Audits are stressful. If your organization is subject to regulatory compliance rules, chances are you’ve experienced firsthand how time-consuming and painful they can be. Preparing for and satisfying an audit is often a multi-month process with e-mails and documents flying between auditors, compliance officers, information security professionals, and the teams responsible for your infrastructure and applications. Even after successfully passing an audit, many organizations struggle with ensuring systems remain compliant. The problem is therefore twofold: how can you make audit preparation and execution more straightforward, and how can your organization ensure compliance is maintained between audits?
To solve both of these problems, your organization must have a way to continuously and automatically assess environments’ compliance at every stage of the development lifecycle all the way through to production. We call this capability continuous compliance. How do you best achieve this capability?
To understand the importance of continuous automation, Verizon’s Payment Security Report provides valuable context. The report focuses on organizations that had previously passed a PCI-DSS audit, and tracks how well they performed on interim assessments in preparation for their next audit. While trends have been improving year over year, the most recent report showed that in 2016, only 55% of organizations surveyed were shown to be compliant in their assessment, after previously passing an audit.
What’s more, those enterprises that failed their assessments have also seen their control gap, or the percentage of failing controls, has been growing over the same period. The widening control gap can have stark implications for organizations, who will need to budget more hours and resources to remediating those failed controls to bring themselves back into compliance.
This is an alarming, if not surprising trend. Cloud computing and container technologies have drastically lowered the barrier to being able to create and grow environments quickly, and customers in turn have come to expect faster and faster iteration. Every configuration change and application update brings with it the risk of impacting your compliance state. Conventional wisdom has dictated that the greater the rate of change in your organization, the greater your risk of invalidating your audits. This has left many organizations with an unenviable decision to make: do they slow down their pace of development and risk being outpaced by competitors, or do they increase their velocity and risk compliance slippage as a result?
Continuous automation provides a third option. Instead of sacrificing your rate of innovation or your compliance rigor, you can solve for both concerns by evaluating compliance continuously from early development all the way through production, ensuring that every change you make provides real-time feedback on its compliance impact. Chef recently conducted a survey where respondents were asked how they determine the current state of their compliance. Roughly half required ad-hoc evaluation of target systems, either manually or via a scanning utility. Nearly a third relied on reports from previously run audits. In either case, compliance slippage is all but guaranteed. Ad-hoc assessments provide only a snapshot of a subset of your systems, and don’t provide a complete picture if not run continuously across your environments. Similarly, historical audit data can only be fully trusted insofar as environments have remained static since the report was generated, something few organizations can take for granted.
By contrast, around 20% of respondents reported that they have the ability to automate compliance assessment with on-demand reporting across their environments. It should come as no surprise that roughly the same percentage of respondents reported that they’re able to assess compliance daily or better. By automating compliance assessment, you have the ability to evaluate your environments as often as changes are applied, ensuring you never lose sight of any impactful updates. Shifting compliance left, or applying controls earlier in the development lifecycle, ensures that impactful issues are detected early, where they can addressed before making their way into production in the first place.
Passing an audit is just the beginning of ensuring compliance is maintained on an ongoing basis. Automating your compliance evaluation gives you the ability to continuously scan environments, and validate that systems remain compliant over time, and that audit-impacting changes can be identified and remediated as soon as they occur. Continuous automation also ensures that you can prepare for future audits with confidence that your systems will pass regulatory muster.