
Security policies and compliance requirements are typically blockers to innovation and streamlined production. Adam Markowitz at Drata examines what ‘shift left’ means in practice when it comes to compliance
Although compliance can be a burden, automated control monitoring and evidence collection can ensure compliance from code to production. Think of it as Grammarly for compliance: just as Grammarly guides writing, a shift left approach guides development, speeding compliance processes five-fold.
Security policies and compliance requirements can often act as obstacles to innovation and streamlined production, with DevOps, GRC, and software engineering teams trapped in a reactive cycle, scrambling to address compliance irregularities usually after a code or cloud configuration change has been deployed to production.
This issue is exacerbated by the fact that, as companies grow, businesses are unknowingly introducing new compliance gaps every day.
For many DevSecOps and GRC teams, compliance has become an endless cycle of fixing issues and unfortunately just reintroducing them as they try to remain compliant with relevant industry guidelines and regulatory frameworks. But there is another way, and that’s the use of automation to address compliance earlier in the software development lifecycle (SDLC) - in other words, shift left.
Shift left compliance enables this transformation, empowering DevSecOps, GRC, and software engineering teams to identify and remediate potential compliance violations during the code development process.
A shift left approach is not new. The practice of shifting left dates to 2001, when Larry Smith coined the term ‘shift left testing’ in Dr. Dobb's Journal. Its value in detecting and mitigating threats as early as possible, including attacks that target development tools and cloud applications, has led the DevOps community to value this approach highly.
Adopting the shift left approach for regulatory compliance gives DevOps teams the ability to test code automatically as it is being written.
It also enables developers and engineers to learn best practices by reviewing risk alerts mapped directly onto frameworks and policies. These alerts give GRC teams a human component in the remediation loop, ensuring fast and accurate resolution. Thus, what might have taken hundreds of hours of manual intervention and review has been reduced to mere minutes through continuous monitoring, notification, and remediation.
A shift left compliance approach should constantly scan for cloud infrastructure risks specific to frameworks and regulations such as SOC 2, ISO 27001, and GDPR, among many others. When automated compliance is built in from the ground up, it becomes a top priority rather than a bolted-on afterthought.
That means organisations get the relevant context on how specific infrastructure as code changes might introduce risks and affect their security and compliance posture, helping developers make improved compliance-related decisions.
Significantly, this built-in, guided approach makes shifting left effortless, despite the inherent culture changes involved. Instead of blockers, slowdowns and tension, GRC teams can enjoy an automated system that provides control-based guardrails based on utterly transparent reasoning.
As well as contextualising compliance risks in pre-production, a shift left compliance approach also aligns with the idea of continuous compliance, helping improve visibility significantly. This means that businesses have real-time access to their risk and compliance posture via automated tests and evidence gathering. By detecting non-compliance threats before code goes into production, the impact and likelihood of any compliance violation is minimised.
When a compliance gap is detected, organisations can address it immediately – even automatically. Because developers receive feedback during the development process, they can rectify issues quickly and minimise the chances of cyclical gaps persisting over time.
The shift left compliance approach also ensures that policies are consistently applied across different environments, such as development, staging, and production. This consistency reduces the risk of gaps arising due to any possible variations between environments.
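To make the two ideas above concrete, here is an added example (not code from the article or from Drata) of a pre-deployment check that evaluates infrastructure-as-code changes against a small rule set, attaches framework references and remediation guidance to each finding, and applies the same rules to every environment so that gaps caused by variation between staging and production surface immediately. The resource records are a constructed, simplified stand-in for a Terraform plan, and the SOC 2 and ISO 27001 references on each rule are an illustrative mapping that a GRC team would confirm against its own control matrix.

```python
"""Illustrative shift-left compliance check over infrastructure-as-code.

Added example, not code from the article or from Drata. The resource records
below are a constructed, simplified stand-in for a Terraform plan, and the
control references on each rule are an illustrative mapping that a GRC team
would confirm against its own control matrix.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample: the same service described for two environments.
ENVIRONMENTS: Dict[str, List[dict]] = {
    "staging": [
        {"type": "aws_s3_bucket", "name": "logs", "encryption": "AES256", "public": False},
        {"type": "aws_security_group", "name": "bastion",
         "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "production": [
        {"type": "aws_s3_bucket", "name": "logs", "encryption": None, "public": False},
        {"type": "aws_s3_bucket", "name": "assets", "encryption": "AES256", "public": True},
        {"type": "aws_security_group", "name": "bastion",
         "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    resource_type: str
    violated: Callable[[dict], bool]   # True when the resource breaks the rule
    controls: Tuple[str, ...]          # illustrative framework references
    remediation: str                   # guidance shown to the developer


@dataclass(frozen=True)
class Finding:
    env: str
    resource: str
    rule_id: str
    controls: Tuple[str, ...]
    remediation: str


RULES: List[Rule] = [
    Rule("S3_ENCRYPTION_AT_REST", "aws_s3_bucket",
         lambda r: r.get("encryption") is None,
         ("SOC 2 CC6.1", "ISO 27001:2022 A.8.24"),
         "enable server-side encryption on the bucket"),
    Rule("S3_NO_PUBLIC_ACCESS", "aws_s3_bucket",
         lambda r: r.get("public") is True,
         ("SOC 2 CC6.1", "ISO 27001:2022 A.8.3"),
         "block public access and serve content through a CDN or signed URLs"),
    Rule("SG_NO_WORLD_SSH", "aws_security_group",
         lambda r: any(i.get("port") == 22 and i.get("cidr") == "0.0.0.0/0"
                       for i in r.get("ingress", [])),
         ("SOC 2 CC6.6", "ISO 27001:2022 A.8.20"),
         "restrict port 22 to the corporate CIDR or a bastion/VPN range"),
]


def evaluate(env: str, resources: List[dict]) -> List[Finding]:
    """Run every rule against every resource of the matching type."""
    return [
        Finding(env, f'{r["type"]}.{r["name"]}', rule.rule_id, rule.controls, rule.remediation)
        for r in resources
        for rule in RULES
        if rule.resource_type == r["type"] and rule.violated(r)
    ]


def evaluate_all(envs: Dict[str, List[dict]]) -> Dict[str, List[Finding]]:
    """Apply one rule set to every environment so policy is applied consistently."""
    return {env: evaluate(env, res) for env, res in envs.items()}


def inconsistent_rules(results: Dict[str, List[Finding]]) -> set:
    """Rules that fail in some environments but not others: exactly the gaps
    that arise from variation between environments."""
    per_env = {env: {f.rule_id for f in fs} for env, fs in results.items()}
    failing_somewhere = set().union(*per_env.values())
    return {rid for rid in failing_somewhere if not all(rid in s for s in per_env.values())}


def gate(findings: List[Finding]) -> bool:
    """Pipeline gate: True means the change may proceed to deployment."""
    return not findings


if __name__ == "__main__":
    results = evaluate_all(ENVIRONMENTS)
    for env, findings in results.items():
        print(f"{env}: {'PASS' if gate(findings) else 'BLOCKED'}")
        for f in findings:
            print(f"  {f.resource} violates {f.rule_id} -> {', '.join(f.controls)}; fix: {f.remediation}")
    print("rules failing in only some environments:", sorted(inconsistent_rules(results)))
```

Run as a pipeline step, the gate blocks the production change while staging passes, and the developer sees each finding with the control it maps to and how to fix it; the inconsistency report shows that the same rule set passes in one environment and fails in another, which is the kind of drift the article says a consistent policy should prevent.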
Traditionally, security engineers would act as the middleman. GRC teams would identify a failed check or control issue and bring it to the security team to get a fix. The security team would then work with the DevOps team to implement the solution.
This shift left approach to compliance, however, begins with the DevOps team getting an alert and only relying on the security team if additional advice or support is required. This empowers GRC and DevOps teams to collaborate and resolve issues faster, and in real time. That means fewer blocks and happier teams all around.
This approach plays a crucial role in breaking down infrastructure and compliance silos by integrating compliance practices directly into the SDLC. By codifying infrastructure and policies, teams can ensure that compliance standards are consistently applied across different environments. Compliance is integrated from the outset so there is reduced demand for manual audits.
Ultimately, collaboration between development, security, and compliance teams becomes essential. Silos are broken down as everyone works toward common goals, bridging the gap between infrastructure and compliance functions.
A shift left compliance approach sets out a bold roadmap for the future. It is a powerful method that boosts resilience and adaptability by enabling organisations to adjust to new regulations, industry standards, and internal policies. By embedding compliance checks and automated remediation capabilities directly into the production process, issues can be swiftly resolved without disrupting workflows.
That makes this new consistent and efficient approach to compliance a game changer for companies of all sizes. An integrated, automated way of handling critical compliance demands is needed, streamlining internal resources and speeding resolution five-fold. A shift left compliance approach is the road forward.
Adam Markowitz is CEO and Co-Founder of Drata
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543