However, at many organizations we speak with, compliance assessments and associated activities such as access audits are done manually, involving multiple team members over many weeks. While an assessment may be completed this way, it is time-consuming, error-prone, and quickly goes out of date given how fast things change in the cloud.
Built-in compliance checks
Normalyze now supports automated and continuous assessment of compliance posture across many regulatory benchmarks and best practices frameworks.
The Normalyze security research team has evaluated a variety of compliance frameworks, reviewed each individual control within each framework, identified which of these controls apply to the cloud and can be verified programmatically (not just policy-based), and built corresponding risk checks (rules/policies) within the Normalyze product.
The number of risk checks available in the product today is over 500, with new checks added every week. The frameworks supported today include: NIST 800-171, NIST 800-53, NIST-CSF, NIST Privacy Framework, GDPR, HIPAA, SOC2, AWS CIS, GCP CIS, Azure CIS, etc.
Continuous and automated compliance assessment
The Normalyze risk scan runs every 15 minutes for all monitored cloud and data assets. Any violation, flagged as a risk in the product, is tagged with the applicable compliance framework as well as the individual control that has been violated, so infosec/GRC analysts know right away the impact of that violation on the compliance posture.
Normalyze also provides an executive summary of compliance posture to give security and GRC management a bird's-eye view of compliance across their environment. As shown above, this compliance posture can be viewed by monitored account (e.g. prod vs. staging), by individual cloud resource, and by resource tag.
For example, if a customer has tagged any resource that deals with PII data in their environment, they can view the compliance posture of this group of resources by viewing Normalyze’s assessment for the specific tag used.
This continuous and automated assessment removes any scope for manual error and eliminates the need for time-consuming manual evaluation.
Integrated with existing workflows
As with other risks detected by Normalyze, all compliance violations also have actions available for analysts to trigger notifications (via email, Slack, etc.) and tickets in ITSM tools such as JIRA. Automations supported by the Normalyze platform today are also available for compliance violations; rules can be created for such violations by tag (e.g. SOC2, NIST 800-171) to ensure that all application violations are automatically queued, via ITSM tools, for the appropriate team to address with priority.
As with other Normalyze risks, such compliance violations also come with guidance on remediation steps, along with commands to run in the cloud environment for resolution.
Try Normalyze in Your Environment!
If this news of automated cloud compliance assessments sounds helpful, we invite you to try Normalyze for free in your own environment. Sign up for our Freemium. Setup takes just 10 minutes, after which you can see for yourself how the power of Normalyze will provide your security teams with 100 percent visibility and control of cloud-resident sensitive data.