AWS Cloud Enterprise Strategy Blog

3 Benefits of Automating Compliance in the Cloud

“It takes 20 years to build a reputation and five minutes to ruin it.” — Warren Buffett

I’ve supported compliance and security requirements throughout my technology career. In some cases, these requirements were extremely burdensome — for example, when my team was preparing for a Department of Defense audit, which consumed more than 50% of our time for months on end. But, in almost every case, I was able to promote the use of automated solutions to make our lives easier, while enhancing our security and compliance posture as well. And today, moving to the cloud offers you the potential to significantly improve your compliance efforts without an equally significant increase in personnel and cost.

Let me explain –

Compliance officers are typically charged with assessing and managing risk to the financial, organizational, and reputational standing of an enterprise. This is a tall order in an enterprise setting because of the complexities inherent in people, processes, and technology plus the regulatory variations across industries and geographic regions.

There’s also a natural tension between the business and compliance. Businesses must innovate their products and improve the customer experience. The compliance team, on the other hand, is focused on limiting or preventing risk exposure, which can be at odds with introducing new products and features. That’s why the compliance team often seeks to maintain the status quo. The bottom line is that the natural tension between business and compliance — while healthy at times — can strain relationships and frequently results in increased costs, and slower time-to-market.

Typically, the compliance team engages in an annual compliance assessment, writes a report, and sets goals for remediation. The business and technology teams are then presented with timelines in which to remediate any findings. Product managers and technology leaders understand the importance of compliance, but they often regard the assessment as an “exercise” and a distraction from generating value. For their part, business leaders dread the findings of the annual compliance report because they believe that these “non-functional” requirements will redirect resources to something that’s not on the strategic roadmap for the next few quarters. Furthermore, compliance is frequently addressed as an afterthought in the development process. Unfortunately, however, experience tells us that, left unattended, compliance issues can eventually turn into technical debt.

Even though the compliance process is often perceived as onerous, the outcomes can add meaningful value to the customer. Indeed, informed by legal and ethical considerations, compliance should be seen as a measure of quality that ensures a great customer experience, especially if the review encompasses security, reliability, and responsiveness. Your cloud strategy can play a major role here — by transforming the relationship between business and compliance stakeholders and, thus, improving the outcomes for your enterprise and its customers. More specifically, by including compliance requirements early in the product or service lifecycle, you can ensure that you meet policy and regulations objectives, while improving your value proposition.

Here’s how –

First, there’s an immediate savings in moving to AWS. During my own journey to the cloud, I realized that the AWS Shared Responsibility Model was our friend. In the old days, we had to manage the physical infrastructure in order to ensure regulatory compliance. This caused additional delays when we had to procure hardware to support technology initiatives. It also invariably increased our operational burden, because it usually meant more work for the infrastructure team without additional staffing. By moving our workloads into the cloud, we shifted the responsibility for maintaining a secure and compliant physical infrastructure to AWS, bringing to bear resources and expertise that we could never have provided ourselves. Put another way, we were able to grow our capabilities, while decreasing the surface area we had to secure on our own. This freed up time for our operations team to focus on other value-added work, such as creating additional automation.

AWS Shared Responsibility Model

Second, shifting workloads to the cloud encourages greater automation. Environments can be deployed based on standardized and approved templates, which can then be version-controlled. This concept is known as “infrastructure-as-code,” and the security and compliance benefits are profound. When infrastructure is managed as code, infrastructure can automatically be validated using scripts that ensure security best practices are followed. AWS also supports defining compliance rules in AWS Config that can be automatically verified. As a result, when automation is leveraged, the compliance team can validate legal and security requirements every time the system is changed, rather than relying on a periodic system review. In addition, compliance and security test automation can be pushed into the software development process with the potential to prevent policy violations before they are deployed into production. Lastly, findings can be captured in a daily report and sent to a ticketing system that assigns the problem to a specific individual or even triggers an automated remediation response. Capital One, for instance, has developed a rules engine called Cloud Custodian that it uses to define and programmatically enforce policies in its cloud platform.

And third, when the automated process or manual review identifies a problem, the remediation can be much easier to deploy. In the case of an infrastructure vulnerability, for example, the infrastructure template can be modified in code and will automatically be applied for all future implementations. If the problem exists in an application, the risk might be mitigated either by deploying a fix to the application, or by implementing a compensating control, such as adding a rule to the AWS Web Application Firewall.

Over time, your cloud strategy can foster a proactive culture of compliance that regards compliance and security as value-added customer-centric activities. You’ll reach this milestone when your product team includes compliance requirements as user-stories in the product backlog, or when developers routinely add compliance-related tests to their software development process.

Let me know if you’ve automated your compliance process in AWS, or if you’d like to learn more about this topic. In the meantime, here are some additional resources that might be helpful —

Automating Governance on AWS

How to Monitor AWS Account Configuration Changes and API Calls to Amazon EC2 Security Groups

Introduction to DevSecOps on AWS — Slideshare

AWS re:Invent 2016: Compliance Architecture: How Capital One Automates the Guard Rails

Until next time,

– Thomas

Thomas
thoblood@amazon.com
@groberstiefel