Proactively Monitor Your Data Compliance Across Cloud Environments

Gautam Kanaparthi
April 12, 2023
Proactively monitoring regulatory compliance posture is a core piece of the holistic data security program. Migration of data workloads to the cloud has led to rapid data proliferation as well as sprawl of data access and privileges, making it challenging for infosec and GRC teams to stay on top of the compliance posture. With the increasing scrutiny from regulatory bodies, stricter enforcement of compliance controls combined with larger financial penalties for violations, uncovering compliance violations faster is a key need for every organization.

However, at many organizations we speak with, compliance assessments and associated activities such as access audit are done manually involving multiple team members over many weeks. While the task of assessment may be achieved this way, it is time consuming, error prone, and quickly gets out of date given how fast things change in the cloud.

Built-in compliance checks

Normalyze now supports automated and continuous assessment of compliance posture across many regulatory benchmarks and best practices frameworks.

The Normalyze security research team has evaluated a variety of compliance frameworks, reviewed each individual control within the framework, identified which of these controls are applicable for the cloud and can be verified programmatically (not just policy based), and built risk checks (rules/policies) within the Normalyze product. 

The number of risk checks available in the product today is over 500, with new checks added every week. The frameworks supported today include: NIST 800-171, NIST 800-53, NIST-CSF, NIST Privacy Framework, GDPR, HIPAA, SOC2, AWS CIS, GCP CIS, Azure CIS, etc.

Continuous and automated compliance assessment

The Normalyze risk scan runs every 15 minutes for all monitored cloud and data assets. Any violation – flagged as a risk in product – is tagged with the applicable compliance framework as well as the individual control that has been violated, so infosec/GRC analysts know right away the impact of this violation on the compliance posture.

Normalyze also provides an executive summary of compliance posture to give security and GRC management a birds-eye view of compliance across their environment. As shown above, this compliance posture can be viewed by monitored account (e.g. prod vs. staging), by individual cloud resource, and by resource tag.

For example, if a customer has tagged any resource that deals with PII data in their environment, they can view the compliance posture of this group of resources by viewing Normalyze’s assessment for the specific tag used.

This continuous and automated assessment removes any scope of manual error and eliminates the need for time consuming manual evaluation. 

Integrated with existing workflows

Similar to other risks detected by Normalyze, all compliance violations also have actions available for analysts to trigger notifications (via email, Slack, etc.) and tickets in ITSM tools such as JIRA. Automations supported by the Normalyze platform today are also available for compliance violations; rules could be created for such violations by tag (e.g. SOC2, NIST 800-171) to ensure that all application violations are automatically queued – via ITSM tools – for the appropriate team to address with priority. 

As with other Normalyze risks, such compliance violations will also have guidance on remediation steps along with commands to run in the cloud environment for resolution.

Try Normalyze in Your Environment!

If this news of automated cloud compliance assessments sounds helpful, we invite you to try Normalyze for free in your own environment. Sign up for our Freemium. Setup takes just 10 minutes, after which you can see for yourself how the power of Normalyze will provide your security teams with 100 percent visibility and control of cloud-resident sensitive data.

Gautam Kanaparthi

Gautam is the Head of Product at Normalyze. He is passionate about building and scaling market-changing cybersecurity products. At Netskope, Gautam built multiple products from the ground up to help the company address new customer problems, including Nextgen Secure Web Gateway, Advanced Analytics, and Malware Scanning. Before Netskope, he was the principal product manager for Symantec Endpoint Security.

FEATURED

Gartner® Innovation Insight: Data Security Posture Management

FEATURED

DSPM-chat-Richard Stiennon-Ravi-Ithal-Normalyze
Improve Cloud Security: Dark Reading Interviews Ravi Ithal