Building Continuous Compliance into DevOps
Source: devops.com
You’ve probably already heard of the importance of continuous integration and continuous delivery. But the importance of continuousness doesn’t end there. It extends to every component of the software delivery process, including compliance.
To illustrate the point, this article looks at what continuous compliance means and how to achieve it.
Defining Regulations and Compliance
Regulations and compliance are two sides of the same coin. Regulatory bodies put in place regulatory laws and policies that are aimed at the benefit of the broader economy and end consumers. Organizations under the purview of these regulatory bodies must put a compliance framework in place to meet regulatory requirements.
Here are three of the most widely applicable regulatory requirements that organizations commonly need to adhere to today:
HIPAA, or Health Insurance Portability and Accountability Act, is applicable to healthcare organizations. It concerns the handling and protection of PHI data (Protected Health Information). The costs for mishandling healthcare data are steep for users. According to research done by Accenture, 26% of healthcare consumers were subject to data breaches, and it cost each victim an average of $2,500. Stats such as this make a strong case for HIPAA compliance.
The PCI DSS (Payment Card Industry Data Security Standard) is a regulation for the financial services sector. It governs the use and handling of users’ financial data, such as credit card information and bank account information.
The GDPR (General Data Protection Regulation Act) went live in the European Union in mid-2018. It defines policies related to how organizations handle data of users in the European Union. This includes giving customers the right to erase all their data from a company to ensure the organization doesn’t have indefinite possession of the data and to ensure confidentiality of users’ private information.
Why Continuous Compliance?
Cloud-native computing brings new complexities to how applications are delivered and how they handle user data. For starters, the scale of data flowing through the system at any given time is now much higher. How organizations and their applications manage this data is critical to compliance.
Audits can be outdated the very next day when dealing with such dynamic systems. For example, when new releases are deployed continuously, it’s easy for one release to expose an endpoint to a third-party application and leave sensitive data accessible to outsiders.
The regulatory requirements themselves change every few months. It’s important to keep track of these changes and adapt your systems to still be compliant. In light of this, it’s necessary to adopt continuous compliance as part of any DevOps workflow.
Achieving Continuous Compliance
Two Goals: Security and Speed
It’s easy to think of compliance as being about simply meeting regulatory requirements. However, this is far from true. When done properly, compliance also empowers your organization to operate at a pace that encourages innovation. Every organization that adopts DevOps wants to be secure and move fast at the same time. Continuous compliance is the way to achieve both these goals.
Compliance from Day One
Usually, compliance is an afterthought. However, continuous compliance requires that DevOps teams start their design and development with compliance in mind. This includes having clarity on the exact requirements, down to the fine details. With this in mind, the team can move forward to build applications that meet these requirements. To have this kind of clarity, the various teams, including business leaders, need to speak a common language and have common terms to describe the different parts of compliance.
Testing is essential to compliance. In the DevOps world, testing has undergone numerous changes. The good thing is that these changes all support continuous compliance. First, testing has shifted to the left of the development pipeline. With testing happening earlier, it’s easier to catch errors and vulnerabilities before they reach production. Second, tests are increasingly automated. This makes them predictable, measurable, repeatable and compliance-friendly.
Your compliance verification and enforcement process should be as automated as possible. Toward this end, integrating compliance checks into the CI/CD pipeline is a best practice. For example, make vulnerability scanning part of the CI/CD process by integrating it with your CI server so that checks are performed at build time automatically.
The Right Data Hierarchy
All data isn’t equally important. Some data is more sensitive. This is why you need to organize and categorize all the data in your systems. Once categorized, you can define policies to govern different types of data. This includes encrypting data at the appropriate level—and not just in transit, but also when data is at rest.
Track Access Control
In the effort to achieve control over compliance, identity and access management (IAM) plays a critical role. It helps define who is allowed to access data and what changes they’re allowed to make. When assigning access, it’s important to assign it according to teams or roles and not according to individuals. This makes IAM policies scalable and easier to control. Putting in place streamlined IAM policies negates the need to share passwords and other sensitive information. Every user can access only the data they need, and not more. This is the principle of least privilege in action.
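The three practices above (compliance checks as a build-time CI/CD step, policies keyed to a data classification, and access granted to roles rather than individuals) can be expressed as a single policy gate. The following is an added example, not code from the article or from any vendor: a hypothetical manifest format and policy tiers are assumed, and the sample manifest is constructed.

```python
"""Compliance gate meant to run as a CI step: evaluates a deploy manifest
against data-classification, encryption and IAM rules before the release proceeds."""
import sys

# Hypothetical policy per data class: which controls are mandatory.
REQUIRED_CONTROLS = {
    "phi":    {"encrypted_at_rest", "encrypted_in_transit", "private"},  # HIPAA-scoped
    "pci":    {"encrypted_at_rest", "encrypted_in_transit", "private"},  # PCI DSS-scoped
    "pii":    {"encrypted_at_rest", "encrypted_in_transit"},             # GDPR-scoped
    "public": set(),
}

# Constructed sample manifest, not taken from any real deployment.
SAMPLE_MANIFEST = [
    {"name": "patient-records-db", "data_class": "phi",
     "controls": {"encrypted_at_rest", "encrypted_in_transit"},
     "public_endpoint": True,                       # violation: exposes PHI
     "access": ["role:clinicians", "user:alice"]},  # violation: per-user grant
    {"name": "marketing-site", "data_class": "public",
     "controls": set(), "public_endpoint": True, "access": ["role:web-team"]},
    {"name": "card-vault", "data_class": "pci",
     "controls": {"encrypted_at_rest", "encrypted_in_transit"},
     "public_endpoint": False, "access": ["role:payments"]},
]

def evaluate(manifest):
    """Return a list of (resource, finding) tuples; an empty list means compliant."""
    findings = []
    for res in manifest:
        required = REQUIRED_CONTROLS.get(res["data_class"])
        if required is None:
            findings.append((res["name"], "unclassified data: classify before deploy"))
            continue
        have = set(res["controls"])
        if not res["public_endpoint"]:
            have.add("private")
        for control in sorted(required - have):
            findings.append((res["name"], f"missing control: {control}"))
        # Grants must target roles or teams, never individuals.
        for grant in res["access"]:
            if grant.startswith("user:"):
                findings.append((res["name"], f"per-user grant not allowed: {grant}"))
    return findings

def ci_gate(manifest):
    """Exit status for the pipeline step: 0 = proceed, 1 = block the release."""
    findings = evaluate(manifest)
    for name, msg in findings:
        print(f"FAIL {name}: {msg}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(ci_gate(SAMPLE_MANIFEST))
```

Wired into the CI server as a step that runs on every build, a non-zero exit blocks the release that would have exposed sensitive data.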
Track Change History
Beyond IAM policies, it’s essential to maintain a change history for all users and parts of the system. The best way to implement this is to use log data as the source of truth. It delivers deeper visibility than monitoring events alone and helps to troubleshoot incidents. Logs have always been a cornerstone of good compliance, and in today’s cloud era, they continue to play a key role.
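Treating the audit log as the source of truth means the change history of any resource, and its configuration at any point in time, can be rebuilt by replaying it. The following is an added example, not from the article: the JSON-lines audit format is hypothetical and the log entries are constructed.

```python
"""Rebuild a resource's change history from audit log lines and replay it
to recover the configuration at any point in time (log as source of truth)."""
import json
from datetime import datetime

# Constructed audit log (JSON lines), one entry per configuration change.
AUDIT_LOG = """\
{"ts":"2023-03-01T09:00:00Z","actor":"role:platform","resource":"patient-records-db","field":"public_endpoint","old":false,"new":false}
{"ts":"2023-03-02T10:15:00Z","actor":"user:bob","resource":"patient-records-db","field":"public_endpoint","old":false,"new":true}
{"ts":"2023-03-02T10:20:00Z","actor":"user:bob","resource":"patient-records-db","field":"access","old":["role:clinicians"],"new":["role:clinicians","user:bob"]}
{"ts":"2023-03-03T08:00:00Z","actor":"role:platform","resource":"card-vault","field":"encrypted_at_rest","old":false,"new":true}
"""

def parse_ts(iso):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_log(text):
    """Parse JSON lines into events sorted by timestamp (order matters for replay)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = parse_ts(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])

def history(events, resource):
    """Ordered list of (timestamp, actor, field, old, new) for one resource."""
    return [(e["ts"], e["actor"], e["field"], e["old"], e["new"])
            for e in events if e["resource"] == resource]

def state_at(events, resource, when_iso):
    """Replay changes up to `when_iso` to get the resource's configuration then."""
    when = parse_ts(when_iso)
    state = {}
    for e in events:
        if e["resource"] == resource and e["ts"] <= when:
            state[e["field"]] = e["new"]
    return state

def who_changed(events, resource, field):
    """Actors who actually altered one field, oldest first; no-op writes are skipped."""
    return [e["actor"] for e in events
            if e["resource"] == resource and e["field"] == field and e["old"] != e["new"]]
```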
Achieving compliance is challenging in any environment, but when you embrace DevOps, compliance presents special difficulties due to the speed at which workflows move and the importance of making processes continuous. Implementing continuous compliance takes effort, but the rewards justify it. Not only will your organization stay on top of regulatory requirements, but it will be better positioned to move quickly and innovate.
To put continuous compliance into practice, you need the right tool for the job. Symantec Cloud Workload Assurance (CWA) can help. Learn more about CWA features in this data sheet, and sign up for a free trial to see how CWA can help secure your cloud.