Managing regulatory compliance in DevOps World
Anurag Shrivastava, DevOps Transformation Leader, NN Group
Posted on 22-May-2020

Page 1: Security and Compliance in DevOPS WorLD - DevOn Summit · compliance in DevOps World Anurag Shrivastava DevOps Transformation Leader. NN Group. 1. ... 16. TREACHROUS 12: CLOUD VULNERABILITIES

Managing regulatory compliance in DevOps World

Anurag Shrivastava, DevOps Transformation Leader, NN Group

1

Page 2

ABOUT ME

https://www.linkedin.com/in/anurag2201/

2

Page 3

WHAT IS COMPLIANCE?

1. Level 1 - compliance with the external rules and laws that are imposed upon an organisation as a whole

2. Level 2 - compliance with internal systems of control that are imposed to achieve compliance with the externally imposed rules.

Source: https://www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/

4

Page 4

WHAT IS REGULATION?

The term ‘regulation’ generally refers to a set of binding rules issued by a private or public body with the necessary authority to supervise compliance with them and apply sanctions in response to violation of them.

Source: https://www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/

5

Page 5

THE CORE OBJECTIVES OF REGULATION

1. The protection of investors/consumers

2. Ensuring that the markets are fair, efficient and transparent

3. The reduction of systemic risk

4. The reduction of financial crime

5. The maintenance of consumer confidence in the financial system

6

Page 6

REGULATIONS ARE HEADACHES

8

Page 7

WHAT IS DEVOPS

1. Flow

2. Feedback

3. Experimentation

Source: https://blog.amplexor.com/enterprisecontent/en/devops-and-why-it-should-matter-when-selecting-your-technology-partner

9

Page 8

DEVOPS

10

Page 9

WHY??

Security matters because security affects the bottom line. It's about sales, support and acquisition.

Hacks and security breaches lead to negative press, and customers need to know their information is safe with you if they are to be customers at all.

Failed security compliance means fines, imprisonment and bad publicity.

11

Page 10

COMPLIANCE IN THE EYES OF DEVOPS TEAM

12

Page 11

DEVOPS TEAM IN THE EYES OF COMPLIANCE OFFICER

13

Page 12

TO ERR IS HUMAN – ENGINEERS ARE HUMANS TOO. FOR EXAMPLE:

1. It's too easy to ship bad code, and then bad things happen.

2. It's easy to forget about back-up and restore when under pressure.

3. It's easy to forget to encrypt data in transit.

4. It's easy to push an incomplete deployment package into production.

5. It's easy to skip periodic DR tests.

14

Page 13

PROMISE OF DEVOPS

Speed of Delivery: CD

Eliminate Waste: YAGNI

Fast feedback for Business: MVP

15

Page 14

DEVOPS IS ABOUT RELEASING CODE IN PRODUCTION SEVERAL TIMES PER DAY

Compliance should not be a blocker

16

Page 15

TREACHEROUS 12: CLOUD VULNERABILITIES

1. Data Breaches

2. Weak Identity, Credential and Access Management

3. Insecure APIs

4. System and Application Vulnerabilities

5. Account Hijacking

6. Malicious Insiders

7. Advanced Persistent Threats (APTs)

8. Data Loss

9. Insufficient Due Diligence

10. Abuse and Nefarious Use of Cloud Services

11. Denial of Service

12. Shared Technology Issues

Source: https://www.welivesecurity.com/2015/04/28/curious-case-ex-hacker-banned-internet/

17

Page 16

WHERE DOES COMPLIANCE FIT?

NFR (Non-Functional Requirements) & Compliance

• Availability (e.g. 24x7x365)

• Capacity (planned)

• Compliance (legal and/or regulatory)

• Efficiency (resource consumption)

• Interoperability (inter-system data exchanges)

• Performance (response time)

• Portability (cross-system functionality)

• Resource usage (processor, memory, disk space, network bandwidth, etc.)

• Scalability (user count and data volume growth)

• Security (e.g. login, encryption)

18

Page 17

We can realize the promise of DevOps and stay compliant.

We must be compliant & we need DevOps.

19

Page 18

COMPLIANCE, RISK & SECURITY IN THE DEVOPS WAY

1. Shift Left

2. Democratise the Compliance

3. Compliance as Code

4. Prefer Automation

5. Segregation of Duties

6. Training and Education

7. Definition of Done

20

Page 19

SHIFT LEFT

Picture Source: https://www.gocd.org/2017/03/01/importance-and-principles-of-cd-pipelines.html

21

Page 20

SHIFT LEFT

1. Think about compliance in the early sprints when architecture decisions are made

2. Consider compliance needs during user story refinement sessions

3. Think about compliance in the user acceptance criteria of user stories

4. Think about compliance user stories

22

Page 21

DEMOCRATIZE THE COMPLIANCE

Picture Source: http://kimedia.blogspot.nl/2014/08/democracy-from-past-to-future-extract.html

23

Page 22

DEMOCRATIZE THE COMPLIANCE

1. Often compliance is proven on ugly Excel sheets which nobody likes to maintain

2. Compliance officers are limited in number and service a large number of teams

3. Have simple tools which everyone can use

4. Tools should be web-based or app-based, requiring minimum training

5. Tools should have a workflow to enable easy tracking and tracing of requests

6. Tools should have an API to integrate with the CI/CD pipeline

Picture Source: http://kimedia.blogspot.nl/2014/08/democracy-from-past-to-future-extract.html

24

Page 23

COMPLIANCE AS CODE

25

Page 24

COMPLIANCE AS CODE

1. Moving away from manual inspections and sign-offs to automated evidence

2. Infrastructure as Code

3. VM, middleware and database built using a zero-touch CD pipeline

4. Prove compliance using automated tools

5. Code is always version controlled and modified using the four-eye principle

26

Page 25

PREFER AUTOMATION

27

Page 26

PREFER AUTOMATION

1. Identify compliance integration points in your deployment pipeline

2. Integrate the various compliance tools into your deployment pipeline using their APIs

3. The deployment pipeline workflow decides whether a change is compliant before it goes into production

4. Initially the decision points can be manual actions, but aim for more and more automation

5. Use the deployment pipeline logs as the evidence.
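The "Compliance as Code" and "Prefer Automation" slides describe the same mechanism from two sides: controls are written down as code, the pipeline evaluates them at a decision point before production, and the pipeline's own log is the audit evidence. The following is an added example of such a gate, not code from the talk or from NN Group; the control names, the fields of the change record and the two sample changes are all constructed for illustration. It evaluates four controls that the deck itself names (four-eye review, a clean vulnerability scan, an unchanged artifact digest, and product-owner approval), blocks the change if any fails, and appends one JSON line per control to an append-only evidence file so an auditor can reconstruct every decision.

```python
"""Pipeline compliance gate: evaluates a change against codified controls
and records every decision as structured evidence.

Added example, not from the talk. Control names, the Change fields and
the sample changes below are constructed for illustration."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Change:
    change_id: str
    commit: str
    author: str
    reviewers: list            # people who approved the merge request
    scan_critical_findings: int
    build_digest: str          # digest recorded by the build stage
    deploy_digest: str         # digest of what the deploy stage is about to ship
    approved_by_po: bool       # product owner / asset owner approval recorded


# Each control is a small pure function returning (passed, detail), so the
# evidence line explains itself without consulting the code.
def four_eye_review(c: Change):
    others = [r for r in c.reviewers if r != c.author]
    return len(others) >= 1, f"non-author reviewers: {others}"


def vuln_scan_clean(c: Change):
    return c.scan_critical_findings == 0, f"critical findings: {c.scan_critical_findings}"


def artifact_immutable(c: Change):
    return c.build_digest == c.deploy_digest, "build digest equals deploy digest"


def po_approval(c: Change):
    return c.approved_by_po, "product owner approval recorded"


CONTROLS = {
    "four-eye-review": four_eye_review,
    "vuln-scan-clean": vuln_scan_clean,
    "artifact-immutable": artifact_immutable,
    "po-approval": po_approval,
}


def evaluate(change: Change, controls=CONTROLS):
    """Run every control and return (decision, evidence records).

    The decision is ALLOW only if all controls pass; every control is still
    run so the evidence shows the full picture, not just the first failure."""
    records = []
    for name, check in controls.items():
        passed, detail = check(change)
        records.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "change_id": change.change_id,
            "commit": change.commit,
            "control": name,
            "result": "PASS" if passed else "FAIL",
            "detail": detail,
        })
    decision = "ALLOW" if all(r["result"] == "PASS" for r in records) else "BLOCK"
    return decision, records


def write_evidence(records, path="compliance-evidence.jsonl"):
    """Append one JSON object per line: an append-only log auditors can grep."""
    with open(path, "a", encoding="utf-8") as fh:
        for r in records:
            fh.write(json.dumps(r) + "\n")


# Constructed sample changes: one clean, one self-reviewed with a digest mismatch.
SAMPLE_OK = Change("CHG-1", "abc123", "alice", ["bob"], 0, "sha256:aa", "sha256:aa", True)
SAMPLE_BAD = Change("CHG-2", "def456", "alice", ["alice"], 0, "sha256:aa", "sha256:bb", True)

if __name__ == "__main__":
    for ch in (SAMPLE_OK, SAMPLE_BAD):
        decision, recs = evaluate(ch)
        write_evidence(recs)
        print(ch.change_id, decision)
```

Running the module prints `CHG-1 ALLOW` and `CHG-2 BLOCK` and leaves eight evidence lines in `compliance-evidence.jsonl`. In a real pipeline the `Change` fields would be filled from the merge-request API, the scanner's report and the build metadata rather than constructed by hand, which is exactly the "integrate via APIs" step the slide describes.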

28

Page 27

SEGREGATION OF DUTIES

29

Page 28

SEGREGATION OF DUTIES

1. Segregation of duties but not segregation of engineers

2. People in the development role get limited read access to production logs

3. Operations people get limited read-only access to source code repos

4. All commits in the source code repository have gone through a peer review process enforced by a tool

5. Deployable artifacts, once created, cannot be tampered with further in the process

6. Operations involved in the sprint planning process

7. Deployments to production must be approved by the Asset Owner or the PO
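Point 5 above (an artifact, once built, cannot be tampered with later in the process) is the control that makes segregation of duties hold in a pipeline: whoever can edit the deploy step must not be able to change what gets deployed. The following is an added example, not code from the talk or from NN Group, of one way to make that tamper-evident: the build stage hashes the artifact and seals a small manifest with an HMAC key that only the build system holds, and the deploy stage recomputes both before shipping. The key, file name, commit id and artifact bytes are constructed placeholders; a real pipeline would keep the key in a secrets manager and could use a signing service instead of HMAC.

```python
"""Tamper-evident artifact manifest for a deployment pipeline.

Added example, not from the talk. BUILD_KEY, the artifact bytes and the
commit id are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed demo key: in practice held only by the build system, in a secrets manager.
BUILD_KEY = b"constructed-demo-key-replace-with-a-managed-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Fixed key order and separators so build and deploy hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(artifact: bytes, name: str, commit: str, key: bytes = BUILD_KEY) -> dict:
    """Build stage: record what was built and seal the record with an HMAC."""
    body = {"artifact": name, "commit": commit, "sha256": sha256_hex(artifact)}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_manifest(manifest: dict, artifact: bytes, key: bytes = BUILD_KEY) -> tuple:
    """Deploy stage: refuse to ship unless both the manifest and the bytes check out.

    Returns (ok, reason). The MAC is checked first so that an edited manifest
    cannot simply carry a digest matching a substituted artifact."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False, "manifest MAC mismatch: manifest edited or sealed with another key"
    if sha256_hex(artifact) != manifest["sha256"]:
        return False, "artifact digest mismatch: bytes changed after build"
    return True, "artifact matches sealed manifest"


# Constructed artifact and the manifest the build stage would attach to it.
BUILT = b"constructed-jar-bytes-v1"
MANIFEST = seal_manifest(BUILT, "app.jar", "abc123")

if __name__ == "__main__":
    print(verify_manifest(MANIFEST, BUILT))
    # Artifact swapped after build: digest no longer matches.
    print(verify_manifest(MANIFEST, BUILT + b"x"))
    # Manifest edited to cover the swap: MAC no longer matches.
    edited = {**MANIFEST, "sha256": sha256_hex(BUILT + b"x")}
    print(verify_manifest(edited, BUILT + b"x"))
```

The three cases printed by the module are the ones a segregation-of-duties review cares about: the unchanged artifact passes, a swapped artifact fails on its digest, and a swapped artifact with a matching but re-edited manifest fails on the MAC because the deploy role does not hold the build key. The verification result belongs in the pipeline log alongside the other evidence.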

30

Page 29

TRAINING AND EDUCATION

1. New tools require education and practice

2. Broadening of individual skills in unwanted dimensions:

   Compliance officers learn to read code and logs

   Developers learn to do IT security risk assessment

31

Page 30

DEFINITION OF DONE – SCRUM GUIDE

1. If the definition of "Done" for an increment is part of the conventions, standards or guidelines of the development organization, all Scrum Teams must follow it as a minimum.

2. If "Done" for an increment is not a convention of the development organization, the Development Team of the Scrum Team must define a definition of "Done" appropriate for the product.

32

Page 31

GLOBAL DOD FOR ORGANIZATION

Global DoD contains three kinds of checks:

1. Periodic checks, such as a network vulnerability scan

2. Definition of Done, such as test coverage

3. Definition of Shippable (undone work), such as the CMDB being filled correctly

Global DoD covers:

1. KCT-Sox controls

2. Enterprise Architecture requirements

3. Engineering checks

4. Change Management and SLA

33

Page 32

GLOBAL DOD

1. Good starting point for DevOps teams

2. Pre-agreed with the ORM and CAS departments

3. Any deletions must be pre-agreed

4. Any additions are permitted as long as they are non-conflicting

5. As the team matures in CI/CD: DoD, DoS

34

Page 33

GDOD – RESPONSIBILITY & ACCOUNTABILITY

Who verifies the adherence of the releases to the GDOD?

The DevOps team verifies adherence to the GDOD for each sprint and release. The accountability to ensure adherence lies with the IT manager.

Who is responsible for GDOD compliance evidence?

The DevOps team is responsible, and the IT manager of the team is accountable. The DevOps team is responsible for writing and executing tests, and for archiving the logs as evidence.

35

Page 34

COMPLIANCE AND DEVOPS

1. DevOps has marginal benefits if your compliance suffers because of it

2. Compliance should be more accessible to IT

3. Automation and shift left are the key to flow and feedback

4. Compliance officers are more open to adapting and learning than a typical IT person would expect

36

Page 35

ANURAG SHRIVASTAVA

Ask me anything about Agile, DevOps and Software Development

https://www.linkedin.com/in/anurag2201/

37