compliance, the tricky thing is to communicate this compliance correctly as well.
Too often I’ve seen teams that have this information in their systems, but the information isn’t used for internal discussions, because it isn’t collected regularly. Services like AWS Audit Manager help here by collecting any compliance data into a digestable format that can be forwarded and shared with teams and leadership.
Summary
This creates a common understanding of where issues are, in order to be able to prioritize them. Through pipelines and automated tooling, it makes sure to detect issues as early as possible. As in the past, compliance was something which was done only every couple of months, today it should be embedded into daily work in the cloud by being integrated and proactive.
If you have any questions on this topic, our experts will be happy to help you.
