kras99 -

Blue chips hone continuous compliance as GRC pressures mount

The concept of continuous improvement has found its way into IT governance, as companies such as Fannie Mae, JPMorgan Chase and John Deere embrace continuous compliance.

It's not enough anymore for highly regulated companies to wait for audits to uncover security and governance issues, or to get auditors' periodic rubber stamp on their IT operations.

Instead, as security breaches continue to plague the IT industry, governance, risk and compliance (GRC) departments at mainstream companies have begun to embrace the Lean methodology concept of continuous improvement. With this approach, dubbed continuous compliance, enterprises use compliance automation to enforce governance policies at scale, and to gather up-to-the-minute data on whether the organization is truly secure.

"Compliance is the byproduct of a secure and resilient organization," said Carl Kubalsky, business information security officer in the intelligent solutions group at machinery manufacturing company John Deere, during a panel presentation at the recent AWS re:Inforce conference in Boston. "I would love to see us make compliance just a thing that happens automatically, and obviously we get alerted when it's not there."

Other panelists said continuous compliance requires even broader collaboration and information sharing across their companies than the cooperation between technical teams under DevSecOps.

We are going to continue to find new security weaknesses as we deploy new services and new configurations. As we do that, how do we quickly introduce that [information] back into the software delivery lifecycle?
Nick MistryVice president of cloud security, vulnerability management and DevSecOps, Fannie Mae

"We're shifting [to] a mindset where compliance is the bare minimum, but we're here to secure our organization," said Nick Mistry, vice president of cloud security, vulnerability management and DevSecOps at financial services company Fannie Mae, during the panel session. "We are going to continue to find new security weaknesses as we deploy new services and new configurations. As we do that, how do we quickly introduce that [information] back into the software delivery lifecycle?"

This requires breaking down traditional observability divisions between security and DevOps teams, Mistry said, but also between GRC teams and the rest of the IT organization.

"We have an internal organization that does compliance checks, and [we get], 'Well, that's their job,'" Mistry said. "No, you're the security expert -- that's your job. Everybody has to be focused on security in all matters."

Continuous compliance, like DevSecOps, is also meant to be proactive in identifying potential problems. In addition to tests in the DevOps pipeline that seek to prevent non-compliant code from being deployed, John Deere uses AWS Event Response Orchestration (AERO), a utility designed by AWS professional services in 2019. AERO searches out and kills deployed workloads that violate policy.

"Rather than wait for an audit to come up, AERO is looking for things we wouldn't expect to see in our environment," Kubalsky said. "There's still some room to grow in both AWS capabilities and our own to prevent it from being created, but if it is created, we want it to get hammered out."

Continuous compliance rises along with cybersecurity threats

Cybersecurity has become a white-hot issue in recent years -- particularly during the past 18 months, following fresh regulations governing software supply chain security and zero-trust architecture among federal government agencies, issued via presidential executive order in May 2021. In the private sector, major security incidents with far-reaching implications such as the SolarWinds attack and Log4j vulnerability have also renewed the industry's sense of urgency around security.

In the meantime, the adoption of cloud computing and continuous delivery, especially among teams that now often work remotely, has created a need for more sophisticated compliance automation. But most organizations have some catching up to do, according to a March survey of 304 IT professionals by Enterprise Strategy Group (ESG), an IT research and advisory firm.

"The amount of sensitive classified data in public clouds is expected to nearly double over the next 24 months, yet more than half of organizations believe notable portions of their sensitive data stored in public cloud services is insufficiently secured," ESG's survey report states. "Compounding that is the fact that nearly two-thirds of organizations report that they have lost public cloud-resident data or suspect they have."

The frequency of audits has also increased, according to ESG. Only 13% of respondents said they hadn't been audited by a regulatory agency in the last three years; 83% indicated they'd undergone at least one audit in that time frame and nearly one in five respondents said their company was audited more than 10 times.

Enterprise companies are also under business pressure to keep up with disruptive competitors born in the public cloud that may not be as heavily regulated.

"Fintechs don't really build things that have to do with the regulatory aspects of a bank," said James Reid, CIO at financial services firm JPMorgan Chase & Co., during the panel session. "For us to keep up, we need to get really good at continuous audit and compliance so that we can level the playing field."

re:Inforce continuous compliance panel
Nick Mistry of Fannie Mae (left), James Reid of J.P. Morgan Chase and Carl Kubalsky of John Deere discussed continuous compliance in an AWS re:Inforce panel session moderated by Nandini Ramani, a vice president at AWS, recently in Boston.

AWS continuous compliance wish list: App recipes

All the panelists said they'd like to see AWS offer more varied types of guidance on how to securely construct applications and associated infrastructure for hybrid as well as public cloud deployments.

AWS has high-level guidance in its Well-Architected Framework, which includes a section on security governance. AWS and partners also offer Blueprints, portfolios of tested and validated AWS services and third-party applications, via AWS Distributor partners.

However, users such as Reid said they'd like more flexibility -- step-by-step guidance and recommendations similar to a recipe, where Blueprints "represent the cooked meal."

"I see recipes as Gang of Four software design patterns, which a company can implement themselves, versus Blueprints, which are the actual implementation," Reid said in an online interview following the re:Inforce panel session.

AWS offers patterns within its Prescriptive Guidance documentation for how to use its security, identity and compliance services, but Fannie Mae's Mistry said he'd like to see recipes that encompass all the parts of the app and infrastructure, both pre- and post-deployment.

"How do we take provable declarative statements [about security] and make them from the beginning, starting with [app] design, to the actual provisioning and the capabilities that obviously validate it once it's deployed?" he said. "Maybe that's where the recipes come into play -- how do we take care of all of the stack, all the way from left to right?"

John Deere's Kubalsky added that he'd like to see this guidance become a built-in part of AWS services, to be used at developers' discretion.

"Where we're headed is more prescriptive guidance from AWS, codified into the tools themselves, with knobs and dials that our teams can use to automate a truly resilient environment that meets the needs of the business and enables engineers to run quickly," he said.

Kubalsky said he'd also like to see a direct replacement for AERO, which AWS has discontinued. AWS users can put together their own replacements using services such as AWS Lambda, Step Functions or Systems Manager, as well as tools such as Security Hub Automated Response and Remediation (SHARR), Prescriptive Guidance for automated incident response, and the forensic framework. They can also work with AWS Professional Services or AWS IT consulting partners, but an AWS spokesperson did not say whether a direct AERO replacement is in the works. 

AWS officials did not respond to a request for comment on more holistic recipes for security, but Amazon CSO Steve Schmidt said during re:Inforce that more customers have been asking AWS for prescriptive security guidance.

Enterprise Strategy Group is a division of TechTarget.

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Dig Deeper on Systems automation and orchestration

Software Quality
App Architecture
Cloud Computing
Data Center