Compliance as Code: Security in a world where the pace of change keeps increasing

By Steve Gallacher, Principal Consultant, Servian

April 6th, 2020

How have things changed?

Over the last 20 years, we have seen many changes in IT delivery circles: 

  • On premises > Cloud
  • Thick client to web first > mobile first
  • Monolithic applications > enterprise service bus > orchestrated microservices

Security groups are struggling to keep up and the resolution requires flipping the traditional engagement model on its head.

If you’ve worked in enterprise IT for any period of time, you’ll have run into a conversation along the lines of “Oh, we can’t do that, we have to wait until security is engaged and get their approval”. This was something that was relatively feasible in an annual or even quarterly delivery model, but when you have intra-day deliveries, a security architect simply cannot be engaged full-time for anything but the largest projects.

One answer to this problem is:

Compliance as code


Compliance as code means moving away from spreadsheets of compliance questionnaires that are only point-in-time reflections of a project. Instead, developers are given the agency and the tooling to include security controls proactively from day one, which gives project teams more control over their timelines and ongoing project management.

Compliance as code is part of the “shift left” paradigm: it collapses the feedback loop and enables development teams to identify and resolve issues quickly. Built into the development cycle, it informs the development team of issues early, enabling them to maintain their security posture whilst delivering at speed. It gives the development team actionable insights without burdening them with all the education needed to stay current with changing threat landscapes and information-security requirements.

Servian recently built out a compliance as code solution for a major retailer. By demonstrating to the security team exactly how and where the central controls had been implemented, and by reporting against every build, we were able to show that compliance had been maintained. As the project evolved, changes over time were reflected through automated real-time reporting, substantially reducing the demands on security architecture and delivering a faster time to market. Result.
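To make the idea of controls that live with the code and report against every build concrete, here is an added example (not Servian's solution, nor code from the retailer engagement) of the shape such a check can take. It assumes a hypothetical build step that hands the check a list of resource descriptions (the names, control IDs and the resource attributes below are all constructed); each control is a small function, the whole set runs on every build, and the result is a report plus a pass/fail exit status rather than a questionnaire answered once.

```python
"""Minimal compliance-as-code check for a CI build step (constructed example).

Controls are plain functions over a resource description, so the policy is
version-controlled next to the application code and every build produces a
report instead of a point-in-time questionnaire answer.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Finding:
    control_id: str
    resource: str
    message: str

@dataclass
class Report:
    build_id: str
    findings: List[Finding] = field(default_factory=list)
    checked: int = 0  # number of (resource, control) pairs evaluated

    @property
    def compliant(self) -> bool:
        return not self.findings

# A control returns a failure message, or None when the resource is fine.
Control = Callable[[dict], Optional[str]]

def no_public_storage(res: dict) -> Optional[str]:
    if res["type"] == "storage_bucket" and res.get("public_access", False):
        return "bucket allows public access"
    return None

def encryption_at_rest(res: dict) -> Optional[str]:
    if res["type"] in ("storage_bucket", "database") and not res.get("encrypted", False):
        return "encryption at rest is not enabled"
    return None

def audit_logging_enabled(res: dict) -> Optional[str]:
    if res["type"] == "database" and not res.get("audit_logging", False):
        return "audit logging is disabled"
    return None

def no_open_admin_ports(res: dict) -> Optional[str]:
    if res["type"] == "firewall_rule":
        open_to_world = "0.0.0.0/0" in res.get("sources", [])
        admin_ports = {22, 3389}  # SSH and RDP
        if open_to_world and admin_ports & set(res.get("ports", [])):
            return "administrative port open to the internet"
    return None

# Control IDs are hypothetical; in practice they map to the organisation's
# central control catalogue so the security team can trace each check.
CONTROLS: Dict[str, Control] = {
    "SEC-001": no_public_storage,
    "SEC-002": encryption_at_rest,
    "SEC-003": audit_logging_enabled,
    "SEC-004": no_open_admin_ports,
}

def evaluate(build_id: str, resources: List[dict], controls: Dict[str, Control] = CONTROLS) -> Report:
    """Run every control against every resource and collect the findings."""
    report = Report(build_id)
    for res in resources:
        for control_id, check in controls.items():
            report.checked += 1
            message = check(res)
            if message:
                report.findings.append(Finding(control_id, res["name"], message))
    return report

def render(report: Report) -> str:
    """Human-readable per-build report, suitable for a CI log or dashboard."""
    status = "PASS" if report.compliant else "FAIL"
    lines = [f"build {report.build_id}: {status} ({report.checked} checks)"]
    for f in report.findings:
        lines.append(f"  {f.control_id} {f.resource}: {f.message}")
    return "\n".join(lines)

# Constructed sample: the infrastructure described by one build.
SAMPLE_RESOURCES = [
    {"type": "storage_bucket", "name": "orders-archive", "public_access": False, "encrypted": True},
    {"type": "storage_bucket", "name": "marketing-assets", "public_access": True, "encrypted": True},
    {"type": "database", "name": "orders-db", "encrypted": True, "audit_logging": False},
    {"type": "firewall_rule", "name": "allow-ssh", "sources": ["0.0.0.0/0"], "ports": [22]},
]

if __name__ == "__main__":
    import sys
    build_report = evaluate("build-1234", SAMPLE_RESOURCES)
    print(render(build_report))
    sys.exit(0 if build_report.compliant else 1)  # a failing control fails the build
```

Run as a pipeline step, the non-zero exit status is what collapses the feedback loop: the developer who introduced the public bucket sees the finding on their own build rather than in a security review weeks later, and the rendered report for each build is the evidence trail the security team can keep.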

If you’re interested in learning more about our approach to compliance as code, please reach out.