DevOps teams must develop secure software, but a key part of security is compliance. Achieving compliance can be time-consuming, stressful, and resource intensive, but it’s increasingly a job DevOps teams – and developers specifically – are being asked to bake into their processes.
Here’s a look at how compliance in DevOps works.
It starts with standards
Organizations of all sizes rely on nationally or internationally recognized standards to prove their security postures to customers, partners, and shareholders. Companies need to create systems that streamline compliance with a potentially large number of standards, such as NIST, ISO, SLSA levels, GDPR, SOX, SOC2, PCI DSS, HIPAA, and HITECH. At GitLab, we know exactly how difficult this is as we went through the SOC 2 compliance process ourselves, as well as many other compliance initiatives.
Previously, tackling compliance requirements involved spreadsheets, checklists, and cross-functional teams of people digging for data. Being certified compliant was critical to a business, but not critical enough to codify and streamline the process... and that was before the advent of the cloud where the data could literally be anywhere and everywhere.
“It's incredibly difficult to know if you’ve done the right things to stay secure and compliant, especially in an increasingly complex environment of cloud-native applications, infrastructure-as-code, microservices, and more open source components,” explains Dave Steer, GitLab vice president of product and solutions marketing.
That's where automation, cooperation, and collaboration -- and DevOps -- come in.
It’s well known how developers and security pros have struggled to find common ground around secure software development and compliance is one step further down an already rocky path of cooperation. But embedding compliance in DevOps can happen with the right mix of culture and technology. To start, it’s important to decide which standards apply to your organization and if compliance will be kept separate from security, or integrated as part of the same team. Either way, security and compliance work together by one feeding into the other. Compliance sets the parameters for meeting regulatory requirements and security executes the actions to meet those requirements.
And that’s when the fun can really begin. The “beating heart” of DevOps is automation and if ever there is a process that is crying out to be automated and literally built into DevOps it’s compliance. There are three main ways DevOps teams can streamline the compliance process:
Make compliance standards part of the CI/CD pipeline. While this might not work for every compliance requirement, it eliminates the need for a manual checklist and provides a clear audit trail and a hard stop if there’s an issue because the pipeline will fail.
Leverage containers. When teams are certain a process or technology is compliant, it can be made into a container image. Over time, these “Golden Images” as Martin Fowler refers to them can be assembled as guiding lights of compliance.
Establish a system of record, or SOR. An SOR will allow a DevOps team to track compliance just before a change is made to the code or the process.
Is your software supply chain secure?
As we continue to navigate an always-evolving modern DevOps environment, it’s important to be aware that compliance and security are coming together under one primary theme moving forward: software supply chain security.
Software supply chain security is fast becoming the compliance and security umbrella which is supported by security scanning, policy automation/guardrails, securing the software factory itself, and common controls embedded within the software factory.
Combined with continuous maintenance of compliance and security regulations, automated DevOps practices have the potential to help discover security and compliance issues faster and address threats more quickly and effectively.
It's imperative that organizations understand how to comply with required regulations. Learn how GitLab helps organizations achieve continuous compliance and about our software supply chain security direction.