Publication
CLOUD 2024
Conference paper

A Secure Framework for Continuous Compliance across Heterogeneous Policy Validation Points

Abstract

Regulated compliance has become a business liability given the constant changes to IT environments driven by the new Cloud normal, which enables daily upgrades, and by new programs and government executive bills related to cybersecurity. To keep pace with these changes, enterprises and auditor agencies have shifted from annual audits to continuous compliance. Critical enablers of continuous compliance are standardization and automation. To achieve standardization and automation we need to treat everything as code, from the compliance artifacts to the policies and their results. Currently, Compliance as Code (CaC) is used to represent compliance artifacts and processes, while Policy as Code (PaC) is employed to express the logic that validates the actual state of the systems in a regulated environment against the desired state. Although there is emerging technology for CaC and PaC, several challenges hinder the digitization of compliance towards continuous compliance. The first challenge is how to migrate from document-based operations, such as authoring compliance requirements or guidance in spreadsheets, to CaC. The second challenge arises from the disconnect between CaC and the existing PaC solutions, with their wide variety of native interfaces. Lastly, there is a concern about the reliability of the results generated by end-to-end automation when switching from human-in-the-loop oversight, which guarantees the integrity of the procedures and content, to PaC. To address these challenges, we have developed a GitOps-based secure pipeline framework that seamlessly integrates compliance authoring with CaC while ensuring the secure integration of CaC and PaC, protecting data integrity and preserving data traceability.
In this paper, we present the details of our compliance automation solution, which enables end-to-end automation of compliance processes while supporting integration with various Policy Validation Points (PVPs), and the evaluation of its reliability by testing risks such as unintentional modification of policies.
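The abstract names two properties the pipeline must provide when human oversight is replaced by automation: integrity of the policy artifacts handed from CaC to the PVPs, and detection of unintentional policy modification. The following is an added illustration of the basic check behind that claim, written for this page and not taken from the paper or its implementation: a signed manifest of policy-as-code artifacts is produced at the authoring stage and re-verified before the policies reach a validation point, so that a policy edited, removed or slipped in after authoring is reported by path. The policy file names, their Rego contents, the JSON control mapping and the HMAC key are all constructed for the example; the paper's actual artifact formats and signing mechanism are not described on this page.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts, standing in for files in a CaC/PaC Git repository.
# Neither the paths nor the policy text come from the paper.
POLICIES = {
    "policies/cis/1.1_password_length.rego":
        "package cis\ndefault allow = false\nallow { input.min_length >= 14 }\n",
    "policies/cis/1.2_mfa_required.rego":
        "package cis\ndefault allow = false\nallow { input.mfa_enabled }\n",
    "compliance/controls.json":
        json.dumps({"AC-7": ["policies/cis/1.2_mfa_required.rego"]}),
}

# Hypothetical key held by the authoring stage of the pipeline. A real pipeline
# would use an asymmetric signature or a KMS-backed key rather than a constant.
AUTHORING_KEY = b"hypothetical-authoring-stage-key"


def build_manifest(files):
    """Map each artifact path to the SHA-256 digest of its content, sorted by path."""
    return {path: hashlib.sha256(content.encode("utf-8")).hexdigest()
            for path, content in sorted(files.items())}


def canonical_bytes(manifest):
    """Canonical JSON encoding so the same manifest always produces the same tag."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_manifest(manifest, key):
    """HMAC-SHA256 tag over the canonical manifest, produced by the authoring stage."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_artifacts(files, manifest, tag, key):
    """Check the artifacts about to be sent to a PVP against the signed manifest.

    Returns (ok, findings). A manifest whose tag does not verify is rejected
    outright, since its digests cannot be trusted; otherwise every path that was
    modified, removed or added since authoring is reported.
    """
    findings = []
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        findings.append("manifest tag mismatch")
        return False, findings
    current = build_manifest(files)
    for path in sorted(set(manifest) | set(current)):
        if path not in current:
            findings.append(f"missing: {path}")
        elif path not in manifest:
            findings.append(f"unlisted: {path}")
        elif current[path] != manifest[path]:
            findings.append(f"modified: {path}")
    return not findings, findings


def simulate_unintended_edit(files):
    """Return a copy of the artifacts in which one policy threshold was weakened."""
    edited = dict(files)
    path = "policies/cis/1.1_password_length.rego"
    edited[path] = edited[path].replace(">= 14", ">= 8")
    return edited


if __name__ == "__main__":
    manifest = build_manifest(POLICIES)
    tag = sign_manifest(manifest, AUTHORING_KEY)
    print(verify_artifacts(POLICIES, manifest, tag, AUTHORING_KEY))
    print(verify_artifacts(simulate_unintended_edit(POLICIES), manifest, tag, AUTHORING_KEY))
```

The verification step belongs at the boundary between the CaC repository and each PVP adapter, so that a policy altered by a later pipeline stage is caught before it is evaluated rather than after its results have been recorded; the manifest plus tag also serves as the traceability record linking a validation result back to the exact artifact versions it was computed from.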
