No matter where your organization is on your journey to compliance, the costly and time-consuming challenges of meeting security regulations and frameworks are universal. So how can we lift the burden of achieving and maintaining compliance? Through technologies and partnerships that help to automate, navigate, and accelerate the process.
Ian Hutchinson, VP of Sales at DuploCloud, sat down with Cheryl Cage and Anna Kropf on the Security and Compliance Partner team at Amazon Web Services (AWS) to learn more about how the Compliance Alliance and AWS’ Global Security and Compliance Acceleration (GSCA) program help to move organizations forward in their security and compliance journeys.
Tell us about the Compliance Alliance and AWS’ Global Security and Compliance Acceleration (GSCA) program.
The Compliance Alliance is a group of partners that share their expertise and customer stories to help to move organizations forward on their security and compliance journeys. The Global Security and Compliance Acceleration (GSCA) program supports, enhances, and accelerates AWS customers’ ability to meet regulatory compliance standards globally.
What are some of the challenges that organizations face when they’re looking to meet a regulatory framework?
Here are the three most common challenges that AWS customers encounter:
Costly external resources, including consultants and third-party auditors
Bandwidth constraints for internal team members
An incredibly lengthy timeline that can stretch up to two years
How does compliance tie in with AWS?
AWS is continuously audited and maintains certifications and accreditations across the globe. When systems are built in the AWS cloud, its customers share those compliance responsibilities. Some controls can be inherited from AWS, some are shared, and some are solely the customers’ responsibility. Therefore, customers must understand which components they’re responsible for within the scope of their environment.
For an organization that’s new to the regulatory world, what accreditations should they start with?
Here are some key considerations for any organization that’s embarking on its compliance journey:
What is your industry’s regulatory environment, and what do you need to adhere to?
What is your customer base requesting?
What are your competitors accredited in?
What are your objectives around security and marketing for your organization?
Tell me about the security and compliance resources that are available for early-stage organizations.
Some of the resources that AWS recommends to their customers include:
The AWS Startup Security Baseline (AWS SSB) provides prescriptive guidance on a minimized set of controls that an early-stage startup can apply on AWS
The AWS Well-Architected Tool is a framework built around six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability
The Center for Internet Security provides a set of benchmarks and controls around AWS
Tell me about the security and compliance resources that are available for more mature organizations.
The AWS Foundational Technical Review is a free self-service review for organizations that join the AWS partner program. It’s a comprehensive self-assessment, combined with an AWS validation, of your SaaS workload.
What is a compliance roadmap and how can early-stage organizations get started?
There are several industry-accepted standards and frameworks that can help you build a strong security foundation. One that AWS recommends as a starting point for small businesses is CIS Controls, which can help you build up your security posture while mapping to all the other frameworks. NIST also provides a great structured approach to building your compliance program.
What are the benefits of continuous compliance, and what AWS services can help organizations automate it?
Continuous compliance is a proactive approach to maintaining requirements set by frameworks and regulations across your business. It involves four steps: monitoring, detection, remediation, and reporting. Some of the benefits of continuous compliance are:
Keeping your organization compliant in real time
Enhancing your security
Significantly reducing your effort in approaching audits
Improving your organization’s reputation
There are a number of AWS services that are valuable in automating continuous compliance, including AWS Config and AWS Config Conformance Packs, which allow you to continuously evaluate your compliance posture against your technical controls.
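The monitoring, detection and remediation steps described above, expressed as an AWS Config conformance pack template. This is an added example, not DuploCloud’s or AWS’ own configuration: it deploys two AWS managed rules and attaches automatic remediation to the S3 rule via the AWS-owned SSM automation document. The account id and the IAM role name in the ARN are placeholders you must replace.

```yaml
# Conformance pack: continuous compliance for a small environment (constructed example).
# Monitoring/detection: AWS Config evaluates each resource against the managed rules.
# Remediation: a non-compliant bucket triggers the SSM automation automatically.
# Reporting: the pack's compliance summary shows up in the AWS Config console and API.
Resources:
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED   # AWS managed rule

  EbsVolumesEncrypted:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: EbsVolumesEncrypted
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES                  # AWS managed rule

  S3BucketPublicReadRemediation:
    Type: AWS::Config::RemediationConfiguration
    DependsOn: S3BucketPublicReadProhibited
    Properties:
      ConfigRuleName: S3BucketPublicReadProhibited
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite          # AWS-owned automation document
      Automatic: true                # remediate without a human in the loop
      MaximumAutomaticAttempts: 3    # give up after three failed runs
      RetryAttemptSeconds: 60        # wait a minute between attempts
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - arn:aws:iam::111122223333:role/PLACEHOLDER-ConfigRemediationRole  # placeholder
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID       # the non-compliant bucket that triggered the rule
```

The remediation role is the one control you must design yourself: scope it to the s3:PutBucketPublicAccessBlock and related actions the document needs, and nothing broader, so an automated fix cannot be turned into a wider foothold.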
How can organizations speed up the amount of time it takes to achieve compliance?
Organizations can speed up compliance by utilizing partners, like those who are part of the Compliance Alliance. These industry leaders can help customers achieve compliance faster and reduce the burden of maintaining it.
What’s the hardest part about achieving and maintaining compliance?
When it comes to compliance, the hardest part is the volume and implementation of regulatory changes. Whether you’re targeting specific industry verticals or international customers, entering new markets requires continuous education about the latest compliance and regulatory standards. That’s where AWS’ partners come in to help customers navigate and accelerate the process.
What’s the secret sauce for organizations that are doing compliance well?
Customers who are doing compliance well are automating their processes, minimizing the human factor and manual efforts by leveraging third-party technology like DuploCloud’s all-in-one DevOps automation platform. They’re accelerating the audit process and continuously maintaining compliance with security regulations and frameworks.