Last Updated on October 27, 2021
In the realm of full stack software development and DevOps, continuous change invalidates conventional, point-in-time audit/compliance evidence. But our industry has yet to bridge the gap between traditional compliance techniques and modern software delivery mechanisms.
Where are we today with ensuring that each build cycle complies with cybersecurity and privacy guidelines? What does a practical “continuous controls monitoring” workflow look like, and what critical issues remain to be solved?
To share the latest ideas and innovations for connecting compliance and DevOps, we invited Raj Krishnamurthy, Founder, CEO and Engineer at ContiNube, to join a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as usual.
The big picture of “compliance meets DevOps”
Picture this simplistic vision for a “compliance meets DevOps” model: Within the moving parts of DevOps processes and continuous compliance/continuous delivery (CI/CD) pipelines, there exists evidence of whether security and compliance controls are in place and executing. This evidence could be things like the output of code scanning tools, or workflows that ensure compliance with a particular standard like PCI-DSS. The evidence gathering process could touch things like a web application firewall, Kubernetes, public cloud services, and more.
Invoked via APIs, more custom tooling and workflows could write this evidence (or test results) to a master platform/database, effectively producing an authoritative, continuous record of control operation. Then additional workflows would operate on the data to meet the needs of DevOps and compliance teams.
Sound like a plan? That’s how ContiNube’s cutting-edge security compliance platform, Compliance Cow, basically works. With its “automated playbooks,” Compliance Cow is designed to make it easier to create compliance controls and workflows that you can tweak, deploy and run at scale in cloud and Kubernetes environments, as well as on-premises.
5 pillars of continuous controls monitoring
Compliance Cow embodies much of what Raj calls the “five pillars” (that is, necessary capabilities) needed for cloud/continuous compliance automation:
1. As a foundation, creating an easier way to create and deploy controls
2. Next, “smart workflows” that can correlate evidence to meaningful signals
3. A drag-and-drop, low/no code interface that enables less technical users to create workflows
4. Guided support for gap remediation, so compliance teams can troubleshoot issues and smoothly affect changes to production environments
5. Easy API-driven access to the entire portfolio of compliance controls
With this approach, a compliance specialist could define a portfolio of compliance controls, and the entire portfolio along with remediation workflows would be “just an API call away” and could be invoked on demand.
Supporting the necessary customization
As you might expect, something like Compliance Cow wouldn’t just be plug-and-play, because of all the diverse tools and services that would potentially need to be connected in each unique environment. Instead, it’s a combination offering of software plus services.
As Raj notes, “We are not just trying to throw you a product and walk away. Neither are we trying to build a consulting services company. We are somewhere in the middle because we are very purpose-built and very purpose-focused on controls automation. The way we engage is to use the product to be able to go deploy and then be able to help customers get to their success milestones.”
In fact, Raj and ContiNube are working to offer these compliance rule sets as open source “reference sets” that would be usable standalone. That way, teams with the skills to “roll their own” won’t even be bound to a ContiNube platform. With this approach, ContiNube would offer a “better managed service” for those who want to consume its compliance code platform via a subscription model.
If that sounds promising and you want to hear the rest of the story, be sure to catch this podcast episode with Raj Krishnamurthy: : EP#61 – Raj Krishnamurthy – Bridging the Gap Between Traditional Compliance & DevOPs – Pivot Point Security