Auditability — A litmus test for cloud adoption maturity


Collaborating with a broad spectrum of businesses representing diverse sizes and domains for a prominent cloud provider like AWS reveals industry trends, notably cloud adoption strategies and maturity levels.


Materialised patterns appear driven by a blend of client preferences and best-practice recommendations. Interestingly, conventions do not always align with organisation size or domain. For example, numerous security measures are equally relevant regardless of classification. Forming a well-architected multi-account landing zone foundation for AWS usage is now a prerequisite. This arrangement supports efficient and effective control realisation irrespective of the number of accounts under management. Adopting AWS services such as AWS Security Hub, Amazon GuardDuty, and Amazon Inspector is commonplace, as they perform vital functions like centralised security posture oversight, intrusion detection, and vulnerability scanning. Applied actions provide a convenient perspective for adoption evaluation. The focus is typically on preventative and detective controls, followed by mechanisms supporting automatic remediation as maturity levels increase.


One area that receives less emphasis than 'top of mind' concerns like security is auditability. The attention normally directed at platform observability, telemetry capture, and archiving per regulatory and compliance requirements only partially addresses this non-functional factor. Information is gathered and stored verbatim with little post-processing, contextualisation or insight, and this content requires manual scrutiny during an eventual assessment. For example, convention within AWS stipulates the definition of a centralised log archive account. This secure location houses log streams that originate from across a landing zone. These audit trails enable retrospective review and forensic analysis, but they remain unedited 'raw' source material.

Maintaining an audit-ready posture denotes an evolution within the auditing domain. This form requires continual assessments that survey controls for information technology systems, regulatory compliance, accounting practices and operational procedures. In addition, the approach relies on technology to foster repeatable and fully automated processes with real-time verification and error checking. As a result, organisations pursuing this approach stand to realise benefits like:

  • Simplified remediation processes via prompt detection of non-compliance, thereby reducing the risk of financial loss or reputational damage.
  • An audit-ready posture that lessens audit process costs and improves efficiency.
  • Continual feedback loops focused on anomaly detection that lead to improvements in control definition and application.
  • Service Level Agreement (SLA) compliance tracking through chronologically assessing and recording Service Level Indicators (SLIs).
  • Improved efficiency of the underlying monitoring processes.

To this end, AWS released a service called AWS Audit Manager nearly two years ago to aid ongoing appraisals. Yet, anecdotal evidence suggests that adoption rates are low, thus potentially signifying a lack of process maturity. AWS Audit Manager continually reviews AWS operations to simplify compliance and risk appraisal against industry standards and regulations. The service offers the following features:

  • AWS usage to control mapping — frameworks representing named groupings of controls that either automatically leverage AWS Security Hub, AWS Config, AWS CloudTrail, and AWS API calls as data sources or are manual. The tool serves both predefined and custom variants. Predefined frameworks denote prominent compliance standards and regulations such as the General Data Protection Regulation (GDPR), System and Organisation Controls (SOC) 2, the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). Custom frameworks are created from scratch or by employing an existing instance. For example, no predefined framework covers recurring Infosec Registered Assessors Program (IRAP) reviews. IRAP helps Australian Government customers validate control effectiveness and define suitable responsibility models for handling the requirements specified in the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC). Using AWS Audit Manager, stipulating a custom framework to sustain the automated and manual aspects of a customer's unique IRAP provisions is easily achieved.
  • Control efficacy assessment — checks the operational effectiveness of controls depicting policies, procedures, and activities.
  • Evidence collection automation — saves time by automatically gathering proof demonstrating compliance status, thus eliminating the burden associated with traditional 'last-minute' manual efforts.
  • Optimised team collaboration — facilitates audit stakeholder cooperation, for example, by delegating control assessment to Subject Matter Experts (SMEs) for review.
  • Audit-ready report production — continual evidence collection and storage provides the information source required to produce audit reports for assessments. Each document begins with a high-level overview incorporating a report summary and a synopsis of the assessment process that drove its composition, followed by a Table of Contents (TOC) for navigation. Selecting a hyperlink for a control within the TOC takes a reader to the corresponding section containing a detailed breakdown of its evidence. Links for automatically gathered evidence redirect to PDF files containing granular details, while those for manually assembled proof point to S3 buckets holding supplementary information.
  • Evidence and report integrity assurance — secure access-controlled locations such as S3 buckets can store evidence and other audit-related artifacts. For example, the admittedly inadequately named Log Archive Account represents a logical destination for resultant audit reports. AWS Audit Manager also delivers report file checksums that assure disclosed evidence remains unaltered.
  • Review-related notifications — generates notifications for workflow events such as designating a control for review, a delegate returning a reviewed control set to the audit owner, or the audit owner closing the assessment. Notifications can be transmitted via email or to destinations like shared channels within collaboration platforms like Teams or Slack using AWS Simple Notification Service (SNS) topics.
  • Changelog for audit process tracking — records all appraisal activity for a given control. This audit trail logs actions like assessment creation, editing, completion or deletion, control set delegation for review, evidence uploading, control status changes and report generation.

AWS Audit Manager portrays an evolution in cloud adoption maturity as it relies on a well-formed AWS foundation and the appropriate use of services like AWS Security Hub, AWS Config, and AWS CloudTrail to sustain scalable governance and security controls. The service also integrates with complementary features like AWS Backup Audit Manager, which supports maintaining and demonstrating data protection compliance within the context of the AWS Backup service.

AWS Audit Manager's functionalities will continue to evolve as adoption rates increase. For example, deficiencies exist in its interoperability with monitoring-related services like AWS Resilience Hub, which continuously tracks application response to failure in terms of metrics such as Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Resultant measures are pertinent for SLA compliance verifications. In addition, AWS Resilience Hub leverages another service called AWS Fault Injection Simulator (FIS). This Chaos Engineering facility offers pre-emptive simulations of real-world failures, confirming application behavioural expectations.

Auditability gains do not traditionally motivate shifts to the public cloud. However, this quality attribute represents a natural expression of technology usage, form and governance.

Ironically, critically assessing maturity in this dimension indirectly appraises other more immediate concerns.

Originally published at https://www.linkedin.com.


Auditability — A litmus test for cloud adoption maturity was originally published in Towards AWS on Medium, where people are continuing the conversation by highlighting and responding to this story.
