How to approach cloud compliance monitoring – TechTarget

Failure to meet compliance requirements can result in expulsion from industry groups, hefty fines and, at worst, prosecution. Compliance monitoring is a critical practice, both on premises and in the cloud.
Compliance monitoring encompasses areas from the database to the network, and tasks from application updates to incident response. To build a cloud compliance monitoring strategy, first understand the regulations or standards that affect your business. Then, implement monitoring practices and tools based on your specific compliance requirements and the cloud platforms in use.
Every industry has regulations, as well as bodies that issue certifications and accreditations, and government entities enforce the regulations and standards that apply. To keep track of them, a company's legal department should maintain a list of the compliance standards that apply to the business. Some organizations also appoint a compliance officer, and some have an internal audit group as well.
Common compliance standards or regulations include GDPR, the Sarbanes-Oxley Act, HIPAA and PCI DSS.
Each compliance standard has an associated set of procedures that an organization must follow, as well as safeguards it must apply. Cloud compliance monitoring is the practice of collecting and organizing evidence that those procedures were followed and that those safeguards are in place and working.
Compliance monitoring in the cloud requires a number of tasks, including:
One common strategy is to reuse the data that cloud and network monitoring tools already collect to build a centralized view of compliance status across all of these domains, rather than standing up a separate collection path for compliance alone. This approach fits naturally with current cloud and network monitoring practices.
To start a cloud compliance monitoring strategy, divide the tasks identified above. Some are design-time considerations. Here, an application will meet or fall short of compliance standards based on how developers build it. Others are run-time considerations, meaning the application requires surveillance during operations to validate compliance. The specific tools and procedures an organization applies to its cloud applications depend on how compliance requirements map to these categories.
Build design-time compliance standards into the development pipeline, and validate them through logging and version monitoring. The former requires a systematic way to initiate, execute, review, test and deploy cloud software, and teams must identify tools that both enforce and document the requirements of each applicable standard. During application design and development, developers should insert event or logging triggers into the code so that compliance-relevant events (a completed backup, an access decision on regulated data) are visible to monitoring tools rather than buried in free-form application logs.
Tools for software security and pipeline management, such as Veracode and Checkmarx, help enforce design-time compliance requirements. Tools that audit software and data practices, including Momentum QMS, Black Duck from Synopsys and Gensuite, can be helpful additions; none of these are specific to a particular cloud platform. Identity and access tools that control how user accounts reach cloud applications and resources, such as Active Directory, LDAP, application-level access control and zero-trust products, may also be useful, since most standards require demonstrable control over who can access regulated data.
Cloud teams can use IT log and event management tools and practices to confirm at run time that the design-time controls actually operate. For example, log analysis can detect the completion of a records backup, or flag a possible compliance violation such as an unauthorized access attempt. The goal is to validate the practices established during application design, confirm that they were implemented successfully, and identify anything that was missed or done incorrectly. Log aggregation, management and monitoring tools include products from Dynatrace, Sumo Logic, SolarWinds and many others.
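The two halves described above, a design-time logging hook and a run-time scan of the resulting log, fit together as follows. This is an added illustration, not code from the article or from any of the products it names; the control labels ("BKP-1", "ACC-1"), the database names and the sample log lines are all constructed for the example and do not come from any real standard or system.

```python
"""Design-time compliance hooks plus run-time log analysis (constructed example)."""
import json
from datetime import datetime, timezone


# Design-time hook: the application emits one JSON line per compliance-relevant
# event so a log aggregator can pick it up without scraping free-form text.
# Control IDs such as "BKP-1" and "ACC-1" are hypothetical labels for this
# example, not identifiers from any real standard.
def compliance_event(event, control, subject, outcome, **details):
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "kind": "compliance",
        "event": event,        # e.g. "backup" or "access"
        "control": control,    # which requirement this evidence supports
        "subject": subject,    # the regulated resource involved
        "outcome": outcome,    # "success", "granted", "denied", ...
        **details,
    }
    return json.dumps(record, sort_keys=True)


# Run-time analysis: scan aggregated log lines, keep only compliance events,
# and derive a status. Non-JSON lines (ordinary application logs) are skipped
# rather than aborting the scan, and missing evidence counts as a failure:
# a backup that never logged "success" is treated as not having happened.
def analyze(lines, expected_backups=frozenset()):
    backups_done = set()
    unauthorized = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("kind") != "compliance":
            continue
        if rec["event"] == "backup" and rec["outcome"] == "success":
            backups_done.add(rec["subject"])
        elif rec["event"] == "access" and rec["outcome"] == "denied":
            unauthorized.append((rec["subject"], rec.get("actor"), rec.get("reason")))
    missing = sorted(set(expected_backups) - backups_done)
    return {
        "backup_missing": missing,
        "unauthorized_access": unauthorized,
        "compliant": not missing and not unauthorized,
    }


# Constructed sample log: one ordinary line plus three compliance events.
SAMPLE_LOG = [
    "2022-01-10T02:00:01Z INFO scheduler started",
    compliance_event("backup", "BKP-1", "patients-db", "success", size_mb=512),
    compliance_event("access", "ACC-1", "patients-db", "granted", actor="svc-reports"),
    compliance_event("access", "ACC-1", "patients-db", "denied",
                     actor="jdoe", reason="not in role phi-readers"),
]


def run_sample():
    # billing-db is expected to be backed up but never reports success.
    return analyze(SAMPLE_LOG, expected_backups={"patients-db", "billing-db"})


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The design choice worth noting is that `analyze` reports what is absent (the backup that never logged success) as well as what is present (the denied access). Compliance evidence has to show that a required control ran, so a scan that only searches for bad events would silently pass a backup job that never started.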
Smaller organizations that lack IT management and monitoring tools should consider tools that combine monitoring with compliance-policy analysis. These offer significant ease-of-use benefits, but they might support only certain standards and cloud platforms.
If a company’s compliance requirements are limited to common standards, such as GDPR or HIPAA, it’s fairly easy to find monitoring tools that will gather data from the cloud-hosted application and report on the findings in a standard, specific way. Some tools are specific to a cloud provider, such as Dash ComplyOps, which is designed for AWS. Other tools, such as Kion (formerly cloudtamer.io), offer broad compliance monitoring and mapping features, as well as cloud management capabilities. Kion supports specific compliance standards, along with generalized monitoring that organizations can relate to compliance standards through policies.
If you can't find a cloud compliance monitoring tool that fits your requirements, use multiple cloud monitoring tools in concert to collect the necessary information. Security monitoring is generally one component of compliance monitoring, and general-purpose tools from IT vendors such as SolarWinds and NetApp usually serve that part of the task. Logging tools from cloud providers, or centralized logging tools, often contribute compliance data beyond the security domain; examples from cloud vendors include Amazon CloudWatch Logs, as used in AWS' Centralized Logging solution, and Azure Monitor's analytics and management capabilities. In these cases, organizations may need a manual process to assemble and interpret the collected data.
If a company uses a single cloud provider, the steps to gather and analyze data for compliance are fairly straightforward. In multi-cloud, and in some hybrid cloud deployments, each provider produces audit data in its own format, so organizations might need to monitor each cloud deployment independently, normalize the records into a common form and correlate them through offline analytics tools.
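The normalize-then-correlate step for a multi-cloud deployment looks roughly like this. This is an added example rather than anything from the article or from AWS or Microsoft tooling: the two input records are constructed and deliberately simplified (real CloudTrail and Azure activity-log entries carry many more fields, and Azure reports status as a nested object), and joining identities across providers on a shared short username is an assumption made for illustration; in practice the mapping comes from the identity provider.

```python
"""Normalizing audit records from two clouds into one schema (constructed example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    """Provider-neutral shape that the compliance correlation runs on."""
    provider: str
    time: datetime
    actor: str
    action: str
    resource: str
    success: bool


def _parse_time(s):
    # Both samples use RFC 3339 timestamps with a trailing "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def from_aws(rec):
    # Simplified CloudTrail-style record (constructed). A missing errorCode
    # is treated as success, which matches how CloudTrail omits it on success.
    return AuditEvent(
        provider="aws",
        time=_parse_time(rec["eventTime"]),
        actor=rec["userIdentity"]["userName"],
        action=rec["eventName"],
        resource=rec.get("requestParameters", {}).get("bucketName", "-"),
        success=rec.get("errorCode") is None,
    )


def from_azure(rec):
    # Simplified Azure activity-log-style record (constructed). The caller is a
    # UPN; its local part is used as the cross-cloud identity (assumption).
    return AuditEvent(
        provider="azure",
        time=_parse_time(rec["eventTimestamp"]),
        actor=rec["caller"].split("@")[0],
        action=rec["operationName"],
        resource=rec["resourceId"].rsplit("/", 1)[-1],
        success=rec["status"] == "Succeeded",
    )


def unified_timeline(aws_records, azure_records):
    """Merge both feeds into one time-ordered list of AuditEvent."""
    events = [from_aws(r) for r in aws_records] + [from_azure(r) for r in azure_records]
    return sorted(events, key=lambda e: e.time)


def actions_by_actor(events, actor):
    """Correlate: everything one identity did, regardless of provider."""
    return [(e.provider, e.action, e.resource) for e in events if e.actor == actor]


# Constructed samples: two AWS-style and one Azure-style record.
AWS_SAMPLE = [
    {"eventTime": "2022-01-10T03:15:00Z", "eventName": "PutBucketEncryption",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"userName": "alice"},
     "requestParameters": {"bucketName": "phi-archive"}},
    {"eventTime": "2022-01-10T03:40:00Z", "eventName": "DeleteBucket",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"userName": "bob"},
     "requestParameters": {"bucketName": "phi-archive"}, "errorCode": "AccessDenied"},
]
AZURE_SAMPLE = [
    {"eventTimestamp": "2022-01-10T03:20:00Z",
     "operationName": "Microsoft.Storage/storageAccounts/write",
     "caller": "alice@example.com",
     "resourceId": "/subscriptions/0000/resourceGroups/rg/providers/"
                   "Microsoft.Storage/storageAccounts/phiarchive",
     "status": "Succeeded"},
]


def run_sample():
    timeline = unified_timeline(AWS_SAMPLE, AZURE_SAMPLE)
    return timeline, actions_by_actor(timeline, "alice")


if __name__ == "__main__":
    for ev in run_sample()[0]:
        print(ev)
```

Once records are in the common shape, the same compliance checks (who changed encryption settings on regulated storage, which destructive actions were attempted and denied) run over both providers without per-provider logic, which is the point of doing the normalization before, not inside, the analytics.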
Cloud commitments change over time, and a future auditor will ask why a given approach was chosen. Document every process, along with the selection criteria used to pick tools and approaches.
All Rights Reserved, Copyright 2010 – 2022, TechTarget
