Practical Cloud Native Compliance Automation with OSCAL Compass

Cloud presents many advantages to organisations in terms of flexibility, scalability and innovation. Unfortunately compliance has become more complex as standards and regulations are used by end consumers as a proxy for security of underlying platforms whose operations are opaque. Consequently platform providers have ever increasing compliance obligations. Compliance-as-code encompasses many activities such as automation of system configuration and general DevSecOps approaches. One perpetual challenge is how to provide machine readable workflows which span from standard to audit to allow automation in a way that scales. OSCAL-Compass, a CNCF sandbox project, provides tooling to manage both the compliance artefacts as code and link those artefacts to executable policies. This talk will provide practical introduction to using OSCAL compass to document and enforce compliance controls using two of its tools: Compliance Trestle and C2P (compliance2policy) in the context of Kubernetes clusters.