By: Matt Wells, CTO & co-founder at Shujinko
Our world looks very different now than it did one year ago. But despite the many significant changes wrought by Covid-19, much of the security and compliance world remains the same. Organizations still need to prepare for their security and compliance audit calendar, despite shrinking budgets and digital transformation projects that make their lives more difficult. The Shujinko team has spent dozens of years working in the compliance space and has spoken with hundreds of CISOs and compliance managers in the past year. This is the first of three blog posts highlighting the biggest trends we see for enterprise compliance in 2021 and beyond.
Trend 1. Audit preparation becomes increasingly automated. There is a huge opportunity to improve the highly manual audit process via automation, and the accelerating move to the cloud will push more companies to explore that option sooner rather than later.
Ensuring compliance in the cloud is hard, especially for companies shifting existing mission-critical workloads from on-prem to the cloud. The two environments have very different security profiles and gathering the necessary technical evidence is harder because cloud environments change frequently. Companies preparing for audits must sink significant time and effort (hundreds of hours, every audit, across multiple requirements) into collecting a vast amount of technical data on information security controls and processes. Manually collecting data, taking screenshots, and organizing evidence takes that time away from cloud and DevOps teams that could otherwise be spent building new products or services. Because the cloud increases IT complexity (more services, more APIs, hybrid environments, etc.), the required resource investment actually gets worse over time.
But much of this data collection can be automated. We see three aspects of compliance audits that can be automated: evidence collection, evidence-to-control mapping, and cross-walking evidence across common control frameworks and between statutory, regulatory and contractual cybersecurity and privacy requirements.
For example, technical evidence in these categories can be collected by an automated evidence collection engine interrogating APIs.
- Identity and access management
- Storage encryption at rest
- Network segmentation
- Key management
- Inventory of systems and assets
- Vulnerability scans
- Firewall configuration
- Encryption certificates
- Encryption settings for data in transit
- Data backup configuration and schedules
The data is also considered more complete and accurate from a compliance perspective than traditional screenshots, as it includes time stamps and other metadata that attest to how and when the evidence was gathered and that it has not been altered since. Automated evidence collection can also be run ad hoc or on a schedule to assess compliance drift over time.
Mapping is the act of taking a particular piece of evidence and associating it with a required control. If a particular piece of evidence – say, an information security policy – applies to multiple controls within a single audit, automated mapping can instantly complete all associations when the data is first uploaded, rather than making teams upload the same evidence multiple times.
Cross-walking is applying the same process to different security audits. Organizations build up a library of evidence when preparing for an audit. Many of those pieces of evidence might apply to controls in other regulatory frameworks or privacy requirements (SOC-2, ISO 27001, PCI DSS, NIST, etc.). By automating the cross-walking process, an organization can find itself already 60-80% complete on collecting audit evidence for subsequent requirements, simply by automatically re-using the data it has already collected, provided, of course, that it has a single system of record for all enterprise compliance data.
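The three steps described above (collecting API evidence with timestamps and integrity metadata, mapping one piece of evidence to several controls in a single audit, and cross-walking that library to a second framework to measure how much is already covered) are shown end to end in the following added example. It is illustrative code written for this post, not Shujinko's product code; the framework names "FW-A" and "FW-B", every control identifier, the API paths and the bucket payload are all constructed placeholders, and the per-control hash list and coverage ratio are the simplest representation that makes the idea concrete.

```python
"""Hypothetical audit-evidence pipeline: collect, map, cross-walk.

Added illustration, not Shujinko's product code. Framework names, control
identifiers, API paths and the sample payloads are all constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: the JSON a cloud storage API might return for one bucket.
SAMPLE_BUCKET_CONFIG = {
    "bucket": "example-prod-data",
    "encryption": {"enabled": True, "algorithm": "AES256"},
    "versioning": True,
}

# Constructed control catalogues. "FW-A" and "FW-B" stand in for two different
# compliance frameworks; the IDs are placeholders, not real controls.
EVIDENCE_TO_CONTROLS = {
    # one evidence type can satisfy several controls in the same audit
    "storage_encryption_at_rest": {"FW-A-3.1", "FW-A-3.4", "FW-A-8.2"},
    "iam_policy": {"FW-A-7.1"},
}
CROSSWALK_A_TO_B = {
    "FW-A-3.1": {"FW-B-ENC-1"},
    "FW-A-3.4": {"FW-B-ENC-1", "FW-B-ENC-2"},
    "FW-A-7.1": {"FW-B-IAM-1"},
    "FW-A-8.2": set(),  # no equivalent control in framework B
}
FRAMEWORK_B_CONTROLS = {
    "FW-B-ENC-1", "FW-B-ENC-2", "FW-B-IAM-1", "FW-B-LOG-1", "FW-B-NET-1",
}


def _canonical(payload):
    """Stable serialization so the same data always hashes the same way."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def collect_evidence(evidence_type, source, api_path, payload, collected_at=None):
    """Wrap an API response as an evidence record with provenance metadata.

    The timestamp and content hash let an auditor check when the data was
    pulled and that it has not changed since, which a screenshot cannot offer.
    """
    collected_at = collected_at or datetime.now(timezone.utc)
    return {
        "evidence_type": evidence_type,
        "source": source,
        "api_path": api_path,
        "collected_at": collected_at.isoformat(),
        "sha256": hashlib.sha256(_canonical(payload)).hexdigest(),
        "payload": payload,
    }


def verify_evidence(record):
    """Recompute the hash; False means the stored payload no longer matches."""
    return hashlib.sha256(_canonical(record["payload"])).hexdigest() == record["sha256"]


def map_evidence(records, evidence_to_controls=EVIDENCE_TO_CONTROLS):
    """Associate each record with every control it satisfies in one audit.

    Returns {control_id: [evidence hashes]}; uploading once covers all of them.
    """
    mapping = {}
    for rec in records:
        for control in evidence_to_controls.get(rec["evidence_type"], ()):
            mapping.setdefault(control, []).append(rec["sha256"])
    return mapping


def crosswalk(controls_a, crosswalk_table=CROSSWALK_A_TO_B):
    """Translate controls satisfied in framework A into framework B controls."""
    covered = set()
    for control in controls_a:
        covered |= crosswalk_table.get(control, set())
    return covered


def coverage_for_b(records, framework_b=FRAMEWORK_B_CONTROLS):
    """Framework B controls already evidenced by A's library, and the ratio."""
    covered = crosswalk(map_evidence(records).keys()) & framework_b
    return covered, len(covered) / len(framework_b)


if __name__ == "__main__":
    evidence = [
        collect_evidence("storage_encryption_at_rest", "object-storage",
                         "/v1/buckets/example-prod-data/config", SAMPLE_BUCKET_CONFIG),
        collect_evidence("iam_policy", "iam", "/v1/policies/admin",
                         {"mfa_required": True, "max_session_hours": 8}),
    ]
    print("controls satisfied in FW-A:", sorted(map_evidence(evidence)))
    covered, ratio = coverage_for_b(evidence)
    print(f"FW-B already {ratio:.0%} covered by reuse: {sorted(covered)}")
```

In a real system of record the collector would call the cloud provider's API, store the record, and re-run on a schedule so that `verify_evidence` and a fresh collection together reveal drift; the mapping and cross-walk tables would come from the organization's control library rather than module constants.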
Security and DevOps engineers used to spend hundreds of hours manually recording configuration data and taking screenshots to prepare for audits. Automation frees up those person-hours that can be spent on getting new features and products to market faster and makes it easier to update evidence for future audits. These savings, plus the increased complexity of managing compliance in the cloud, will lead enterprises to aggressively pursue automated solutions for the end-to-end audit prep process.
We’ll be posting major enterprise compliance trends #2 and #3 in the coming weeks, so keep an eye on this blog.
– Matt