“A haze rested on the low shores that ran out to sea in vanishing flatness. The air was dark above Gravesend, and farther back still seemed condensed into a mournful gloom, brooding motionless…”
— Joseph Conrad, Heart of Darkness
Like a boat on calm waters, the cloud can make your IT operations seem like smooth sailing. No servers to manage, no updates to deploy. Just show up, look captain-like, give some orders here and there, and let the azure sea carry you lightly into port.
But the tides can change if you’re not maintaining close and continuous awareness of your cloud and its security posture. It can get a little rough out there. Some inadvertent misconfigurations appear, or maybe you discover that you’ve been operating with the default settings on your HR app or other systems of record. Turns out, some of these kinds of mistakes can result in private data being exposed and leave you out of compliance with the controls you are subject to.
All of a sudden, the rogue waves of cloud compliance can come crashing onto your decks in an untenable fashion. For every hole you plug, you discover a new resource that’s been launched into your cloud environment that needs to be configured and integrated. Before you know it, you’re going down below only to find that you’re taking on water, and the already turbulent waters continue to drench your efforts to stay afloat.
At this point, a unique creature can rear its ugly head, and in a way no one is prepared for. With his NIST spreadsheets and manila folders, he creeps along your decks while system admins and cryptographers alike gasp. The Auditor from the Black Lagoon! He shows up prepared, too, knowing every line of ISO 27001 and able to recognize immediately where you are out of compliance. Fear is likely to take hold, but the auditor only brings to light a reality that you created in the first place.
The auditor’s job is to make sure that the ship is seaworthy. In the course of standard operations, you’re likely sailing through often rough and choppy water, and your ship will sustain some dings. If you’re not monitoring the state of your ship on a consistent basis, you can miss the fact that you have rips in your sails, cracks in your jib and holes in your hull. By the time the auditor appears, you probably already have too many issues, and you need to pull into port, drop anchor, and stop making forward progress toward your destination.
A cloud environment can get into dark waters if there are compliance lapses and you build up too much of a compliance backlog. And if reporting isn’t easily available, then you’re undoubtedly in for some major problems. Auditors want validation that you’ve identified issues and made attempts to rectify them. It’s important that they can see how you’ve operated and how you’re creating processes to improve your overall security posture. From there, they will work with your crew to create a reasonable Plan of Action and Milestone Template (POAM) that will help to bail you out.
Auditors will always make an appearance in your compliance and security operations, but they don’t have to be a scary presence. If you have a way to monitor your ship continually, you can fix those rips in your sails and patch the holes in your hull as you find them. Auditors want to see that things are ship-shape, and if repairs are noted in the Captain’s log and easily accessible, then you’ll hopefully get faster and easier validation that your ship and your ship’s crew are prepared to weather even the most challenging storm.
Be ready for your next commission. Implement a solution that automates compliance in the cloud, provides one-click reporting, and facilitates faster remediation. You and your crew will be back on the high seas in no time and you’ll be able to leave this auditor behind.