This post originally appeared on DevOps.com.
If you google a term like “software compliance,” you’ll be met with a seemingly endless lineup of blog posts, how-tos and explainer articles promising to tell you everything you need to know about writing and deploying software in a compliance-friendly manner.
Some of those are good resources, especially the ones that delve into meeting specific compliance requirements associated with specific regulatory frameworks. (Articles that make generic recommendations like “secure your data!” are less helpful, but I digress.)
In this article, I aim to contribute something new to the conversation about software and compliance, especially as it relates to modern, containerized, microservices-based environments. I’m not going to rehash all of the existing content about compliance best practices. Instead, I’d like to offer a new way of thinking about how you actually build compliant applications — by taking a DevOps approach to compliance.
What does that mean, exactly? Let me explain.
Why DevOps Compliance?
I know — When you hear a term like DevOps compliance, your first thought is likely, “Well, there’s another meaningless buzzword.”
But when I use that term, I’m thinking about much more than marketing hype. I’m referring to the actual practice of using DevOps processes as the basis for building compliance into your applications.
I’ll explain what that looks like in a moment. For now, let me explain why the concept of DevOps compliance matters.
The main reason is that this concept drives home the truth that in order to create compliant applications, you need to make deliberate design decisions and follow specific processes for implementing them. This is what makes the concept of DevOps compliance, as I’m presenting it here, different from typical recommendations for achieving software compliance. Instead of treating compliance as something that you worry about once your application is written (or as a process that lives in its own silo, if you want to describe it in DevOps-y terms), the innovation behind DevOps compliance is to bake the compliance process into the rest of the software delivery pipeline, ensuring that the software that’s created is secure from the beginning of the development process.
Implementing DevOps Compliance
What does DevOps compliance look like in practice? How do you actually bake compliance into a CI/CD pipeline?
Involving everyone in compliance
For starters, you ensure that everyone who plays a role in software delivery understands what compliance means and which specific compliance requirements affect the software they are building. This is not often the case by default. Typically, compliance is something that your lawyers and security team know about, but not something your developers, software testers or IT Ops team members spend much time studying.
In order to do DevOps compliance, that has to change. Your engineers need not become compliance experts, but they need visibility into the specific compliance challenges that they must meet. They must also understand how those challenges change — as they frequently do, because compliance frameworks have a tendency to be updated regularly.
Tracking compliance across the CI/CD pipeline
Second, achieving DevOps compliance requires implementing processes that allow you to verify and vet the state of compliance at all stages of the software delivery process. When developers are designing new code, they should be thinking about how that code can be compliant. When the QA team is testing the code, they should verify that it meets compliance goals. And when IT Ops deploys the code, it should monitor it to ensure that it is actually fulfilling compliance needs in production.
A third key process to implement is auditing across the software delivery lifecycle. While the precise reporting and auditing requirements of software vary from one compliance framework to another, it’s a best practice to make sure that you are logging and able to report compliance-related data.
The problem many organizations run into is that they think about the auditing challenge only when software is in production. To do DevOps compliance, you should be baking auditing into all stages of the CI/CD process by collecting data that demonstrates how you are working to meet compliance goals, and that measures your success in achieving them. This practice ensures that if something goes wrong with compliance, you have full visibility into where the issue originated and how to fix it, which are important considerations for meeting compliance challenges successfully.
Ideally, you’d never make a compliance mistake, but in reality, you probably will sometimes experience oversights. When they happen, it’s much better if you know exactly what went wrong and can quickly develop a plan for fixing it. That not only helps you avoid repeating the same mistake — it can also help keep regulatory authorities happy. They tend to be more forgiving of compliance errors if you can show proactively (using your own auditing data) that you know what went wrong, and how you are going to fix it.
Compliance is not something that most developers or Ops engineers enjoy thinking about. In fact, it’s something that many of them don’t think about at all, and that’s a problem. But as software-related compliance challenges grow increasingly more complex, and as the consequences of non-compliance grow ever greater (both in terms of regulatory fines and a loss of reputation in the eyes of customers), compliance is something that all participants in the CI/CD pipeline should be supporting. They should be doing so at all stages of the software delivery process, and in a way that maximizes visibility into compliance efforts via a clear auditing trail. That’s what DevOps compliance looks like.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
2019 Gartner Market Guide for CWPP: What You Need to KnowRead the Blog
Key Differences in Security, Management for Serverless vs. ContainersRead the Blog
Docker vs. KubernetesRead the Blog
How Cloud Workload Protection is Different than Application SecurityRead the Blog
Zero-Trust Security: What It Means and How to Achieve ItRead the Blog