Chapter 7. Compliance as Code

Compliance is a key concern for security functions across the world, as businesses need to operate within certain regulatory frameworks or are looking to enforce industry best practices as a standard.

With the speed of modern technical delivery, and the possibilities the cloud unlocks, compliance has become both harder and easier at the same time. This is the paradox at the heart of cloud native security. The velocity of change presents new challenges, which drive a transformation that leads to a new continuous reality. Rather than auditing applications and systems on a rolling schedule, you build a continuous understanding of compliance that moves at the speed of cloud. This new speed also allows compliance gaps to be resolved within unprecedented time frames.

To make significant, enduring progress with compliance, you need to be equipped for the following three key activities:

  • You need to be able to detect noncompliant infrastructure. If you cannot see the scope and scale of the problem, you cannot hope to make progress in the right direction.

  • You need to be able to prevent noncompliant infrastructure. The ability to stop the rot is critical; otherwise, all the effort invested merely gets eroded over time.

  • You need to be able to remediate noncompliant infrastructure. This last step is the most complex of the three, as you will often need to transparently communicate and plan changes with business users, as all change comes with a potential ...
