Blind faith in the power of automation will not ensure happy outcomes. We have to stay in control of our control and ask ourselves questions like:
- Does the automation work as expected?
- Where can we improve?
- Are we creating the proper logging trails?
- Are we complying with the standards we have set and the security levels that are expected of us?
- Do we feel in control of risk?
Let’s not forget we are dealing with services provided by third parties, and it is your responsibility to check their compliance with your standards. Things to check on and demand from your suppliers are:
- Audit/Assessment reports.
- Cloud Provider Certifications.
- Security Scans.
Setting up logging and auditing on IaaS and PaaS is absolutely necessary and requires some attention and configuration. The basic principles of auditing also apply here, but if you are engaging through an MSP you have to make sure everything is on the up-and-up. The CCoE has an important role in supporting teams with design, exchanging knowledge, informing them of product updates on the subject and helping to set up the proper controls.