• Chief Risk Officer. Auditors are still responsible for working
cross-functionally to help the organization understand and interpret
compliance requirements, for facilitating regular audits, and for
representing the company with external auditors.
With that, what’s changed? From a regulatory and standards compliance
standpoint, nothing. The business is still responsible for ensuring its
applications and services remain compliant with applicable regulations and
standards.
The big change, of course, is where your workloads are running. For the
purpose of this article, let’s say you are migrating your applications and
data to Amazon Web Services. No matter why you’re moving to AWS, the move
introduces significant challenges to achieving and maintaining compliance,
including:
• Experience. Most IT teams were assembled to build and maintain
applications running in existing data centers. Moving to AWS means
re-training, trial and error, adopting a DevOps culture to truly automate
the pipeline, new tools, etc. It takes time to re-train a development team
to achieve a high level of competence and productivity. That dynamic
environment creates opportunities for controls to veer out of compliance.
Wouldn’t it be great if you knew when that happened?
• Configuration management and validation. One of the benefits of AWS
is the agility it introduces to the business. You can move more quickly
than ever before because it’s simply easier to spin services up and down
to test ideas. Automation is a beautiful thing! But a side effect of moving
quickly is often the loss of control as configurations and services change.
• New tools. CTP recommends a number of tools with our Minimum Viable
Cloud (MVC) design to help with security, configuration management, and
compliance. But these tools are likely new to the organization.
You need time to learn how to configure, test, run, remediate, validate
and document, before feeling comfortable that you have the right controls
and visibility in place to achieve and maintain compliance against
applicable standards and frameworks.
• Uncertainty. Will you be able to achieve the same level of visibility and
control over your environment, applications, services and processes as
you’ve had in the past? As senior leaders become more and more
accountable for compliance, the need to provide that executive-level
visibility becomes more urgent. Uncertainty won’t cut it for long.
If you don’t deal with these challenges head-on, you could be at a higher
risk of being out of compliance and, worse yet, not knowing it until you
begin preparing for an audit in six months.
What happens next?
We encourage our clients to consider a continuous, data-driven approach by
SUMMER 2017 | THE DOPPLER | 23