How automation aids policy compliance in DevSecOps
Compliance — it’s both a challenge and an essential confirmation of quality controls within the new DevSecOps methodology, according to a new white paper from Sogeti and Microsoft.
The paper ‘6 tips to integrate security into your DevOps practices’ argues that increasingly rigorous regulatory regimes demand both policies and an automated approach to adhering to them. In a series of blog posts, we’re giving you a flavor of all 6 tips, including Tip 5: Realize compliancy with policy automation.
Managing compliance audits
DevSecOps is fast becoming the next logical evolution of DevOps. Compliance is integral to this new iteration of DevOps yet ensuring compliance across a burgeoning application landscape isn’t easy. In fact, one report cites CISOs as spending 30% or more of their time dealing with compliance issues due to the exhaustive and time-consuming nature of compliance audits.
So how can you harden security and address compliance at the same time? In 6 tips to integrate security into your DevOps practices, Microsoft and Sogeti suggest that IT leaders should establish policies that relate to their enterprise’s regulatory and compliance requirements, industry standards, and organizational goals. This will ensure that when an audit occurs, security compliance is never in question. When done correctly, these policies offer a set of controls to your DevSecOps teams — ensuring security vulnerabilities are monitored and remedied at every stage of the application development and management (ADM) cycle.
6 steps to policy automation
This continuous compliance builds on the belief that security should begin in the early stages of the development lifecycle. This is reflected in the following six steps for realizing continuous compliance with policy automation, which are based on Microsoft Azure.
- Determine your policy set — what policies do you want to use that might be specific to your sector?
- Adopt a policy-as-code model — store your policies in a code repository, enabling you to export and version control them
- Update policies in code and push to Azure — configure this action to automatically trigger when policies are updated
- Close the loop with compliance scanning — cloud services are constantly spun up, so run on-demand evaluation scans against your cloud environments
- Shift left using a quality gate — teams across the enterprise can understand, validate, and test policies against code even earlier in the software lifecycle
- Use Azure Security Center to monitor and observe — real-time compliance telemetry is extremely helpful when an auditor wants to see the current state of a subscription
Closed loop automation
Tip 5 explains how these six steps enable closed loop policy automation, where compliancy is continuously monitored and aligned with all changes, at any time. This is important when you consider that, in some cases, a system life can extend for many years. This makes policy non-conformance inevitable, often due to the evolving regulatory landscape. However, you can ensure that all workloads and applications remain compliant by leveraging cloud providers’ policy best practices to act as guardrails — and by continuously monitoring this compliance.
Download the white paper 6 tips to integrate security into your DevOps practices.