DevSecRegOps: An Integrated Approach to Shifting Left on Compliance in the Cloud

Aditya Jayanthi

Feb 27, 2023

DevOps began to emerge around the late aughts to address a real or perceived dysfunction in the IT industry around how systems were developed and operated in silos that rarely spoke to each other and often had conflicting priorities. DevOps sought to establish a methodology to promote shared responsibility, automation, and rapid feedback among diverse teams with the aim of sustainable software management. As the practice became more commonplace, teams saw the benefit of extending it to other domains such as security leading to the evolution of DevSecOps.

One key trend that the DevOps approach promoted was around shifting left as developers figured it was more advantageous to build right from start rather than fix after deployment. This trend only accelerated with the adoption of DevSecOps as retrofitting security is even more disruptive.

However, there is one domain that has consistently remained an afterthought. ‘Compliance’ often gets grouped as part of governance, which, by definition, is an oversight function that provides advice, monitoring, review, and corrective actions. When it comes to cloud adoption, the governance process becomes a non-negotiable and critical part of success; compliance, however, becomes more than oversight. It stops being an a posteriori activity and needs to be embedded across the application development lifecycle, i.e., it must shift left.

Compliance Challenges in Cloud Adoption

The modern cloud computing paradigm has existed at least since the mid-2000s although its origin goes back to the 1990s. However, even today there are significant inhibitors to cloud adoption at scale, especially in large organizations operating in regulated industries.

CIOs and CISOs often cite a lack of cloud compliance strategy as a key inhibitor, but what makes it a challenge? Why is coming up with an effective compliance strategy difficult?

Challenges

  • Managing operational risk with third parties including CSPs and ecosystem partners to enable effective use of the cloud.
  • Identifying common standards and policies to apply to the cloud across various business use cases and enforcing them consistently across hybrid and diverse environments.
  • Enforcing zero trust in hybrid and multi-party environments.
  • Maintaining effective threat-informed cyber risk management across an ever-expanding attack surface.
  • A chronic talent shortage.

How to Shift-Left: DevSecRegOps Approach

Driving effective technology compliance in such a challenging environment requires the adoption of shared responsibility and collective action. An approach using shift-left principles and integrating regulatory compliance into DevSecOps (i.e., ‘DevSecRegOps’) aims to deliver effective compliance. But before we define the approach, let us first define what we mean by compliance in the cloud. It refers to the activity of building, testing, deploying, continuously monitoring, and managing technology in accordance with applicable requirements, specifically those of regulatory or industry standards such as NIST, PCI DSS or financial regulators (e.g., MAS TRM, PRA or NY DFS).

Today, this is done by analyzing running production environments to assess compliance. This means that fixing any compliance gaps is expensive and often requires retrofitting systems to requirements they were never intended to support, leading to complex and janky systems that end up less secure and less resilient.

DevSecRegOps Framework

This framework defines a strategic approach for managing cloud compliance using the principles of shift-left and defining ‘DevSecRegOps’ to effectively automate and enforce cloud compliance. There are four (4) key steps in the framework:

1. Identification: The first step is to identify your compliance obligations. These could be driven by financial regulators in industries such as banking (e.g., PRA in the UK, NY DFS in the US or MAS TRM in Singapore) or by government regulatory guidelines such as NIST and FedRAMP in the US. These might often be indirect obligations, i.e., a client consuming your services might have to demonstrate this compliance. In large enterprises there could be multiple regulatory obligations, which are often aggregated and expressed in internal policies and standards.

Identification of compliance obligations allows you to set an effective baseline against which you can assess applicability. Make this a part of the initial requirements gathering phase to ensure the team is aware of the obligations before they begin designing, prototyping or building an MVP. Do note that at this stage the team may not build against any specific compliance requirements; the goal is clear identification and awareness so that they can incorporate the requirements into the design.

2. Assessment (Applicability): Compliance requirements are, by definition, technology agnostic and broad, as they must be applicable across a diverse technology landscape. The challenge when communicating the requirements to teams is to contextualize them so that they are specific to the cloud services and technology stack used in the application. This requires interpreting the intent of the control objectives and a deep understanding of the cloud services and application technology stack in order to codify and map technical control checks that fulfil each control objective.

This can be a central function that analyzes regulatory guidelines, industry standards or internal policy statements and maps them to various cloud services and technology stacks to create a common control library that can be used by all teams in the organization to assess applicability. However, given the pace of innovation in the public cloud and diversity of technology stacks, this exercise often ends up slowing down cloud adoption in organizations.

Fortunately, you can leverage competent third parties with predefined control libraries, with one caveat: a library of controls that is not context specific would only end up driving alert fatigue by overwhelming teams with alerts that lack context. You need someone who can provide context-specific, actionable intelligence that allows teams to develop at pace.

3. Measurement: As the saying goes, ‘we can’t manage what we can’t measure’; however, it is equally important how we measure. In the (in)famous example of measurement error, NASA lost one of its spacecraft (a Mars orbiter) because different teams involved in the build used different units of measurement for force. Standardization is the key to the success of cloud compliance programs. Any compliance assessment tool you choose should be fully automated and capable of being embedded into CI/CD pipelines. It should provide timely feedback and support the iterative development approach of DevSecRegOps.

The measurement reports should also be persona specific. There is little value in giving developers a detailed regulatory framework report that outlines every clause. They need a prioritized, threat-informed list of issues so that they can focus on fixing the issues with the most impact on the overall security and compliance posture.

4. Management: Compliance is not a point-in-time exercise. Every regulator or industry body looks for a process that is applied consistently and continuously. Continuous management of compliance, especially if the process has shifted left and is embedded across the application development lifecycle, results in a more predictable outcome. The key point to note is that such a process should have minimal overhead, as any process that hinders the pace of delivery would eventually become a bottleneck, and teams will find a way to work around it rather than work with it.
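As an added example (not the page's or letsbloom's code) of what steps 2 and 3 look like as code: a small control library maps control objectives to technical checks on a generic resource model, assesses an inventory, and produces persona-specific output plus a CI/CD gate. The NIST SP 800-53 control IDs are real; the resource model, the checks, the severities and the sample inventory are this example's own assumptions.

```python
"""Compliance-as-code sketch for the assessment and measurement steps. Added
example, not letsbloom's code; the control-to-check mapping is our own."""
from collections import namedtuple

# Control library: objective -> (resource type it applies to, check, severity).
# IDs are real NIST SP 800-53 controls; severity is the threat-informed priority.
CONTROL_LIBRARY = {
    "SC-28 Protection of information at rest":
        ("storage", lambda r: r.get("encrypted") is True, "high"),
    "SC-8 Transmission confidentiality":
        ("endpoint", lambda r: float(r.get("tls_min_version", "0")) >= 1.2, "high"),
    "AC-6 Least privilege":
        ("role", lambda r: "*" not in r.get("actions", []), "high"),
    "AU-2 Event logging":
        ("storage", lambda r: r.get("access_logging") is True, "medium"),
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
Finding = namedtuple("Finding", "resource control severity")

def assess(resources):
    """Apply each control only to the resource types it is applicable to."""
    findings = []
    for res in resources:
        for control, (kind, check, severity) in CONTROL_LIBRARY.items():
            if res["type"] == kind and not check(res):
                findings.append(Finding(res["name"], control, severity))
    return findings

def developer_report(findings):
    """Developer persona: a prioritized fix list, highest severity first."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.resource))
    return [f"{f.severity.upper()}: {f.resource} fails {f.control}" for f in ordered]

def posture_report(findings, resources):
    """Risk-officer persona: (passing, in-scope) resource counts per control."""
    scope = {c: sum(r["type"] == k for r in resources) for c, (k, _, _) in CONTROL_LIBRARY.items()}
    return {c: (n - sum(f.control == c for f in findings), n) for c, n in scope.items()}

def pipeline_gate(findings):
    """CI/CD gate: fail the stage when any high-severity control is unmet."""
    return not any(f.severity == "high" for f in findings)

# Constructed sample inventory, as a pipeline might export it before deploy.
SAMPLE_RESOURCES = [
    {"type": "storage", "name": "cust-data", "encrypted": False, "access_logging": True},
    {"type": "storage", "name": "logs-archive", "encrypted": True, "access_logging": False},
    {"type": "endpoint", "name": "api-gw", "tls_min_version": "1.0"},
    {"type": "role", "name": "deploy-role", "actions": ["s3:GetObject"]},
]
```

Run against the sample inventory, the same three findings feed a short prioritized list for developers, a per-control pass count for the risk officer, and a failing gate for the pipeline.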

letsbloom Advantage

At letsbloom, we aim to provide effective cloud compliance management for any workload, on any public cloud, using any cloud service and against any regulatory guideline, industry-standard or benchmark. We have mapped all major compliance control objectives in our common control library and codified them on our platform to help organizations continuously monitor and manage their cloud compliance.

Our platform comes with prebuilt reports and dashboards to cater to all personas be it a developer, risk officer, security analyst or CXO. The platform can be integrated into any CI/CD pipeline and provides timely and context-specific actionable intelligence to the teams to ensure effective management of compliance posture.

You can try letsbloom compliance observability for your cloud workload at www.letsbloom.io/contact-us.