Audits are an essential, albeit time-consuming, part of a company’s risk management strategy. Before the advent of cloud computing, compliance and audit teams had manual procedures and checklists to help keep everything under control.
Then came the cloud with its promise of speed and scalability. Impressive, except for risk managers, whose physical, stable, on-site environment was transformed into an ever-changing virtual one.
“One of the questions we often get as an auditor is, ‘How do you maintain a control environment for resources that weren’t there yesterday, but are there today?’” said Shariq Qureshi (pictured, right), senior executive at Deloitte Touche Tohmatsu Ltd.
Qureshi and Merritt Baer (pictured, left), Director, Office of the Chief Information Security Officer, at Amazon Web Services Inc., spoke with theCUBE industry analyst Dave Vellante at AWS re:Inforce, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s live streaming studio. They discussed the challenges the cloud has brought to the risk, compliance, and assurance space, and how Amazon Web Services Inc.’s Audit Manager can help manage them. (*Disclosure below.)
AWS automates security, compliance, and internal audit
The challenges of managing risk in a cloud environment go beyond its dynamic nature. There’s the ever-increasing onslaught of data to collect and prove effectively. And, of course, budgets haven’t grown with the workload. Siloed teams waste time and money duplicating evidence sets, a problem exacerbated by overlapping global, regional and local regulations.
AWS Audit Manager automates the compliance and auditing process, relieving risk management teams of the endless task of trying to create consistency of controls in an inconsistent multicloud environment.
“The Audit Manager is a one-of-a-kind service,” Qureshi said. “It is specifically tailored to the second line function, which is security and compliance, and a third line function, which is internal audit.”
Deloitte is a global leader in audit, risk management and assurance consulting and advisory services. The company immediately saw the potential in AWS Audit Manager and guides customers through the design, implementation, and ongoing management of control frameworks in Audit Manager customized for each company’s unique security and compliance requirements.
“Just like a mapmaker has a map to see all of what they’re designing, Audit Manager does the same thing from a cloud perspective,” Qureshi said.
Most companies have multiple frameworks for SOC-2, GDPR, HIPAA, and other regulatory requirements. These are integrated with Audit Manager, allowing organizations to choose one and assess their cloud consumption and where they stand in terms of control posture and security hygiene against it. A recently added feature allows users to pull APIs from third-party sources.
“So now you’re not just looking for one cloud provider; you look at your entire digital ecosystem of services, your tools, your SaaS solutions that you use to get a full and complete picture of your environment,” Qureshi said.
According to Baer, building Audit Manager was not a straightforward process.
“It’s not a snap of the fingers,” she said. “It takes work to translate between the listeners and us [at AWS]; and it also takes work for clients to understand how they can improve their compliance thinking.”
Some of the processes are traditional, such as checking internet-connected devices and pruning permissions, but Audit Manager includes automated reasoning tools that apply machine learning to audit processes.
“It’s like Euclidean in math,” Baer said. “You don’t go out and try to count every prime number. We accept the infinity of primes as true. If you believe in math, then we can reason about it.”
Here’s the full video interview, part of SiliconANGLE and theCUBE’s coverage of the AWS re:Inforce event:
(*Disclosure: Deloitte Touche Tohmatsu Ltd. sponsored this segment of theCUBE. Neither Deloitte nor other sponsors have editorial control over the content of theCUBE or SiliconANGLE.)