We are in the midst of a dramatic shift toward automation as a society. Cloud computing is no exception.
While automated pipelines for continuous integration and delivery/deployment (CI/CD) have been around for a while now, compliance remains dominated by PDFs, screenshots, Microsoft Word and Excel. Point-in-time audits review system risk annually and monitor for changes at most on a month-by-month basis.
“Shifting left” is as much a mentality shift as it is a literal shift. It means moving as much control implementation and validation as possible to automated pre-production CI/CD pipelines rather than focusing primarily on auditing the production environment at a single point in time. It also means integrating compliance validation from the bottom up, at the machine level, instead of validating compliance from the top down.
1 – With Infrastructure as Code (IaC) Comes Compliance as Code
Today, organizations can efficiently create and maintain secure cloud environments by incorporating IaC into their CI/CD pipelines. Baking compliance into IaC just makes sense. Using OSCAL, organizations can implement compliance as code in the same way they currently leverage IaC.
Specific configuration settings and benchmarks that meet control requirements can be applied and validated for each individual component within a system inventory upon initial generation of that component. The component may then be monitored continuously for drift.
On-demand outputs can continuously provide compliance artifacts, and may also be shared via APIs to Governance, Risk, and Compliance (GRC) tools that support OSCAL, as well as with auditors and authorizing officials. Adopting a Compliance-as-Code approach will:
- Save enormous amounts of time and money.
- Increase accuracy and transparency by providing evidence of control implementation directly from machines, rather than depending on human interpretation.
- Empower decision makers to quickly understand and measure vendor risk based on the same risk metrics their own organization is being measured against.
- Increase visibility into risk by facilitating the use of Artificial Intelligence-based aggregate analytics on large sets of structured compliance data.
Need another reason to adopt a compliance-as-code approach? The FedRAMP Program and other U.S. Government entities have strongly signaled that OSCAL will become the required format for compliance validation deliverables.
2 – Security Improves When Compliance is Baked Into IaC
The 2020 SolarWinds hack was especially devastating because many of SolarWinds' customers were pulling patches directly from the vendor repository without validating that the source code was secure. When the SolarWinds repository was compromised, it became a proliferator of malware that was digitally signed and therefore treated as legitimate. Worse, the SolarWinds product, Orion, was itself a security tool.
Organizations leveraging SolarWinds could have avoided compromise by implementing a robust security and compliance validation process in CI/CD. How does compliance baked into IaC look in practice? Many NIST 800-53 controls can be baked into CI/CD pipelines. Just to name a few:
- Leveraging IaaS vendor provided compliant architectures such as AWS conformance packs (PL-8)
- Hardening environments based on DISA STIGs or CIS benchmarks (CM-6)
- Performing Static Code Analysis (SCA) and Static Application Security Testing (SAST) (SA-11)
- Performing Dynamic Application Security Testing (DAST) in a staging environment (RA-5)
- Container registry and image scanning in CI/CD (RA-5)
- Automated gates to restrict deployment for insecure components and monitor drift (CM-6, RA-5)
- Detecting supply chain risks and generating Software Bill of Materials (SBOM) (SR-3, SR-10, SR-11)
Automating validation of these processes is where OSCAL comes in. Many widely used virtualization and security tools have embraced OSCAL, making it easy to align compliance validation with security. Additionally, automation around change control may be baked into CI/CD as well.
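As an added illustration (not code from this article or from any OSCAL tool), the automated deployment gate and drift check from the list above can be expressed in Python. The component names, evidence values and the trimmed component-definition fragment are constructed for the example; a real OSCAL document also carries UUIDs, metadata and descriptions.

```python
import json

# Constructed OSCAL component-definition fragment, trimmed to the fields used here.
COMPONENT_DEFINITION = json.loads("""
{"component-definition": {"components": [
  {"title": "web-api-image", "control-implementations": [
    {"implemented-requirements": [
      {"control-id": "cm-6"}, {"control-id": "ra-5"}, {"control-id": "sa-11"}]}]},
  {"title": "build-runner", "control-implementations": [
    {"implemented-requirements": [
      {"control-id": "cm-6"}, {"control-id": "sr-3"}]}]}
]}}
""")

# Constructed pipeline evidence: (component, control-id) -> did the automated check pass?
EVIDENCE = {
    ("web-api-image", "cm-6"): True,    # benchmark hardening scan
    ("web-api-image", "ra-5"): False,   # image scan reported a blocking finding
    ("web-api-image", "sa-11"): True,   # SAST
    ("build-runner", "cm-6"): True,
    # no SR-3 entry for build-runner: the SBOM step produced no evidence
}

def claimed_controls(definition):
    """Yield (component title, control-id) for every implemented requirement."""
    for comp in definition["component-definition"]["components"]:
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                yield comp["title"], req["control-id"].lower()

def evaluate_gate(definition, evidence):
    """Fail closed: a claimed control with failing or missing evidence blocks deploy."""
    findings = []
    for comp, control in claimed_controls(definition):
        result = evidence.get((comp, control))
        if result is None:
            findings.append((comp, control, "no-evidence"))
        elif not result:
            findings.append((comp, control, "check-failed"))
    return {"deploy": not findings, "findings": sorted(findings)}

def detect_drift(baseline, observed):
    """Return settings whose observed value differs from the approved baseline (CM-6)."""
    keys = baseline.keys() | observed.keys()
    return {k: (baseline.get(k), observed.get(k)) for k in sorted(keys)
            if baseline.get(k) != observed.get(k)}

if __name__ == "__main__":
    print(evaluate_gate(COMPONENT_DEFINITION, EVIDENCE))
```

The gate treats missing evidence the same as a failed check, so a skipped pipeline step cannot silently pass a control the component claims to implement.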
3 – Control Mapping Between Compliance Frameworks Becomes Frictionless
A major challenge for organizations is the sheer number of compliance frameworks that are required in order to access regulated markets. U.S. Federal Civilian agencies, Department of Defense, Intelligence Community, and State Governments all have unique requirements. Multinational companies must deal with each country’s regulatory requirements. Additionally, certain sectors have their own unique requirements.
Organizations that implement OSCAL-based compliance as code can rapidly demonstrate compliance with multiple frameworks. Defining the scope of a cloud offering or managed service within a broader organization that caters to unique and highly regulated customer bases becomes dramatically easier. Pre-defined organizational components may be included within specific authorization boundaries and excluded from others.
Compliance frameworks based on NIST 800-53 or 800-171 are already compatible with OSCAL (FedRAMP, DOD SRG, CMMC, StateRAMP, TX-RAMP, CJIS, etc.). Compliance with U.S. Public Sector requirements that focus on specific areas such as NIST SP 800-218 Secure Software Development Framework (SSDF) can be efficiently incorporated into the holistic compliance as code approach.
Additionally, many international frameworks have adopted OSCAL, making complying with multiple frameworks as straightforward as applying defined business logic to existing data. The Center for Internet Security (CIS) has released an OSCAL repository for their Critical Security Controls, the Australian ISM has released a mapping to OSCAL, the Cloud Security Alliance CCM has a mapping, Japan’s ISMAP is working on a mapping, and more are on the way.
It’s time for organizations to move away from manual “top down” approaches to compliance and instead adopt a “bottom up” approach by baking OSCAL-based compliance as code into their automation efforts. For more information on how 38North Security can empower your organization to incorporate compliance as code into your automation pipeline, please reach out!