Zen and the Art of Acing Your Cloud Compliance Audit
Blog Article Published: 12/09/2014
By Mike Pav, VP of Engineering, Spanning by EMC

We all know cloud adoption is rampant, even though cloud security remains a big concern; a recent study from CloudEntr showed that 89% of IT pros said they were worried about cloud security. While IT admins are busy ensuring compliance for sanctioned IT, shadow IT runs rampant, causing headaches they don’t even know they have. Because of this, the word “audit” often brings to mind the onerous thudding of storm troopers marching in. A heavy weight settles into the stomach as blood pressure spikes with a sharp intake of breath. But what if you could approach an audit with zen-like calm? Good news: it’s possible. It’s all about creating an audit-friendly culture within your company such that an auditor could walk in any time and you’d get a clean bill of health. Here’s how to do it:
- Understand the alphabet soup of regulations and frameworks. Which ones apply to your organization? What controls apply to you? The Cloud Security Alliance offers a Cloud Controls Matrix (CCM) that is a great place to get started.
- Embrace shadow IT. Accept that shadow IT will exist whether you like it or not, and take the necessary steps to ensure that what you don’t know doesn’t hurt you the next time a compliance audit comes your way. First, you need to discover what rogue apps are being used to store or transmit company data. Then, you need to analyze each one for risk by evaluating the SaaS vendor using tools like the Cloud Controls Matrix or Skyhigh Networks’ risk assessment. Finally, you can either take the appropriate measures to secure these apps or find an alternative that satisfies the employees’ needs in terms of productivity and the company’s needs in terms of compliance.
- Build compliance into your company’s DNA. If we may modify the old saying a bit, live each day like it’s your last before the auditor arrives. Educate your entire staff about how using shadow IT might harm the well-being of the company, and build in audit-proofing as you create or revise processes.
- Move to the cloud - with your eyes wide open. Cloud providers have already done a lot of the security work for you, so they’ll have built-in protection better (and cheaper) than any you could build yourself in-house. But it’s important to understand what they have covered and what blanks are left for you to fill in. Before signing up for cloud services, put the provider through their paces in terms of security, and make sure that the security evaluation is SaaS-specific and not just reusing your on-premises checklist.