Don’t fear the Auditor–a Trustle customer case study
A customer of ours recently informed us that they were performing their annual audits for the “char salad” (my term) of requirements, from SOC 2 to ISO 27001. Naturally, I assumed I wouldn’t see them for a few weeks and offered to cancel our weekly meetings. Their answer came back (I’m paraphrasing), “Actually, no need–we’ve got it covered.” So I thought, if you’ve got all this time, why not spend it on capturing your audit experience, so I can blog about it? They agreed, so here are a few insights from that discussion.
For their company, the main focus of the audit was their Azure and AWS platforms. The auditors' primary concerns revolved around providing evidence that users were being revoked from customer and administrative groups in a timely manner. It’s worth noting that the auditors ratcheted up the inspection this year and wanted to see more auditing around these groups. In particular, the auditors expected to see when deprovision tasks were created and when they were completed–a kind of “show your work” policy–especially for access control lists (ACLs).
In previous years, this work was intensely manual. It involved the security team cross-checking a sublist of groups against another list (formatted in YAML) to ensure there were no inconsistencies. This was both difficult to edit and error-prone, causing numerous delays. In addition, their home-grown tools were difficult to run.
This year, things went much smoother. In fact, the customer claimed it went “10x” smoother (which, just by the way, is the aspirational industry goal for improvement), with the time required to provide auditors information they requested within minutes, not hours. Obviously, a good portion of this improvement is from the customer’s excellent people and planning. But then, they also credited Trustle and pointed out that as they grow (which they are doing rapidly), not everyone on the team can have the technical wherewithal to handle complex, somewhat arcane, and technical auditing tasks. So having a tool to assist in keeping the environment in check is a huge win.
A couple of particular features that our customer found useful in Trustle (come audit time) are:
- Workflows make it easy to perform monthly audits, which keeps their system always audit-ready
- The ability to search on groups and deprovision users, as needed; they plan to automate this process soon, which will save even more effort
- No need for lengthy and awkward “reach out” discussions to determine whether the user still needs access–it’s all handled in the workflows
- Detect out-of-band permissioning and quickly flag for manager review or access revocation