Cloud Security Alliance releases guidelines to bridge compliance and DevOps

The challenge of integrating security compliance activities into software development is well known: compliance teams want documented controls in place, while many DevOps engineers believe the proof is in the code, not in the process or its documentation.

DevSecOps practices can help connect compliance and development, improving overall security while reducing the effort needed to validate compliance with security objectives, but those practices vary widely across organizations and industries.

To bridge the gap between compliance and development, the Cloud Security Alliance (CSA) recently released a report that provides guidance to help organizations translate compliance goals into security measures and identify where security controls can be integrated, automated, measured and tested.

The report is the third in a series of reports detailing the six key focus areas for embedding DevSecOps in an organization.

“The increasing speed and frequency of deployments in application development today demand a solution that is both efficient and more automated, but without compromising security and quality,” said Roupe Sahans, lead author of the report.

In its document, the CSA groups its guidelines into three main areas: assessments of the maturity and effectiveness of DevSecOps processes and controls; the right mindset for the DevSecOps transformation; and tools to implement controls and security measures.

When evaluating software deployment processes, the CSA emphasizes shared responsibility with cloud service providers in implementing security controls: “When an organization combines compliance objectives with security requirements, it is essential to understand the responsibility of the cloud customer given its choice of solutions and technologies.”

Security tools, the report adds, must align with the technologies in use, such as containers, virtual machines and the configuration state of cloud platforms. Organizations and their cloud providers must also agree on and document their shared responsibilities in a service level agreement.

Regarding tooling, the CSA calls on organizations to adopt infrastructure as code to eliminate manual provisioning of infrastructure. They can do this through services such as AWS CloudFormation or tools such as Chef, Ansible and Terraform, paving the way for automation, version control and governance of infrastructure changes.

Organizations can also establish guardrails that continuously monitor software deployments to ensure alignment with their goals and objectives, including compliance. These guardrails are expressed as high-level rules with detection and prevention policies.

Guardrails can be implemented as a means of reporting compliance, such as counting the machines running approved operating systems (OSs), or as remediation for non-compliance, such as shutting down machines running unapproved OSs.
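As an added illustration, not code from the CSA report, the following Python sketch shows the detect-versus-prevent distinction described above. Each guardrail is a high-level rule made of a detection predicate and a mode: in detect mode the violation is only reported; in prevent mode a remediation action also runs. The approved-OS allowlist, the owner-tag rule and the four-machine inventory are constructed for the example, and the shutdown step records the action instead of calling a cloud API, so the block runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed allowlist of approved OS images (constructed for this example).
APPROVED_OS = {"ubuntu-22.04", "rhel-9", "windows-server-2022"}


@dataclass(frozen=True)
class Machine:
    name: str
    os: str
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class Guardrail:
    """A high-level rule: a detection predicate plus an enforcement mode.

    mode == "detect":  only report machines that violate the rule.
    mode == "prevent": report and run `remediate` against each offender.
    """
    name: str
    violates: Callable[[Machine], bool]
    mode: str = "detect"
    remediate: Optional[Callable[[Machine], str]] = None

    def __post_init__(self):
        # Fail closed on misconfiguration: a prevent rule with no action
        # would silently behave like detect-only.
        if self.mode not in ("detect", "prevent"):
            raise ValueError(f"{self.name}: unknown mode {self.mode!r}")
        if self.mode == "prevent" and self.remediate is None:
            raise ValueError(f"{self.name}: prevent mode needs a remediate action")


def shutdown(machine: Machine) -> str:
    # Stand-in for the cloud API call that would stop the instance;
    # here it only records the action so the example stays offline.
    return f"shutdown {machine.name}"


# Hypothetical guardrails for the example.
GUARDRAILS = [
    Guardrail("approved-os", lambda m: m.os not in APPROVED_OS,
              mode="prevent", remediate=shutdown),
    Guardrail("owner-tag-present", lambda m: "owner" not in m.tags,
              mode="detect"),
]

# Constructed fleet inventory.
INVENTORY = [
    Machine("web-01", "ubuntu-22.04", {"owner": "team-web"}),
    Machine("web-02", "ubuntu-22.04", {"owner": "team-web"}),
    Machine("db-01", "rhel-9"),
    Machine("legacy-01", "centos-6", {"owner": "team-legacy"}),
]


def evaluate(inventory: List[Machine], guardrails: List[Guardrail]):
    """Return (per-rule compliance summary, violating machines, actions taken)."""
    summary: Dict[str, Dict[str, int]] = {}
    violations: Dict[str, List[str]] = {}
    actions: List[str] = []
    for g in guardrails:
        offenders = [m for m in inventory if g.violates(m)]
        violations[g.name] = [m.name for m in offenders]
        summary[g.name] = {
            "total": len(inventory),
            "compliant": len(inventory) - len(offenders),
            "violations": len(offenders),
        }
        if g.mode == "prevent":
            actions.extend(g.remediate(m) for m in offenders)
    return summary, violations, actions


def run_example():
    return evaluate(INVENTORY, GUARDRAILS)


if __name__ == "__main__":
    summary, violations, actions = run_example()
    for rule, counts in summary.items():
        print(f"{rule}: {counts['compliant']}/{counts['total']} compliant, "
              f"violations={violations[rule]}")
    print("actions:", actions)
```

The compliance report comes from the same predicate that drives remediation, so the count of machines on approved OSs and the list of machines shut down can never disagree; switching a rule between detect and prevent is a one-word policy change rather than new code.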

Because organizations tend to address risk directly through tools, they can easily overlook the importance of having the right mindset in the DevSecOps transformation. The CSA defines mindset as the means of bringing security teams and software developers together.

This can include activities such as “value stream mapping”, which identifies the teams, timelines and turnaround times involved in taking an idea through to a customer outcome. The map shows where security is involved along the way, through both manual and automated activities.

Compliance goals can then be translated into security measures that developers can implement directly, alongside methods for tracking and controlling developer activities without hampering productivity.