Modernizing compliance: Introducing Risk and Compliance as Code

Almost all publicly reported breaches in the cloud stem from misconfigurations, rather than from attacks that compromise underlying cloud infrastructure. Misconfigurations continue to be a source of security risk because most security and compliance practices play catchup - teams are involved later in the CI/CD process and misconfigurations are identified at runtime, instead of during the build process. Reliance on runtime security also creates friction between developers and security professionals because runtime tools, by their nature, are deployed at the end of the CI/CD process, and are therefore often seen as the final gate or blocker to production.

To prevent and address the risk of misconfigurations and compliance violations earlier in the development process, security leaders have started to embrace security as code to achieve the speed and agility of DevOps, reduce risk, and more securely create value in the cloud. 

"Being able to precisely model and then continuously monitor the adoption and correct operation of controls in any environment is essential. In the software defined environment (i.e., cloud-native workloads) this is not only possible but more importantly it's actually more easily achievable than other environments—and the more you do it the easier it becomes for continued monitoring." —Phil Venables, Chief Information Security Officer, Google Cloud.

Recognizing the need and opportunity to help customers prevent security misconfigurations and  automate cloud compliance, the Google Cybersecurity Action Team is thrilled to announce the launch of our Risk and Compliance as Code (RCaC) Solution. 

The RCaC solution stack enables compliance and security control automation through a combination of Google Cloud Products, Blueprints, Partner Integrations, workshops and services to simplify and accelerate time to value:

• Existing products such as Assured Workloads, Security Command Center (SCC), and Risk Manager. Assured Workloads helps you define secure configurations and controls as code in your cloud architecture via APIs which are also expressed in some of our blueprints. SCC allows you to monitor for security misconfigurations and compliance violations on a continuous basis.  Risk Manager gives you tools to leverage cyber insurance to deal with risks in the Google Cloud environment. 

• A core set of blueprints such as Secure Foundations, Anthos Security blueprints, workload specific blueprints such as PCI DSS on GKE, and FedRAMP aligned 3-tier workload that codify infrastructure and policies. Blueprints can help you rapidly configure cloud environments in a secure and compliant manner. 

• Partner integrations (such as Sysdig and others) with SCC to detect drift from blueprinted environments. These integrations expand the coverage beyond Google Cloud’s native controls to help deliver improved multi-cloud compliance and risk reduction.

• A policy library set mapped to common compliance frameworks such as NIST 800-53, PCI DSS, and ISO 27001 with preventative and detective controls that can be expressed as code. These policies communicate which controls can be codified from the above frameworks. 

• Whitepapers and workshops  for rapid security organization transformation and DevSecOps transformation. 

• Professional services and partner-led accelerator programs that enable organizations to pilot the solution. 

Operationalizing Risk and Compliance as Code

Through the RCaC solution, customers can introduce automation via IaC (Infrastructure as Code) and PaC (Policy as Code) in the form of blueprints. This lays the foundation of preventative controls. Additionally, customers can “shift-left” their security and compliance practices by evaluating IaC and PaC templates for security and compliance violations before they are used in a build.

The next level of maturity is detection as code which involves monitoring for (security and compliance) drifts and applying remediations when an out-of-compliance infrastructure is identified. This forms a continuous monitoring loop that helps prevent misconfigurations. Cloud-native tooling helps to operate this model at scale.

Three key benefits of Risk and Compliance as Code

With RCaC, our hope is to provide our customers with the necessary components to express security and compliance requirements as code and shift left, leading to 

• reduced risk and impact of misconfigurations

• a continued compliance and security monitoring environment that is based on automation and code.

• Encourage a shift in the culture where there is reduced friction between developers and security and compliance teams 

Our goal with RCaC is to reduce the audit burden and fatigue that is experienced by GRC professionals as they modernize their infrastructure and at the same time continue to meet their compliance obligations.

Implementing the Risk and Compliance as Code (RCaC) approach

Implementing RCaC requires a substantial policy, architectural, and cultural change for almost all organizations. It requires a change in mindset from compliance being a reactive or a check-box exercise vs. addressing it proactively. Our solution helps organizations progress through this transition.

For this reason, many have found it helpful to use the RCaC framework to classify workloads according to sensitivity and criticality to apply specific preventative controls based on workload risk and deployment type. Once this codification is realized, customers can leverage tools inside Security Command Center to continuously monitor for drift and non-compliance. Finally, customers can also build custom drift correction or leverage our Risk Protection Program with insurance providers to reduce security risk and gain access to an exclusive cyber insurance policy designed exclusively for Google Cloud customers. 

"Using blueprints to simplify meeting compliance standards is a real win for customers. Automation of the right configurations and controls as code helps reduce risk and accelerate cloud success. With tools like Sysdig Secure, Google Cloud customers can easily monitor for drift to make sure they remain secure and compliant over time, while also gaining runtime visibility," said Omer Azaria, Sysdig VP of Research and Development.

Furthermore, RCaC provides a model for future-state architecture and outlines key decisions necessary for various automation use cases. This approach also paves the path towards self-healing cloud native infrastructure and autonomic cloud security.  

To learn more about the solution, review the details at the website. For broader context, read the Google Cybersecurity Action Team paper “Assuring Compliance in the Cloud” and listen to our Google Cloud Security Podcast “Making Compliance Cloud-native” (episode 14). If you need the solution, request a briefing with Google Cloud Sales.