AJ Yawn

Rethinking Cybersecurity Compliance: The Underutilized Power of CSP Native Security Services

Live off the land for cloud compliance

October 10, 2023

Compliance is a word that continues to be top of mind for security practitioners around the world. Over the last decade or so, compliance has gone from a once-a-year activity to check a regulatory box to a business enabler that is no longer optional for companies in any industry. SOC 2 is the framework most U.S.-based companies are familiar with because it has become the de facto standard for proving security compliance when one company wants to do business with another. SOC 2 puts a ton of stress on companies because of the evidence requests from auditors, the operational disruption to most departments, and the overall cost of the audit and of the tools that support the security program.

With the increase in compliance requirements to do business in the United States, the compliance technology industry has grown as well, and innovation is at an all-time high. It is not just compliance tools: the security industry in general has seen some amazing advancements that help companies collect technical information to assess whether they are meeting their security safeguards, including those required by compliance frameworks. This advancement in technology has changed the way companies prove compliance. Traditionally, proving compliance meant collecting a bunch of screenshots from different tools and meeting with auditors in person for days to walk through the evidence and answer repetitive questions. Fortunately, nowadays it is a lot easier to collect information because of governance, risk, and compliance (GRC) software tools, security tools, modern human resources and ticketing systems, and other technologies. Since the COVID-19 pandemic, in-person audits have become a thing of the past; audits now take place over Zoom, and shared tools are used to exchange evidence with auditors.

The Challenges with Modern and Traditional Cybersecurity Compliance Methods

One of the toughest parts of running a GRC program, or a security program in general, is the limited budget. Security leaders know the pain of having to explain to business leaders why they need to invest in yet another security tool. Security software can be pretty expensive, and in the compliance industry companies can expect to pay between $20,000 and $30,000 per year to license software that helps manage a compliance program. This is costly. These tools promise a streamlined audit process with limited to no manual evidence collection, but in reality there is always a ton of additional work needed to successfully navigate an audit like SOC 2. There is no perfect tool because a SOC 2 audit is still a subjective exercise with humans involved: different auditors have different skill sets, and different audit firms have different audit and quality-control procedures, which change the type of evidence they will accept.

Let's paint a picture of what this means. You invest $25K in a compliance software tool that sold you on the promise that it would make your audits easier and automate 90+ percent of the evidence your auditors require. In reality, your auditor is the one who determines whether the data that comes out of that compliance tool can be used for the audit. This is a risky and costly investment to make if you are not sure your auditors will accept the information the tool provides.

Now, for those who do not have a compliance tool and are still collecting evidence the traditional way, the challenge is all about time. Audits and other compliance activities are time-consuming and cause a large amount of operational disruption for the organization being audited. For example, a SOC 2 audit can involve people from human resources, engineering, security, legal, risk and compliance, the Board of Directors, executives, and others. Collecting evidence manually without tools typically involves individual security and compliance professionals meeting with members of these departments to discuss how they perform controls, for example meeting with security engineers to determine how network security, logical access, and data protection controls are performed. After this internal meeting, the security engineering team and compliance professionals go through a similar time-consuming walkthrough with the external auditors. Finally, the auditors send over a long request list that requires these same stakeholders to go out and collect evidence from their tools and upload it into yet another tool that the auditors use for review. If there are questions about these items or a lack of understanding, that adds to the time-consuming nature of the exercise.

There is no magic pill that solves the time-consuming nature of a cybersecurity audit. However, there are ways that we, as compliance professionals, can make the exercise a little less painful for the people involved. One way to do that is by utilizing the tools that already exist on the cloud platform we have chosen to host our application. Amazon Web Services (AWS), Microsoft Azure (Azure), and Google Cloud Platform (GCP) are the leading cloud providers in the world, and most companies have decided to host their applications on one of these three. Each of these cloud service providers (CSPs) has invested significantly in building up the security services available to customers hosting data on their platforms. They understand the shared responsibility model very clearly, but they have made a conscious decision to make it easier for customers to uphold their end of that model with built-in, purpose-built security services that solve important security and compliance problems.

Oftentimes companies rush out to invest in the latest and greatest tools to solve security problems when they are probably already paying for, or could pay a fraction of the price for, a similar service on the cloud provider they are using. Similarly, the painful and time-consuming nature of collecting evidence outside of the platform adds work for every stakeholder involved in the audit. Fellow SANS instructor Clay Risenhoover often talks about "living off the land" when it comes to compliance. His viewpoint is that compliance professionals should focus on using tools the teams are already using to collect and validate compliance information: let the engineers use the tools they are comfortable with. This concept is the core of this article. Using native security services in the cloud lets us live off the land and use the tools already available to our organization on the CSP we are already using.

The Advantages of Using Native Security Services For Cybersecurity Compliance

There are four key advantages to using a cloud platform's native security services for compliance:

  • They are designed specifically for the cloud platform
  • Cost-effective
  • Automated data collection and reporting
  • Continuous monitoring and real-time alerts

By opting for security services built directly into the CSP, you can be confident you are using a security tool that was built specifically for how you are using the cloud. For example, most third-party tools make assumptions about how you are using a particular cloud provider. They may have an integration with AWS, but they are only pulling data from specific regions or from a specific type of compute resource such as EC2 instances. But what if you are in a completely serverless environment and are not using EC2 at all? What if your data sits outside the common regions they scan and they do not support the region you are in? These are common problems I have seen, and they can be overcome by using tools purpose-built for the cloud provider. Most of the major cloud providers have security services that cover areas such as vulnerability assessment, intrusion detection, and network security. They also go a step further and offer specific ways to configure these services based on your use case. Good security requires context; security is not one-size-fits-all, and it is tough to get that context when you are assessing from the outside in.

Secondly, cost has come up repeatedly in this article. Most security services on the cloud platforms are not free, and you will incur some costs, but the overall price tag is often a fraction of what you would pay for a third-party tool that may not even be collecting the right data. One useful benefit of using these services specifically to prove compliance to a third-party auditor is that you can turn the service on to collect the information and then turn it off when you are done. The on-demand, pay-only-for-what-you-use nature of the cloud lends itself to those looking to reduce their overall security and compliance budget.

Additionally, collecting evidence in an automated fashion should make the audit process easier with your auditors. The days of sending engineers out with a list of requests and getting back an email with 50 screenshot attachments from the cloud console are over. Use the available security services to run an automated collection of data, or generate an automated report that includes the relevant metadata for the audit, and you are done. Auditors care about completeness and accuracy: they will want to know that the data collected includes all the information necessary for the audit. I encourage companies that adopt this practice of using native security services to educate their auditors on this decision and on the security services they will be using to gather data. Also, collect the evidence or reports on a recorded or live Zoom call with them. These two steps will help ensure your audit team trusts the information collected directly from the cloud provider.

Lastly, if you want a continuous compliance program where you are constantly monitoring for control failures or changes, that can be done easily in the cloud. There are built-in services that let you assess regularly whether controls are operating the way you intended. Having this type of monitoring built directly into the cloud provider is huge. You are not worried about a connection issue between a SaaS tool and the cloud. You no longer worry whether the right data is being collected regularly, because you are monitoring directly at the source. When things change, you can set up alerts to inform you immediately and, in some cases, build in auto-remediation to correct control failures you do not want left exposed.
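As an added example (not code from the article, from SANS, or from any CSP), the Python below turns native compliance evaluations into the kind of evidence package the last three advantages call for: it surfaces in-scope regions that were never collected, summarizes each control across resource types (including serverless ones), seals the package with a hash the auditor can recompute, and flags resources that drifted from compliant to non-compliant between two collections. The evaluation records, rule names, account id and region scope are constructed samples; in a real run they would be pulled per region from the provider's own service (for AWS, e.g. AWS Config).

```python
"""Evidence package built from native CSP compliance evaluations.
All records here are constructed samples, shaped loosely like per-region
rule evaluations from a service such as AWS Config (not real account data)."""
import hashlib
import json

S3_RULE = "s3-bucket-public-read-prohibited"
LAMBDA_RULE = "lambda-function-public-access-prohibited"
# Constructed sample across two regions. The Lambda entries are the serverless
# resources a tool that only inventories EC2 instances would miss entirely.
SAMPLE_EVALUATIONS = [
    {"region": "us-east-1", "rule": S3_RULE, "resource_type": "AWS::S3::Bucket",
     "resource_id": "logs-bucket", "compliance": "COMPLIANT"},
    {"region": "us-east-1", "rule": LAMBDA_RULE, "resource_type": "AWS::Lambda::Function",
     "resource_id": "api-handler", "compliance": "COMPLIANT"},
    {"region": "eu-west-1", "rule": S3_RULE, "resource_type": "AWS::S3::Bucket",
     "resource_id": "exports-bucket", "compliance": "NON_COMPLIANT"},
    {"region": "eu-west-1", "rule": LAMBDA_RULE, "resource_type": "AWS::Lambda::Function",
     "resource_id": "report-worker", "compliance": "COMPLIANT"},
]
# Assumed audit scope; ap-southeast-1 was never collected, which must be surfaced.
EXPECTED_REGIONS = {"us-east-1", "eu-west-1", "ap-southeast-1"}

def coverage_gaps(evaluations, expected_regions):
    """In-scope regions with no evaluations at all: a completeness finding."""
    seen = {e["region"] for e in evaluations}
    return sorted(expected_regions - seen)

def summarize(evaluations):
    """Per-rule counts by compliance state plus the resource types covered."""
    summary = {}
    for e in evaluations:
        row = summary.setdefault(e["rule"], {"COMPLIANT": 0, "NON_COMPLIANT": 0,
                                             "resource_types": set()})
        row[e["compliance"]] = row.get(e["compliance"], 0) + 1
        row["resource_types"].add(e["resource_type"])
    return {rule: {**row, "resource_types": sorted(row["resource_types"])}
            for rule, row in summary.items()}

def _digest(obj):
    # Canonical JSON so an auditor can recompute the hash independently.
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()

def build_evidence_package(evaluations, expected_regions, account_id, collected_at):
    """Bundle raw evaluations with the metadata auditors ask for, then seal it."""
    package = {
        "account_id": account_id,
        "collected_at": collected_at,
        "regions_expected": sorted(expected_regions),
        "regions_missing": coverage_gaps(evaluations, expected_regions),
        "summary": summarize(evaluations),
        "evaluations": [dict(e) for e in evaluations],
    }
    package["sha256"] = _digest(package)
    return package

def verify_evidence_package(package):
    """True if the package still matches the digest recorded at collection time."""
    body = {k: v for k, v in package.items() if k != "sha256"}
    return package.get("sha256") == _digest(body)

def drift(previous, current):
    """Resources that moved from COMPLIANT to NON_COMPLIANT between two collections."""
    def key(e): return (e["region"], e["rule"], e["resource_id"])
    before = {key(e): e["compliance"] for e in previous}
    return sorted(key(e) for e in current
                  if e["compliance"] == "NON_COMPLIANT" and before.get(key(e)) == "COMPLIANT")
```

Running `drift` on each scheduled collection against the previous one gives the alert feed described above, and `verify_evidence_package` lets the auditor confirm the package was not edited after it was collected on the call.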

Conclusion

Cybersecurity compliance audits are not going anywhere. They are only becoming more important, which is why we have seen such rapid growth in innovation in this space. While the innovation is exciting, it is important to examine whether we are investing in tools that duplicate activities we can already accomplish with our cloud provider. Adding tools is not only a costly decision but also increases your attack surface by introducing an additional third party into your data ecosystem. Each of the major CSPs offers native security services that their customers can use to prove compliance with multiple frameworks. In part 2 of this article series, we will examine specifically "How Native Security Services Aid in Compliance Audits." We will discuss example services and use cases that security and compliance professionals can begin using today.

About the Author

AJ Yawn is Partner In Charge, Product & Innovation at Armanino LLP, and a Founding Board Member of the National Association of Black Compliance and Risk Management Professionals (NABCRMP). AJ has earned 6 AWS certifications, including the AWS Solutions Architect-Professional and AWS Security-Specialty. Prior to ByteChek, AJ spent over a decade in the cybersecurity industry, both in the US Army and as a consultant. He is a regular speaker at SANS Cloud Security curriculum events such as the BIPOC in Cloud Forum and the CloudSecNext Summit, and a co-chair of the New2Cyber Summit 2022. Learn more about AJ at https://www.sans.org/profiles/aj-yawn/
