An increasing number of companies and other enterprises are reducing their costs by migrating portions of their information technology infrastructure to cloud service providers. For example, virtual data centers and other types of systems comprising distributed virtual infrastructure are coming into widespread use. Commercially available virtualization software such as VMware® vSphere™ may be used to build a variety of different types of virtual infrastructure, including private and public cloud computing and storage systems, distributed across hundreds of interconnected physical computers and storage devices. Cloud service providers build and maintain such systems.
In cloud-based system arrangements of the type described above, enterprises in effect become tenants of the cloud service providers. However, the enterprises ultimately remain responsible for compliance issues. More particularly, the enterprises are generally still responsible for performing governance, risk management and compliance (GRC) audits, and for proving compliance with relevant industry control standards such as PCI, and government regulations such as HIPAA, even though the enterprises have outsourced portions of their information technology infrastructure to the service providers. This creates a problem, in that it can be very difficult for the enterprises to verify that the service providers have the appropriate controls in place, and to establish sufficient levels of trust in the service providers with respect to ongoing implementation of such controls.
Because a given enterprise does not own the information technology infrastructure it is attempting to verify, it often has to rely on a manual compliance audit performed by the service provider or an authorized representative of the service provider, or by an independent third party. Such audits are usually labor-intensive and costly, and are therefore typically done on an infrequent basis. Also, the enterprise has to implicitly trust the findings of an auditor. When the verification of controls is done manually the audit results may contain errors and omissions, may be too coarse-grained, and may not be “real time” (i.e., completely current). The manual auditing process may have occurred days or even weeks before and therefore may have missed any transient non-compliance.
Similar problems arise with regard to verification of other types of controls, such as adherence of the service provider to a service level agreement.
In view of the above, a need exists for an improved approach to verification of controls in cloud-based systems and other types of information technology infrastructure.