Last Updated on October 21, 2021
We need a new compliance model for today’s cloud-first, full cycle software development methods. When “software is eating the world,” checking boxes in an annual audit is no help at all. But what tools and skills will be needed to address this profoundly important problem?
To boil down what it will take to make the leap between old-school compliance techniques and modern DevOps practices, a recent episode of The Virtual CISO Podcast features Raj Krishnamurthy, Founder, CEO and Engineer at ContiNube. The show’s host, as always, is Pivot Point Security CISO and Managing Partner, John Verry.
Envisioning a solution
“What is that gap [between traditional compliance and DevOps practices]?” John asks. “Is it knowledge in the DevOps world? Is it knowledge in the compliance world? Is it technologies on both sides? Or is it some combination of all of these?”
“I would say a combination of all of those,” Raj replies. “I think at a bottom level, our view of the world is that software is eating the world, right? From that perspective, we need to be able to build new tools and techniques. So, there is a basic platform level capability that you’ll have to sort of build out.
“On top of that, I would say that you have to have specific knowledge and skillsets on the runtime capabilities. You can’t have a general posture; you need to be very specific if you’re dealing with, for example, Azure versus AKS versus Kubernetes versus on-premises; could be VMware. You need very specific skills on how we are going to protect your infrastructure, protect your application services. And some of this can be general, but a lot of it requires a specific knowledge. So that’s the second layer.
“The third layer is that security in many cases actually is very transactional. And what compliance brings you is an observability and governance framework. So, in some ways you need to understand these compliance frameworks as well, right. And the industry domain. So, for example, if you’re dealing with PCI DSS, you need a certain knowledge of that industry domain, and you need a certain knowledge of and a commitment to that compliance framework, right?
“So, I would say that you actually have to stack all of those in that order. You need to have the base platform technology level capabilities, and you need to layer on top of that very specific runtime capabilities—whether it is a particular cloud or on-premises data center. On top of that, you need to have very specific security and privacy understanding/capabilities. On top of that, you actually layer the compliance frameworks, which gives you sort of the governance and the observability, and you need to be able to stack all of that. And you need to reasonably be able to understand that stack in order to solve this problem.
“I think that is one of the biggest challenges that is facing the industry, because you’re now talking about a conference of different skillsets that need to come together in order to solve this problem,” concludes Raj.
Meeting in the middle
All these uncommon technology and skill requirements set up a high hurdle for organizations.
“I think you’re looking for unicorns that are spotted and striped,” John observes. “So, it would seem to me that we need to meet in the middle. Because I don’t think one side can make the full leap. But I think we have to get compliance to move in that [DevOps] direction. They have to become more knowledgeable. They have to be comfortable with these conversations, because they have to be able to determine what the right things are to measure.”
“On the flip side, I think we’ve got to get the DevOps guys to understand what we’re trying to accomplish on the compliance side,” notes John. “And I think we’ve got to move them a little bit more towards understanding those requirements. What those regulations are, what the expectations are around… Whether it’s OWASP ASVS, whether it’s payment card industry, whatever those standards… Might be PI right now; obviously the personal information laws and regulations are a hot topic for SaaS firms.”
In Raj’s view, DevOps, compliance, platform engineering and related disciplines all have a role to play. The question is how all these roles and skills can come together around a common way of collaborating and a “single source of truth.”
“In other words, you need the DevOps person to be able to see and understand—and consume the benefits of compliance—without having to become an expert on compliance,” asserts Raj. “And you need the compliance person to consume and monitor the DevOps and security challenges without having to become a DevOps or security expert. And I think that’s an interesting challenge and a problem too, for us to solve.”
To find out more about how Raj Krishnamurthy and other thought leaders are envisioning a new way to achieve compliance in the midst of constant change, listen in on this episode from The Virtual CISO Podcast: EP#61 – Raj Krishnamurthy – Bridging the Gap Between Traditional Compliance & DevOPs – Pivot Point Security