If you provide cloud managed services for your customers, then compliance shouldn’t only be on your clients’ minds. Ensuring a cloud environment that aligns to regulatory standards is critical for stakeholders in their organizations — and your own.
Each year, there are new regulations to follow and old regulations that still require compliance. Whether this is a customer’s first audit or tenth, there is always room to improve. As their service provider, you can help the customer ensure that their cloud environment remains secure, compliant, and audit-ready at all times.
Develop Your Cloud Security and Compliance Checklists
Auditors ensure that information is properly safeguarded, so that customers don’t face penalties for non-compliance. They are there to verify that this data is not exposed to data theft or other cybersecurity risks. Your role as service provider is to help stakeholders view the audit not as a punishment but an opportunity to demonstrate the value of the cloud in their business operations.
When it comes to security and compliance in the cloud, the technology you have in place can be a valuable resource for your clients. Some audits, like HIPAA, expect to see you continually improving your security posture each year. Having a cloud management tool in place like CloudCheckr CMx will give you a “scoreboard” for your customers’ compliance across many regulatory standards. This scoreboard should help your customers show their auditors that they are continuously working to improve the security and compliance posture of their environment. Moreover, since several regulations overlap in audit requirements, you can use these dashboards and reports to help you perform each audit without needing to duplicate work.
You might find that your customers feel unprepared, like they don’t know what to do, when it comes time for a new audit. As their service provider, you can help them develop a robust cloud security and compliance strategy. Here are five cloud security and compliance checklists you can use to help your customers keep track of evidence, harden their environments, retain crucial logs and records, protect sensitive data, and review access:
Have Evidence Available for All Artifacts
In preparation for the audit, your customers will need a controlled, easy-to-access place to manage artifacts. There are many tools on the market. Pick one and organize artifacts by the request ID. For instance, if “Verify HTTPS is used on Web Servers” is HIPAA SEC1.0.5, then your document or screenshots pertaining to that request should be named HIPAA SEC1.0.5-NGINXConfig or HIPAA SEC105_Findings.
All stakeholders involved should make it easy for auditors to validate compliance without having to hunt for answers. If the auditors cannot find the proof, they may simply mark the item unresolved. Have your customers build an accountability spreadsheet to track who owns each artifact, where it is located, when it was last updated, when it was delivered to the auditor, etc. Once the list of requests arrives from the auditors, progress quickly becomes hard to track unless every action has been methodically accounted for.
- Keep track of artifacts and prepare to reuse them. Auditors may request them again later.
- Store documentation in a place that leverages access control and revisions.
- Develop a naming convention for evidence based on the control/request/article, etc. Make it easy for stakeholders and the auditor to match up compliance.
- Get as much data as possible to the auditor before they begin. It will impress them and set the precedent that security and compliance are high priorities!
- Use a progress tracking sheet, or a “legend,” for the audit. Don’t rely on emails and status reports to track progress. Don’t expect the auditors to do it for the customer! It is their job to verify the data, but it is the job of you and your stakeholders to get it to them.
- Ensure that customers have detailed archiving in place, ideally several years back, to ensure that they can stay audit-ready in the future.
Harden the Cloud Environment to Rigorous Standards
Now let’s dig in deeper. The real trick to technical compliance is automation and predictable architecture. Without them, you’d have to re-verify every technical control by hand each time.
Here are a few best practices your clients should follow to ensure that their environments are hardened against rigorous security and compliance standards:
- Install all security patches and have an easy way to show patches installed.
- Scan your servers and cloud for vulnerabilities (at least quarterly).
- Remediate vulnerabilities within a defined timeframe, e.g., criticals within 96 hours, highs within two weeks, mediums within 60 days, lows within 90 days, and automate the fixes with Puppet or the configuration management tool of your choice. Unresolved criticals and highs will set off big alarms with the auditors.
- Bake hardening and patches into images. When servers come up, they should be security- and compliance-“ready.”
- Build integration testing into your security work if you don’t already have it; without it, regression testing will be painful.
- Apply least privilege to open ports in firewalls, network ACLs, security groups, iptables/firewalld, Windows Advanced Firewall, and the like. Use Infrastructure as Code if and whenever possible.
- Use industry guides to help you harden.
- Don’t shoot for 100 percent up front but make reasonable progress. This is what auditors expect to see.
- Use tools to help you scan and harden.
- Keep a compliance dashboard.
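The remediation windows in the checklist above are only useful to an auditor if the customer can show, per finding, whether the window was met. The following added example (not CloudCheckr code or any product’s API) applies those windows to a constructed scanner export and produces the per-severity counts a compliance dashboard would display; the timestamps, finding ids and hostnames are made up, and the SLA values are taken from the list above as a hypothetical policy.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical remediation policy, using the windows from the checklist above.
REMEDIATION_SLA = {
    "critical": timedelta(hours=96),
    "high": timedelta(weeks=2),
    "medium": timedelta(days=60),
    "low": timedelta(days=90),
}

# Constructed sample findings in the shape of a simple scanner export
# (not real output of any scanner, hosts and ids are invented).
SAMPLE_FINDINGS = [
    {"id": "F-1", "host": "web-01", "severity": "critical",
     "first_seen": "2024-03-01T08:00:00Z", "resolved": None},
    {"id": "F-2", "host": "web-01", "severity": "high",
     "first_seen": "2024-02-20T08:00:00Z", "resolved": "2024-02-25T10:00:00Z"},
    {"id": "F-3", "host": "db-01", "severity": "medium",
     "first_seen": "2024-01-01T00:00:00Z", "resolved": None},
    {"id": "F-4", "host": "db-01", "severity": "informational",
     "first_seen": "2024-03-01T00:00:00Z", "resolved": None},
]

def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(finding, now):
    """Return 'resolved', 'resolved_late', 'within_sla', 'overdue' or 'unrated'."""
    sev = finding["severity"].lower()
    if sev not in REMEDIATION_SLA:
        return "unrated"   # no window defined: surface it rather than silently pass
    deadline = parse_ts(finding["first_seen"]) + REMEDIATION_SLA[sev]
    if finding["resolved"] is not None:
        return "resolved" if parse_ts(finding["resolved"]) <= deadline else "resolved_late"
    return "within_sla" if now <= deadline else "overdue"

def sla_report(findings, now):
    """Per-(severity, status) counts for a dashboard, plus the overdue ids
    an auditor will ask about first."""
    counts, overdue = {}, []
    for f in findings:
        status = classify(f, now)
        key = (f["severity"].lower(), status)
        counts[key] = counts.get(key, 0) + 1
        if status == "overdue":
            overdue.append(f["id"])
    return counts, overdue

if __name__ == "__main__":
    print(sla_report(SAMPLE_FINDINGS, parse_ts("2024-03-06T08:00:00Z")))
```

Feeding the real scanner export and the current time into sla_report gives the evidence for the "Remediate vulnerabilities" item directly, and the overdue list is exactly what must be empty for criticals and highs before the audit.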