Native tools versus open-source tools

There are two broad categories of tools available to secure cloud services. The two categories are native tools offered by cloud service providers and open-source security tools. The AWS platform is more mature than Azure and GCP. As a result, AWS has more native tools for performing audits. With native tools, you can get better integration and performance. However, you forgo portability as native tools are tied to a specific cloud provider.

On the other hand, open-source tools provide more flexibility and less dependence on proprietary cloud platforms. However, they may be more complex to integrate. Organizations should weigh their use cases and determine what approach to take. Ultimately, the decision regarding what type of tools to use to secure your cloud services will depend on the specific cloud architecture and the nature of the cloud customer’s security needs.

Now that we’ve reviewed a list of frameworks and tools to help with auditing, let’s discuss automating compliance.

Leveraging policy and compliance automation

Cloud deployments are too dynamic for organizations to rely on manual processes alone. Given the complexity and scale of the platforms in the cloud, it is a challenge for teams to manually apply or validate security and compliance policies. As a result, there are numerous opportunities for the IT auditor to leverage automation to assess and enforce policy and compliance in the cloud. Cloud automation is the use of automated tools and processes to execute workflows in a cloud environment that would otherwise have to be performed manually.

One tool an IT auditor can utilize to monitor changes in a cloud customer’s environment is Terraform Enterprise. Terraform Enterprise includes a policy framework named Sentinel. Sentinel checks that the code an organization writes to provision its infrastructure conforms to defined policies. This idea is called Compliance as Code or Policy as Code.

With Compliance as Code, controls and policies are agreed upon and defined in a tool such as Sentinel. Sentinel continuously monitors the managed applications for changes, and every change is evaluated against the compliance rules. If Sentinel detects that a change would put an application in violation of a rule, it triggers another action or returns the application to a compliant state.

As an example of Compliance as Code, imagine a company that is subject to PCI regulations. Requirement 4 of PCI mandates an organization to “Protect Cardholder Data with Strong Cryptography during Transmission over Open, Public Networks.” The organization has a standard to implement Transport Layer Security (TLS) 1.2 or newer for data in transit, which is a strong cryptographic standard.

The organization can then write a policy in Sentinel that evaluates whether there are any protocols older than TLS 1.2 running on the organization’s systems. If a violation is found, Sentinel triggers an alert, allowing the IT auditor to monitor this control.
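The TLS 1.2 check described above, written here as an added example in Python over the JSON plan that `terraform show -json` produces rather than in Sentinel's own policy language (this is not code from the book or from HashiCorp). The resource types and attribute names follow the azurerm and aws Terraform providers, and the embedded plan is a constructed sample.

```python
"""Policy-as-code check: flag planned resources whose TLS floor is below TLS 1.2."""
import json
# Per resource type: path to the "minimum TLS" attribute in the planned values, and
# the values that satisfy the standard. Attribute names follow the azurerm/aws providers.
TLS_RULES = {
    "azurerm_storage_account": (("min_tls_version",), {"TLS1_2"}),
    "aws_cloudfront_distribution": (("viewer_certificate", 0, "minimum_protocol_version"),
                                    {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}),
}

def _lookup(obj, path):
    """Walk nested dicts/lists by key; return None if any step is missing."""
    for key in path:
        try:
            obj = obj[key]
        except (KeyError, IndexError, TypeError):
            return None
    return obj

def find_tls_violations(plan):
    """Return (address, value) for each created/updated resource whose planned TLS floor is
    not allowed. Deletes are skipped; a missing attribute counts as a violation."""
    violations = []
    for rc in plan.get("resource_changes", []):
        rule = TLS_RULES.get(rc.get("type"))
        if rule is None or not {"create", "update"} & set(rc["change"]["actions"]):
            continue
        path, allowed = rule
        value = _lookup(rc["change"].get("after") or {}, path)
        if value not in allowed:
            violations.append((rc["address"], value))
    return violations

# Constructed sample in the shape `terraform show -json tfplan` emits, trimmed to fields used.
SAMPLE_PLAN = json.loads("""{"format_version": "1.2", "resource_changes": [
 {"address": "azurerm_storage_account.logs", "type": "azurerm_storage_account",
  "change": {"actions": ["create"], "after": {"min_tls_version": "TLS1_0"}}},
 {"address": "azurerm_storage_account.cardholder", "type": "azurerm_storage_account",
  "change": {"actions": ["update"], "after": {"min_tls_version": "TLS1_2"}}},
 {"address": "aws_cloudfront_distribution.legacy", "type": "aws_cloudfront_distribution",
  "change": {"actions": ["delete"], "after": null}},
 {"address": "aws_cloudfront_distribution.web", "type": "aws_cloudfront_distribution",
  "change": {"actions": ["create"],
             "after": {"viewer_certificate": [{"minimum_protocol_version": "TLSv1"}]}}}
]}""")

if __name__ == "__main__":
    for address, value in find_tls_violations(SAMPLE_PLAN):
        print(f"VIOLATION {address}: minimum TLS is {value!r}; policy requires TLS 1.2 or newer")
```

Run against a real plan with `terraform show -json tfplan > plan.json` and load that file in place of SAMPLE_PLAN; a non-empty result is the alert the auditor monitors.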

Further details on implementing Terraform Enterprise can be found in Chapter 10, Walk-Through – Assessing Change Management, Logging, and Monitoring Policies.

Summary

In this chapter, we reviewed some key elements to be aware of when preparing to perform an effective audit within a cloud environment. Our goal was to ensure you have the frameworks, techniques, and tools at your disposal to build confidence in your enterprise cloud auditing. Knowing and understanding these key elements prepares you for success, helps you be proficient and efficient in your evidence gathering, and potentially reduces the time it takes to complete an audit program. We learned about the preparation steps and frameworks for performing a cloud audit, the established tools, either natively available or open-source, that help you efficiently collect testing evidence, and the opportunities that exist to automate compliance enforcement and assessment.

The information we discussed in this chapter has hopefully equipped you so that you can begin establishing an audit program playbook using widely available resources. Now that we have reviewed the techniques to get started with an enterprise customer cloud audit, in the next chapter, we will dive deeper into one of the premier areas for compliance assessment – Identity and Access Management.