Using compliance-as-code to keep up with government-led regulations

Claire McDyre, product manager at Puppet by Perforce, explains how technology can help the IT department keep up with security and compliance while balancing limited budgets and teams.

Posted 9 August 2023 by Christine Horton

Compliance-as-code is a fast-growing area of IT infrastructure management, particularly around security and privacy, and has the potential to not only reduce risk but also mitigate the volume of manual work that usually accompanies keeping abreast of regulatory mandates. This is relevant to government departments with compliance requirements, as well as private organisations that must comply with government-led regulations.

Regulations and cybersecurity risks are rising in parallel, and compliance requirements are increasingly becoming a necessary area of focus for IT departments. However, in many instances, this focus is not translating into actions. Even after they acknowledge their role, it can be hard for ITOps teams to figure out where or when to start, especially if they are already overloaded fire-fighting other priorities.

In addition, audit work can be overwhelming, in fact more so than ever, due to shortages of skilled individuals, frequent turnover, and excessive workloads. Yet, the need to focus on creating clean audit material has never been higher, given the increasing volume of multiple regulations and the rising costs of external audits. A 2021 Gartner survey showed that 62 percent of organisations expected external audit fees to increase during that year.

Taking away the labour burden

Compliance-as-code takes a programmatic approach, ensuring that IT infrastructure is always up to date with the latest compliance policies without the need for human intervention. By automating infrastructure compliance verification and remediation, the labour burden associated with these activities is reduced, while at the same time reducing dependency on audit and security teams. Consequently, audits can be performed with greater frequency, allowing micro-adjustments to settings that experience drift. Also, taking much of the human effort out of the process improves the accuracy of evidence, which — since it is being constantly collected — makes it simpler and faster to respond to audit requests.

Compliance-as-code is repeatable and scalable. Using this approach, even large estates can constantly check and course-correct IT infrastructure and avoid non-compliance. And non-compliance means elevated risk and costs: a Ponemon study sponsored by Globalscape places the average annual cost of non-compliance at $14.82 million. Of course, changes to both servers and baselines are inevitable, and the chances are that, unless the environment is continually verified and adjusted, it will quickly fall out of compliance.

Core components

Three core components of compliance-as-code are: defining compliance policies as written computer code, the inclusion of compliance checks into every step of the software delivery lifecycle, and implementing model-driven automation to prevent configuration drift. Examining each of these in turn, most infrastructure requirements of a compliance policy can be turned into code, for example, minimum password length or firewall configuration. This, in turn, is called policy-as-code and effectively automates traditionally manual steps, such as testing, remediation and enforcement.

Integrating compliance checks into the software delivery lifecycle is the second and vital step since IT compliance is often viewed as a barrier to rapid software deployment. Even though DevOps and continuous integration/continuous delivery (CI/CD) have improved software agility, compliance checks tend to take place towards the end of development, involving various manual tasks. Consequently, should a violation be detected, this leads to rework and hence a delay. Plus, finding and fixing problems later in the development process typically costs more than those addressed earlier.

Instead, compliance-as-code brings checks into the initial design phase, and by running scans in development and test environments, issues are exposed sooner: it is much easier to work with a known requirement rather than re-architecting finished software. Imagine constructing a whole house and finding that the foundation does not comply with building regulations.

Model-driven automation

Next, model-driven automation eliminates configuration risk, helping to remove compliance chaos by using technology to enforce policy so that systems are always in what is known as their ‘desired state’. With model-driven automation, discrepancies are detected and remediated, even on a vast, complex, diverse scale. For instance, with a mix of hundreds of Windows and Red Hat Linux servers, with each operating system (and even OS version) needing to conform to a set of regulatory requirements, it quickly becomes a very unwieldy environment to manage.

Model-driven automation overcomes this challenge by applying policy requirements at the server level. When future adjustments are needed, the code is simply deployed instead of someone having to touch every machine manually (both virtual and physical). As a result, IT teams can be confident that they are meeting compliance requirements without the soul-destroying hours of toil that would otherwise be incurred, the disruption that a significant issue or oversight can create, and the knee-jerk response that often accompanies an infrequent security scan. Finally, when audit time comes, the burden of generating evidence of compliance is significantly reduced, avoiding yet another common headache for the IT department.
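The three components described above (policy written as code, a check that can gate a delivery pipeline, and a desired-state model that detects and remediates drift while collecting evidence) can be shown together in one small engine. The following is an added illustration written for this article, not Puppet's code or any product's API; the hosts, setting names (PASS_MIN_LEN, PASS_MAX_DAYS, ssh_port_open_to_world), policy identifiers and thresholds are constructed sample data standing in for what an agent would read from a real system.

```python
"""Minimal compliance-as-code engine (added example; hosts and policies are constructed)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple
import json

# Constructed "current state" of two hosts, standing in for values an agent would
# read from /etc/login.defs and the host firewall. web01 has drifted; db01 is compliant.
SAMPLE_FLEET: Dict[str, Dict[str, Any]] = {
    "web01": {"PASS_MIN_LEN": 8, "PASS_MAX_DAYS": 90, "ssh_port_open_to_world": True},
    "db01": {"PASS_MIN_LEN": 14, "PASS_MAX_DAYS": 60, "ssh_port_open_to_world": False},
}


@dataclass(frozen=True)
class Policy:
    """One requirement from the compliance document, expressed as code."""
    id: str                                   # hypothetical control identifier
    key: str                                  # setting the control governs
    desired: Any                              # value the desired-state model declares
    check: Callable[[Any, Any], bool]         # predicate: is `current` acceptable?
    remediate: bool = True                    # may the engine enforce `desired`?


# Policy-as-code: each line is a requirement that used to live in a spreadsheet.
POLICIES: List[Policy] = [
    Policy("PWD-01", "PASS_MIN_LEN", 14, lambda cur, want: cur >= want),
    Policy("PWD-02", "PASS_MAX_DAYS", 90, lambda cur, want: cur <= want),
    Policy("FW-01", "ssh_port_open_to_world", False, lambda cur, want: cur == want),
]


def _is_compliant(policy: Policy, current: Any) -> bool:
    # A missing setting is never compliant; it also keeps the predicate from seeing None.
    return current is not None and policy.check(current, policy.desired)


def evaluate(state: Dict[str, Any], policies: List[Policy] = POLICIES) -> List[Tuple[str, bool, Any]]:
    """Read-only scan of one host: (policy id, compliant?, current value) per policy."""
    return [(p.id, _is_compliant(p, state.get(p.key)), state.get(p.key)) for p in policies]


def ci_gate(state: Dict[str, Any], policies: List[Policy] = POLICIES) -> int:
    """Exit code for a pipeline step: 0 when every policy passes, 1 to fail the build early."""
    return 0 if all(ok for _, ok, _ in evaluate(state, policies)) else 1


def enforce(state: Dict[str, Any], policies: List[Policy] = POLICIES):
    """Converge one host on the desired-state model; return (new state, evidence records)."""
    new_state = dict(state)
    evidence = []
    for p in policies:
        before = new_state.get(p.key)
        ok_before = _is_compliant(p, before)
        if not ok_before and p.remediate:
            new_state[p.key] = p.desired        # the remediation step, applied only on drift
        after = new_state.get(p.key)
        # Evidence is collected on every run, so audit answers come from the log, not a scramble.
        evidence.append({
            "policy": p.id, "key": p.key, "before": before, "after": after,
            "compliant_before": ok_before, "compliant_after": _is_compliant(p, after),
        })
    return new_state, evidence


def fleet_run(fleet: Dict[str, Dict[str, Any]], policies: List[Policy] = POLICIES):
    """Apply the same model to every host; the caller never touches a machine by hand."""
    return {host: dict(zip(("state", "evidence"), enforce(state, policies)))
            for host, state in fleet.items()}


def drifted_hosts(results) -> List[str]:
    """Hosts that were out of compliance at the start of the run."""
    return sorted(h for h, r in results.items()
                  if any(not e["compliant_before"] for e in r["evidence"]))


if __name__ == "__main__":
    run = fleet_run(SAMPLE_FLEET)
    print("drifted:", drifted_hosts(run))
    print(json.dumps({h: r["evidence"] for h, r in run.items()}, indent=2))
```

Running the engine twice is the property to look for: the first pass remediates web01 and records the before/after values, and a second pass over the converged state reports no drift and changes nothing, which is what lets the same code run every few minutes across a large estate without causing churn.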

The volume of regulatory requirements shows no sign of slowing down. Already, apart from the GDPR, there is also the recently revised Network and Information Systems Directive (NIS2), the Digital Operational Resilience Act (DORA), and for organisations wishing to work with specific government departments, the UK Cyber Essentials. Europe has the EU Cybersecurity Strategy and EU Cybersecurity Act. Simultaneously, cybercrime is increasing in both frequency and sophistication, so privacy and security must be prioritised across every part of an organisation, including its technology infrastructure. Now is the time for IT departments to take a greater role in compliance, and — with compliance-as-code — this can be achieved efficiently and with minimum impact on team workload.