Last Updated on October 20, 2021
In a world where full cycle software development teams release multiple builds to production per day, traditional methods of verifying compliance with cybersecurity and privacy guidelines have fallen by the wayside. A new compliance model is needed—but what should it look like? How do you even begin to model controls in today’s hyper-complex, ultra fast-paced environments, each with its own unique suite of tools and services?
To share the latest ideas and advances on how to span the chasm between time-honored compliance techniques and the fast-paced world of DevOps, Raj Krishnamurthy, Founder, CEO and Engineer at ContiNube, joined a recent episode of The Virtual CISO Podcast. Pivot Point Security CISO and Managing Partner, John Verry, hosts the show.
Key drivers for a new compliance model
Raj and John note three primary drivers for a new compliance model:
- An explosion of applications into the cloud and onto platforms like Kubernetes, along with the “hardware as software” and “software-defined” trends and the proliferation of API-based consumption models for software
- A massive acceleration in the tempo of releasing software projects and products into production
- Changes in how we work together, especially since COVID, with an emphasis on new digital collaboration models/technologies
As an example of how these trends have impacted compliance, John cites the established audit/compliance practice of asking for a screenshot of your firewall: “The reality is that the screenshot of the firewall that I might give you… That firewall configuration that you’re looking at was instantiated and disappeared in a three-hour window. So it just speaks to the impossibility of, from a compliance perspective, relying on traditional artifacts to actually have any idea if we’re really doing what we think we’re doing.”
Creating trust and transparency
“The idea of compliance is to create trust and transparency,” says Raj. “In the new world where things are moving at a very, very rapid clip, we can’t hold onto these traditional notions of trying to check the box and doing an audit once a year—those days are gone; that doesn’t help you at all.”
“At the end of the day, what we are collectively trying to solve, whether you’re sitting in the risk organization, the security organization or the compliance organization, is to fundamentally manage the risk that our organization faces. While the risks, especially in the new model, are changing almost on a minute-by-minute basis,” Raj adds.
Compound that pace of software development activity with rampant business context changes like the incorporation of new technology, new types of data being processed, and new regulations that impact your data. All of which could impact your compliance measurement. You’re talking dozens to hundreds of unique sampling actions per week, just within your software development environment.
What combination of knowledge and technology can bring us to “continuous compliance” in a continuous delivery/continuous delivery (CI/CD) world?
To find out more about how industry leaders like Raj and ContiNube are redefining the future of compliance, tune into this episode from The Virtual CISO Podcast: EP#61 – Raj Krishnamurthy – Bridging the Gap Between Traditional Compliance & DevOPs – Pivot Point Security