UPDATED 15:45 EDT / JULY 28 2022

Deloitte helps orgs automate risk management and compliance with AWS audit tool

Audits are an essential, if tedious, part of a company’s risk management strategy. Before the advent of cloud computing, compliance and audit teams had manual procedures and checklists in place to help keep everything under control.

Then, along came cloud with its promises of speed and scalability. Awesome! Except for risk managers, whose physical, stable, on-premises environment morphed into an ever-changing virtual one.

“One of the questions that we often get as an auditor is: ‘How do you maintain a control environment for resources that weren’t there yesterday, but are there today?’” said Shariq Qureshi (pictured, right), senior manager at Deloitte Touche Tohmatsu Ltd.

Qureshi and Merritt Baer (pictured, left), principal, office of the chief information security officer, at Amazon Web Services Inc., spoke with theCUBE industry analyst Dave Vellante at AWS re:Inforce, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the challenges cloud has brought to the risk, compliance and assurance space, as well as how Amazon Web Services Inc.’s Audit Manager can help handle them. (* Disclosure below.)

AWS automates security, compliance and internal audit

The challenges of managing risk in a cloud environment extend beyond its dynamic nature. There’s the ever-increasing onslaught of data to collect and effectively evidence. And, of course, budgets haven’t increased alongside the workload. Siloed teams waste time and money duplicating evidence sets, a problem exacerbated by overlapping global, regional and local regulations.

AWS Audit Manager automates the compliance and audit process, providing risk management teams with relief from the endless task of attempting to create consistency of controls in an inconsistent multicloud environment.

“Audit manager is a first of its kind service,” Qureshi said. “It’s specifically geared and tailored towards the second line, which is security and compliance, and a third line function, which is internal audit.”

Deloitte is a global leader in audit, risk management and assurance advisory and consultant services. The company immediately saw the potential in AWS Audit Manager and guides its customers through design, implementation and ongoing management of control frameworks in Audit Manager customized for each company’s unique security and compliance requirements.

“Just like a cartographer has a map to see the entire view of what he’s designing, Audit Manager does the same thing from a cloud perspective,” Qureshi said.

Most companies have multiple frameworks for SOC-2, GDPR, HIPAA and other regulatory requirements. These are integrated into Audit Manager, allowing organizations to pick one and evaluate their cloud consumption and where they stand in terms of control posture and security hygiene against it. A recently added feature allows users to pull in APIs from third party sources.

“So now you’re not just looking exclusively at one cloud provider; you’re looking at your entire digital ecosystem of services, your tools, your SaaS solutions that you’re consuming to get a full, comprehensive picture of your environment,” Qureshi stated.

Building Audit Manager was not a simple process, according to Baer.

“It’s not a snap of the fingers,” she said. “It takes work to translate between auditors and us [at AWS]; and it also takes work to have customers understand how they can augment the way that they think about compliance.”

Some of the processes are traditional, such as checking internet-facing endpoints and permissions pruning, but Audit Manager includes automated reasoning tools that apply machine learning to audit processes.

“It’s like Euclidean in mathematics,” Baer said. “You don’t go out and try to count every prime number. We accept the infinitude of primes to be true. If you believe in math, then we can reason about it.”

(* Disclosure: Deloitte Touche Tohmatsu Ltd. sponsored this segment of theCUBE. Neither Deloitte nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
