Ops and security people are familiar with the hassle: compliance audits. Whether it is SOC2, HIPAA, or some other compliance framework, they all require collaboration between teams to gather evidence, which often results in Jira issues and lots of screenshots. They even put roadblocks in the way of devs getting things done.
All this hassle has undesired outcomes for engineers. Software engineering becomes a manual data entry job that is repetitive and error-prone. The real value behind these compliance frameworks is lost. Instead of focusing on protecting the safety and privacy of clients' data, engineers spend their time on useless chores and build invisible walls between themselves and the security team.
So, why not automate?
If only it were that easy, right? We agree. It is still hard, even today. But we have made progress thanks to the DevOps movement. Automation is the main principle in DevOps, and DevSecOps extends the idea to security and compliance operations.
Two complementary approaches
Modern compliance is different from old-school compliance. It has to be. Compliance is mandatory for many companies, and development speed is why we are investing so much in DevOps. We cannot slow down development and operations to ensure safe changes, but to reach more customers, speed and compliance need to coexist. So, how do we achieve that?
There are two ways to achieve compliant and secure development in the modern world.
- Embedding compliance into IaC
- Recording resource configuration changes
Embedding compliance into IaC
One popular approach has been to take infrastructure as code as the building block and check for potential issues before they go to production. DevSecOps requires considering security during the development phase. Embedding security into pipelines and IaC repositories is key to shifting security and compliance left. The most important advantage of this approach is that teams can detect and avoid potential vulnerabilities before they go to production.
We encounter two “as code” approaches in modern compliance. One is Policy as Code and the other is Compliance as Code. Policy as code is automated enforcement for compliance, security, and operational excellence, as defined by HashiCorp. Compliance as code is very similar but focuses only on automating compliance using code. We will talk more about compliance as code in an upcoming blog post. For now, just know that both policy as code and compliance as code are about reducing manual actions for compliance audits and breaches.
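A pre-production check of this kind, sketched as an added example (not code from this post, Resmo, or HashiCorp): it reads a plan in the JSON shape produced by `terraform show -json` and fails the pipeline when a planned resource breaks a rule. The two rules, the `POLICIES` table, and the sample plan are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json` output; names are made up.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["create"], "after": {"acl": "private"}}},
  {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
   "change": {"actions": ["update"], "after": {"acl": "public-read"}}},
  {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
   "change": {"actions": ["create"], "after": {"type": "ingress", "from_port": 22,
              "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}}},
  {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
   "change": {"actions": ["delete"], "after": null}}
]}""")

def s3_not_public(after):
    if after.get("acl") in ("public-read", "public-read-write"):
        return f"bucket ACL is {after['acl']}"

def no_world_open_ssh(after):
    # Values not known until apply show up as null in the plan; treat them as no match.
    lo, hi = after.get("from_port") or 0, after.get("to_port") or -1
    if (after.get("type") == "ingress" and lo <= 22 <= hi
            and "0.0.0.0/0" in (after.get("cidr_blocks") or [])):
        return "SSH (22) open to 0.0.0.0/0"

# Hypothetical policy set for this example, keyed by Terraform resource type.
POLICIES = {
    "aws_s3_bucket": [s3_not_public],
    "aws_security_group_rule": [no_world_open_ssh],
}

def evaluate(plan):
    """Return (address, message) for every planned resource that breaks a policy."""
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        # Deletions and no-ops introduce no new configuration to check.
        if after is None or not {"create", "update"} & set(change.get("actions", [])):
            continue
        for policy in POLICIES.get(rc["type"], []):
            message = policy(after)
            if message:
                violations.append((rc["address"], message))
    return violations

if __name__ == "__main__":
    # A non-empty report is printed and gives exit status 1, which fails the CI job.
    raise SystemExit("\n".join(f"DENY {a}: {m}" for a, m in evaluate(SAMPLE_PLAN)) or 0)
```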
Recording resource configuration changes
This is where Resmo comes into play. We want to change how companies of all sizes that run in the cloud and rely on powerful SaaS services approach compliance. The API-driven world offers many possibilities, and we want our clients to leverage that.
The first approach we mentioned focused on catching potential issues before they go to production. But the reality is you can’t always ensure that. There are three main challenges.
- Many tools don’t have infrastructure as code implementations. Many teams don’t have the time to implement these integrations from scratch.
- Some tools or configuration changes can’t be achieved using APIs.
- Tools like Terraform or AWS CDK are popular, but it takes a lot of work to follow the best practices. You can’t ensure there are no manual changes.
As a result, compliance is still a challenge for many companies. The obvious solution is to record resource configurations and their changes over time. In another blog post, we talked about this in detail. Resources like GitHub repos, Jira users, Amazon S3 buckets, or Slack apps are accessible via APIs. The challenge is that in the modern world there are too many types of resources, and there is no easy way to query this configuration change data, get alerted on it, or create compliance audit reports from it. This is the problem we are trying to solve. We want to ensure teams have visibility into changes made in their dev and ops environments. If something is not going right, they get alerted as soon as possible and can take action. This approach also means getting everything in place to make automated compliance audit reports a reality, i.e., many CSA or SOC2 audit questions can be answered in an automated fashion.
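Recording configuration over time, sketched as an added example (not Resmo's implementation): each poll of a resource is stored only when its configuration differs from the last snapshot, and the history is then read back with SQL to list field-level changes. The table layout, the resource ID format, and the polled values are assumptions made for illustration.

```python
import hashlib
import json
import sqlite3

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE snapshots (resource_id TEXT, seen_at TEXT, digest TEXT, config TEXT)")
    return db

def record(db, resource_id, seen_at, config):
    """Store a snapshot only when the config differs from the last one recorded."""
    body = json.dumps(config, sort_keys=True)  # canonical form: key order is not a change
    digest = hashlib.sha256(body.encode()).hexdigest()
    last = db.execute(
        "SELECT digest FROM snapshots WHERE resource_id = ? ORDER BY seen_at DESC LIMIT 1",
        (resource_id,)).fetchone()
    if last and last[0] == digest:
        return False
    db.execute("INSERT INTO snapshots VALUES (?, ?, ?, ?)", (resource_id, seen_at, digest, body))
    return True

def changes(db, resource_id):
    """Return (seen_at, field, old, new) for each field that changed between snapshots."""
    rows = db.execute(
        "SELECT seen_at, config FROM snapshots WHERE resource_id = ? ORDER BY seen_at",
        (resource_id,)).fetchall()
    out = []
    for (_, prev), (ts, cur) in zip(rows, rows[1:]):
        prev, cur = json.loads(prev), json.loads(cur)
        for key in sorted(prev.keys() | cur.keys()):
            if prev.get(key) != cur.get(key):
                out.append((ts, key, prev.get(key), cur.get(key)))
    return out

# Constructed poll results for one hypothetical GitHub repo (not real data).
RESOURCE = "github:repo/example-org/api"
POLLS = [
    ("2021-01-10T09:00:00Z", {"private": True, "branch_protection": True}),
    ("2021-01-10T10:00:00Z", {"branch_protection": True, "private": True}),   # unchanged
    ("2021-01-10T11:00:00Z", {"private": False, "branch_protection": True}),  # made public
]

def demo():
    db = open_store()
    stored = [record(db, RESOURCE, ts, cfg) for ts, cfg in POLLS]
    return stored, changes(db, RESOURCE)

if __name__ == "__main__":
    print(demo())
```

The change list is the raw material for both alerting (a repo flipping from private to public) and audit evidence (when a setting changed and what it was before).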
Compliance doesn’t have to suck!
In this blog post, we briefly mentioned two complementary approaches to compliance for modern development teams. First, we should embed compliance checks into our IaC repositories to catch problems before they arise. Second, we should collect all resource configuration changes in one place and get automated compliance reports easily. More than that, teams will have a place to dig deeper into issues and never miss key vulnerabilities that they can’t catch manually.
Resmo is launching in early 2021 in beta. One-click integrations with AWS, GitHub, Kubernetes, and more give visibility into your complex DevOps environments. You will be able to query this data using SQL and get alerted. Besides, integration and compliance reports make audits a breeze. Sign up for early access and get 6 months free after the beta period!