The Doppler Quarterly Summer 2017 - Page 25

• Chief Risk Officer. Auditors are still responsible for working cross-functionally to help the organization understand and interpret compliance requirements, for facilitating regular audits, and for representing the company with external auditors.

With that, what’s changed? From a regulatory and standards compliance standpoint, nothing. The business is still responsible for ensuring its applications and services remain compliant with applicable regulations and standards. The big change, of course, is where your workloads are running. For the purpose of this article, let’s say you are migrating your applications and data to Amazon Web Services.

No matter why you’re moving to AWS, the move introduces significant challenges to achieving and maintaining compliance, including:

• Experience. Most IT teams were assembled to build and maintain applications running in existing data centers. Moving to AWS means re-training, trial and error, adopting a DevOps culture to truly automate the pipeline, new tools, etc. It takes time to re-train a development team to achieve a high level of competence and productivity. That dynamic environment creates opportunities for controls to veer out of compliance. Wouldn’t it be great if you knew when that happened?

• Configuration management and validation. One of the benefits of AWS is the agility it introduces to the business. You can move more quickly than ever before because it’s simply easier to spin services up and down to test ideas. Automation is a beautiful thing! But a side effect of moving quickly is often the loss of control as configurations and services change.

• New tools. CTP recommends a number of tools with our Minimum Viable Cloud (MVC) design to help with security, configuration management, and compliance. But these tools are likely new to the organization. You need time to learn how to configure, test, run, remediate, validate and document, before feeling comfortable that you have the right controls and visibility in place to achieve and maintain compliance against applicable standards and frameworks.

• Uncertainty. Will you be able to achieve the same level of visibility and control over your environment, applications, services and processes as you’ve had in the past? As senior leaders become more and more accountable for compliance, the need to provide that executive-level visibility becomes more urgent. Uncertainty won’t cut it for long.

The implications of not dealing with these challenges head-on could be that you are at a higher risk of being out of compliance and, worse yet, not knowing until you begin preparing for an audit in six months.

What happens next?

We encourage our clients to consider a continuous, data-driven approach by