How to approach cloud compliance monitoring
Compliance monitoring is a critical practice. Learn how to build a cloud compliance monitoring strategy from application design and development to ongoing operations.
Failure to meet compliance requirements can result in expulsion from industry groups, hefty fines and, at worst, prosecution. Compliance monitoring is a critical practice, both on premises and in the cloud.
Compliance monitoring encompasses areas from the database to the network, and tasks from application updates to incident response. To build a cloud compliance monitoring strategy, first understand the regulations or standards that affect your business. Then, implement monitoring practices and tools based on your specific compliance requirements and the cloud platforms in use.
Understand compliance requirements
Every industry has regulations, as well as bodies that issue certifications and accreditations. Government entities enforce regulations and standards. To track these, a company's legal department should have a list of applicable compliance standards. Some organizations include a compliance officer, and they may have an internal audit group as well.
Common compliance standards or regulations include GDPR, the Sarbanes-Oxley Act, HIPAA and PCI DSS.
Each compliance standard has an associated set of procedures that an organization must follow, as well as safeguards to apply. Cloud compliance monitoring is a matter of collecting and organizing data on these procedures and safeguards.
Key monitoring tasks
Compliance monitoring in the cloud requires a number of tasks, including:
- application-access monitoring
- database protection and surveillance
- application change management
- incident management and escalation
- network monitoring and security
- log monitoring and management
One common strategy is to use the data collected by cloud and network monitoring tools to create a centralized view of compliance status across all these domains. This approach aligns well with current cloud and network monitoring practices.
To start a cloud compliance monitoring strategy, divide the tasks identified above. Some are design-time considerations. Here, an application will meet or fall short of compliance standards based on how developers build it. Others are run-time considerations, meaning the application requires surveillance during operations to validate compliance. The specific tools and procedures an organization applies to its cloud applications depend on how compliance requirements map to these categories.
Build design-time compliance standards into the development pipeline, and validate them through logging and version monitoring. The former requires a systematic way to initiate, execute, review, test and deploy cloud software. Teams must identify tools that enforce and document the requirements of each applicable standard. During application design and development, developers should insert event or logging triggers into code to make compliance events visible to monitoring tools.
Tools for software security and pipeline management, such as Veracode and Checkmarx, help enforce design-time compliance requirements. Tools that audit software and data practices, including Momentum QMS, Black Duck from Synopsys and Gensuite, can be helpful additions. They are not specific to a particular cloud platform. Compliance management tools that control how user accounts access cloud applications and resources may also be useful; examples include Active Directory, LDAP, application access control tools and zero-trust tools.
Cloud teams can use IT log and event management tools and practices to confirm design-time compliance. For example, log analysis can detect the completion of a records backup or a possible compliance violation via unauthorized access. The goal is to validate the practices established during application design, ensure their successful implementation, and identify anything missed or done incorrectly. Log aggregation, management and monitoring tools include products from Dynatrace, Sumo Logic, SolarWinds and many others.
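The two checks described above, confirming that a records backup completed on schedule and flagging access by an unauthorized principal, can be run over the structured compliance events that logging triggers emit. The following is an added example, not code from the article or from any vendor named in it; the log lines, field names, event names and the access policy are all constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample log lines: the kind of structured "compliance events"
# an application emits from logging triggers. Field and event names are
# assumptions for this example, not a real schema.
SAMPLE_LOG = """
{"ts": "2024-03-01T01:05:00Z", "event": "records.backup.completed", "dataset": "customer-records", "principal": "svc-backup"}
{"ts": "2024-03-01T09:12:31Z", "event": "db.access", "dataset": "customer-records", "principal": "alice"}
{"ts": "2024-03-01T09:40:02Z", "event": "db.access", "dataset": "customer-records", "principal": "contractor-7"}
{"ts": "2024-03-01T10:00:00Z", "event": "app.deploy", "version": "4.2.1", "principal": "ci-runner"}
{"ts": "2024-03-02T02:30:00Z", "event": "records.backup.completed", "dataset": "customer-records", "principal": "svc-backup"}
"""

# Policy inputs an organization derives from its own applicable standard.
AUTHORIZED_PRINCIPALS = {"customer-records": {"alice", "svc-backup"}}
BACKUP_INTERVAL_HOURS = 24


def parse_events(raw):
    """Parse newline-delimited JSON into events with a datetime 'ts'.
    Malformed lines are counted rather than dropped silently, because a
    gap in evidence is itself a finding an auditor will ask about."""
    events, malformed = [], 0
    for line in raw.splitlines():
        if not line.strip():
            continue
        try:
            evt = json.loads(line)
            evt["ts"] = datetime.fromisoformat(evt["ts"].replace("Z", "+00:00"))
            events.append(evt)
        except (ValueError, KeyError, TypeError):
            malformed += 1
    return events, malformed


def evaluate(events, authorized, interval_hours):
    """Return findings: backup intervals that exceeded the policy window,
    and data accesses by principals outside the dataset's allow-list."""
    findings = {"backup_gaps": [], "unauthorized_access": []}
    last_backup = {}
    for evt in sorted(events, key=lambda e: e["ts"]):
        ds = evt.get("dataset")
        if evt.get("event") == "records.backup.completed":
            prev = last_backup.get(ds)
            if prev and (evt["ts"] - prev).total_seconds() > interval_hours * 3600:
                findings["backup_gaps"].append((ds, prev, evt["ts"]))
            last_backup[ds] = evt["ts"]
        elif evt.get("event") == "db.access":
            if evt.get("principal") not in authorized.get(ds, set()):
                findings["unauthorized_access"].append((ds, evt.get("principal"), evt["ts"]))
    return findings
```

In the sample, the second backup lands more than 24 hours after the first, so one backup gap is reported, and the access by contractor-7 is flagged while alice's is not.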
Tools for cloud compliance monitoring
Smaller organizations that lack IT management and monitoring tools should consider tools that combine monitoring and compliance-policy analysis. These have significant ease-of-use benefits. But they might only support certain standards and cloud platforms.
If a company's compliance requirements are limited to common standards, such as GDPR or HIPAA, it's fairly easy to find monitoring tools that will gather data from the cloud-hosted application and report on the findings in a standard, specific way. Some tools are specific to a cloud provider, such as Dash ComplyOps, which is designed for AWS. Other tools, such as Kion (formerly cloudtamer.io), offer broad compliance monitoring and mapping features, as well as cloud management capabilities. Kion supports specific compliance standards, along with generalized monitoring that organizations can relate to compliance standards through policies.
If you can't find a cloud compliance monitoring tool that fits your requirements, use multiple cloud monitoring tools in concert to collect the proper information. Security monitoring is generally a component of compliance monitoring. General-purpose tools from IT vendors such as SolarWinds and NetApp usually work for this task. Logging tools from cloud providers or centralized logging tools often contribute compliance data beyond security compliance. Examples from cloud vendors include Amazon CloudWatch logs in its Centralized Logging service or Azure Monitor's set of analytics and management capabilities. In these cases, organizations may need a manual process to assemble and interpret the collected data.
If a company uses a single cloud provider, the steps to gather and analyze data for compliance are fairly straightforward. In multi-cloud, and in some hybrid cloud deployments, organizations might need to monitor each cloud deployment independently and correlate the data through offline analytics tools.
Cloud commitments can change over time. Document all processes and the selection criteria used to pick tools and approaches.