Compliance is a Necessity: Regulatory compliance is critical for businesses, especially those operating online. Compliance impacts all organizations and is becoming essential to conduct business virtually anywhere.
Alphabet Soup of Regulations: Businesses face numerous regulatory standards like HIPAA, PCI DSS, GDPR, and SOX. These rules affect modern software development, making compliance a crucial responsibility for DevOps teams.
Shift Left with DevOps Compliance: DevOps compliance aims to integrate regulatory checks early in the SDLC. This proactive approach reduces risks by ensuring compliance at multiple development stages, not just before deployment.
Automation is the Compliance Lifesaver: Automation in SDLC should include compliance to minimize risks and costs. Ensuring compliance during feature development avoids costly post-deployment fixes and promotes continuous adherence to regulations.
Visibility and Collaboration Challenges: Effective DevOps compliance hinges on bridging gaps between engineering and GRC teams through visibility, improved communication, collaboration, and advanced technology tools. Both sides need to work together seamlessly.
Regulatory compliance might be one of the most unglamorous topics in all of technology.
Yet it’s an entirely necessary one. Compliance requirements impact organizations large and small and everywhere in between—especially any business that operates online, which at this point is every business.
“Most businesses today are seeing a change in the regulatory landscape with new regulations coming out every year, sometimes every quarter,” says Daniel Marashlian, CTO and co-founder of Drata, a security and compliance automation company. “Compliance is becoming a must-have to do business [virtually anywhere].”
Indeed, the parade of regulatory acronyms reads like a test at the optometrist: HIPAA, PCI DSS, GDPR, SOX, FISMA, NIST – are you still with us? That’s just scratching the surface of potential rules and frameworks you might need to comply with, especially in the modern software world.
Given that enterprise software intersects with virtually every part of a business, it follows that software—not to mention its data and infrastructure—is very much a part of the regulatory landscape. This, in turn, means DevOps teams increasingly have a responsibility for their organization’s compliance strategy and posture.
“DevOps organizations are increasingly being asked to meet these new regulatory requirements,” Marashlian says.
In this article, we’ll take a closer look at DevOps compliance – what it is, why it’s important, and how teams are implementing it.
What is DevOps Compliance?
DevOps has always been about building better processes, tools, and teams – with the ultimate goal of rapidly and reliably delivering great software. DevOps compliance, then, focuses on ensuring that the software delivery lifecycle (SDLC) meets any and all compliance requirements, whether dictated by organizational policies, government regulations, industry standards, or other rules.
In the past, compliance might have been viewed as a final checkoff before deployment – or even something you didn’t prioritize unless there was an issue in a production release. Today, there’s a push to move compliance – like security, QA, and other processes – as far “left” as possible in the SDLC, meaning into the earliest stages of software development. This makes it a more integrated part of the SDLC and allows for teams to check (at multiple stages) their code and systems for compliance regularly to reduce risks.
Why Does DevOps Compliance Matter?
DevOps has become one of the leading approaches to software development. Suffice it to say that many software applications—and certainly any systems that generate, use, or store sensitive data—are subject to the various policies, regulations, and security frameworks that govern how businesses operate.
DevOps compliance matters because, without it, it’s much harder to minimize risks and ensure consistent compliance as software teams deploy code faster and more frequently – continuously, really – than ever. That’s even more true given how automated many elements of the SDLC have become, including continuous integration/continuous delivery (CI/CD) pipelines, infrastructure automation, security automation, and more. That same automation-first mindset should include compliance as well.
“Baking compliance into features as they are being developed, instead of identifying these issues after the feature gets deployed, can avoid costly remediation,” Marashlian says.
Compliance Challenges in DevOps Implementations
DevOps compliance is also important because it represents a continued shift in how software engineering teams interact with the rest of their organization. Just as DevOps itself aimed to break down traditional barriers between IT domains – namely development and operations, but also functions such as security and QA – DevOps compliance should ease frictions between software teams and other key stakeholders, especially governance, risk, and compliance (GRC) personnel.
“When it comes to changes made by engineering teams, GRC teams lack the visibility of how those changes impact their compliance posture, as the only way to get this visibility is through manual audits or automated tools that scan their production environment,” Marashlian says.
This speaks to several overlapping compliance challenges in DevOps shops: a lack of visibility, a lack of communication, a lack of collaboration, and a lack of effective technology tools – especially those that can help implement, automate, and manage a “desired state” for the company’s compliance requirements.
DevOps compliance “means giving visibility to compliance frameworks and regulatory requirements to developers in an accessible and actionable manner so that they can ensure that the organization’s business objectives around compliance are being met by their code changes,” Marashlian says.
It’s a two-way street: GRC teams also need visibility and understanding into how an organization’s software impacts its compliance posture, but in a manner that doesn’t cause friction with developers and DevOps engineers or create bottlenecks in the SDLC.
Good news: These challenges should sound familiar to seasoned DevOps pros because they’re similar to the conflicts that used to exist between Dev and Ops. DevOps practices such as shared incentives and blameless postmortems/evaluations can also be valuable here.
Automation is also huge, as it enables frequent checks that start early in the SDLC and minimize production fires later. If those fires do occur, a collaborative approach to putting them out—as opposed to finger-pointing—is crucial.
“When critical compliance issues are identified in production, GRC and Engineering teams should work together to prioritize fixes for these issues, ensuring the organization continues to meet its compliance objectives,” Marashlian says. “This helps avoid silos and facilitates closer collaboration between the two teams.”
Best Practices for DevOps Compliance
Regardless of any specific tools or other solutions you select for DevOps compliance, there are some core components and best practices to consider as fundamentals for your program. These include:
Clear rules and goals: You can’t be compliant if you don’t know what the target is. So naturally, any DevOps compliance program should start with identifying which regulations and frameworks you need or want to adhere to, and then implementing policies and tools accordingly. These can sometimes be set as “acceptable ranges,” meaning there’s a spectrum of potential acceptable outcomes for compliance checks as they run during different phases of the SDLC.
Version control: Version control systems like Git are commonly already found in DevOps toolchains. That’s a good thing because version control is largely considered a must-have for DevOps compliance as well—it’s an enabling technology for security and compliance audits, among other reasons.
Infrastructure as code (IaC): Infrastructure as code tools—or infrastructure automation—allow DevOps engineers and others to programmatically handle infrastructure management tasks such as provisioning, scaling, or configurations. This allows DevOps teams to manage infrastructure consistently and automatically, saving significant time and effort on manual, repetitive infrastructure work.
Security automation / DevSecOps: While security and compliance are typically considered separate domains, they are certainly related, especially as it pertains to data. To put the connection simply: If you’ve got security vulnerabilities in your software, infrastructure, or data, you probably also have compliance vulnerabilities. One way to look at DevOps compliance is that it follows a similar pattern to DevOps and security – which sometimes gets referred to as DevSecOps – in that it requires a “shift left” mindset and abandoning old paradigms where security (and compliance) was treated as a final checklist at deploy time.
Compliance processes also often intersect with various cybersecurity standards and strategies, such as access control (think MFA/2FA and role-based access control) and security frameworks such as those published by NIST or OWASP.
Compliance as Code (CaC): Compliance as Code (CaC)—sometimes called compliance automation—utilizes scripts and automation tools to mitigate the risks related to manual configuration and ensure consistency throughout an organization’s IT stack and SDLC.
CaC improves the traceability and accountability of changes made to infrastructure and software. In tandem with Infrastructure as Code (IaC), companies can achieve sustainable, repeatable, and auditable infrastructure changes that align with compliance mandates – and do the same in their software codebases.
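The “acceptable ranges” idea from the Clear rules and goals item and the CaC description above come together in a small policy check that runs at several SDLC phases with phase-dependent strictness and emits an audit record for each evaluation. The Python below is an added example written for this article; it is not code from Drata, Vanta, Sprinto, Scrut, or any other vendor named here. The rule IDs, control descriptions, phase names, resource name, actors, and configuration values are all constructed for illustration and do not map to the controls of any particular regulation.

```python
"""Compliance-as-code checker with phase-dependent enforcement (constructed example).

A failing rule only warns in phases earlier than its `enforce_from` phase and
blocks the pipeline from that phase onward, which is one way to express the
"acceptable ranges" idea: the same checks run everywhere, but the tolerated
outcome narrows as a change moves toward production.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable

# Ordered SDLC phases; later phases are stricter. Names are constructed.
PHASES = ["build", "staging", "prod"]


@dataclass(frozen=True)
class Rule:
    rule_id: str                      # constructed identifier, not a real control number
    description: str
    check: Callable[[dict[str, Any]], bool]
    enforce_from: str                 # earliest phase in which a failure blocks


@dataclass(frozen=True)
class Result:
    rule_id: str
    passed: bool
    severity: str                     # "pass", "warn" or "fail"


# Illustrative rules over a simplified resource description.
RULES: list[Rule] = [
    Rule("ENC-001", "Data store encrypts data at rest",
         lambda c: c.get("encryption_at_rest") is True, "build"),
    Rule("NET-001", "Data store is not publicly reachable",
         lambda c: c.get("public_access") is False, "build"),
    Rule("LOG-001", "Access logs retained for at least 90 days",
         lambda c: c.get("log_retention_days", 0) >= 90, "staging"),
    Rule("IAM-001", "Every administrative role requires MFA",
         lambda c: all(r.get("mfa") is True for r in c.get("admin_roles", [])), "prod"),
]

# Constructed sample: a database definition as it might appear in an IaC repo.
SAMPLE_CONFIG: dict[str, Any] = {
    "resource": "patient-records-db",          # constructed name
    "encryption_at_rest": True,
    "public_access": False,
    "log_retention_days": 30,                  # below the 90-day rule
    "admin_roles": [
        {"name": "dba", "mfa": True},
        {"name": "break-glass", "mfa": False},  # violates IAM-001
    ],
}


def evaluate(config: dict[str, Any], phase: str, rules: list[Rule] = RULES) -> list[Result]:
    """Run every rule; decide per rule whether a failure warns or blocks in this phase."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase {phase!r}; expected one of {PHASES}")
    phase_idx = PHASES.index(phase)
    results: list[Result] = []
    for rule in rules:
        passed = bool(rule.check(config))
        if passed:
            severity = "pass"
        elif phase_idx >= PHASES.index(rule.enforce_from):
            severity = "fail"
        else:
            severity = "warn"
        results.append(Result(rule.rule_id, passed, severity))
    return results


def is_allowed(results: list[Result]) -> bool:
    """The change may proceed only if no rule produced a blocking failure."""
    return not any(r.severity == "fail" for r in results)


def audit_record(change_id: str, actor: str, reviewer: str, phase: str,
                 results: list[Result]) -> dict[str, Any]:
    """Build the per-evaluation audit entry: who, what, when, and the verdict."""
    return {
        "change_id": change_id,
        "actor": actor,
        "reviewer": reviewer,
        "phase": phase,
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
        "allowed": is_allowed(results),
        "results": [{"rule": r.rule_id, "passed": r.passed, "severity": r.severity}
                    for r in results],
    }


def audit_record_json(change_id: str, actor: str, reviewer: str, phase: str,
                      results: list[Result]) -> str:
    """Serialize the audit entry so it can be appended to an append-only log."""
    return json.dumps(audit_record(change_id, actor, reviewer, phase, results), sort_keys=True)


if __name__ == "__main__":
    for phase in PHASES:
        res = evaluate(SAMPLE_CONFIG, phase)
        print(audit_record_json("CHG-0001", "alice", "bob", phase, res))  # constructed actors
```

Running the block shows the same configuration passing the build phase with two warnings, being blocked at staging by the log-retention rule, and being blocked at prod by both the log-retention and MFA rules. Keeping the rules as data alongside the infrastructure definitions, and writing every evaluation to an append-only log, is what gives the audit trail the next section describes.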
We’ll take a closer look at some CaC tools in the next section.
DevOps Compliance Tools + Solutions
As Marashlian notes above, one of the overarching challenges of compliance in any organization is that it’s a regularly evolving landscape. New regulations and laws are passed, existing frameworks or rules change, and so forth.
That’s one of the bedrock value propositions of CaC tools: they bring greater standardization, consistency, and automation to compliance checks throughout the SDLC – while preserving a clear audit trail.
As Jim Bird, author of the O’Reilly book DevOpsSec, writes: “Standardization makes auditors happy. Auditing makes auditors happy (obviously). Compliance as Code provides a beautiful audit trail for every change, from when the change was requested and why, to who made the change and what that person changed, who reviewed the change and what was found in the review, how and when the change was tested, to when it was deployed.”
As DevOps has matured, more organizations appear to be seeing the light: Marashlian from Drata cites a recent Gartner report that predicts that “by 2026, 70% of enterprises will have integrated compliance as code into their DevOps toolchains, reducing risk management and improving lead time by at least 15%.”
Drata recently launched a CaC capability on its platform. “DevOps and GRC teams get visibility into compliance issues early in the development lifecycle, [can] easily and quickly remediate these issues in code, and [can] build guardrails to control whether code changes that impact the organization’s compliance posture are allowed to be made,” Marashlian says.
If you’re a healthcare organization looking to automate more of your HIPAA compliance, for example, you can configure a CaC tool to do so. This is similar to most other major regulations, such as SOC 2, GDPR, and ISO 27001. CaC tools can help automate the validation of different compliance standards throughout the SDLC, moving toward a continuous compliance model – not unlike continuous delivery and CD pipelines.
There are multiple other options in addition to Drata, including Vanta, Sprinto, and Scrut. Obviously, one of your basic selection criteria should be to ensure that any tool you use can support your particular compliance requirements.
Also, keep in mind that there’s a much broader menu of software tools that could reside under the umbrella of DevOps compliance: version control systems like Git, automation platforms like Terraform and Ansible, and even Kubernetes. The major cloud platforms also offer their own flavors of these and other tools.
The Bottom Line
Regulatory compliance might not make a great conversation starter at a dinner party, but it’s a must for most organizations. And compliance – especially when it comes to software applications, data, and infrastructure – is increasingly managed as code in a highly automated fashion.
What role is your DevOps playing in your organization’s compliance? Join The CTO Club’s newsletter for more industry news and discussions!