Yet rapid adoption of new DevOps and CI/CD processes and tools comes with the risk of outpacing compliance efforts that are still heavily reliant on manual processes.
Kyndryl is taking aim at modernizing compliance with a new managed services model called compliance security operations, or ComplianceSecOps for short. “This is part of our ModernOps initiative, and it brings people, processes, and technology [together] to create a new operating model relative to compliance security,” says Alam. “We take industry-leading technology, wrap our services layer around that, create work packages that define the day-to-day solution, and deliver through monitored managed services.”
As IT organizations shift workloads from traditional environments to a variety of cloud providers, they can experience reduced control of and visibility into their consumption of IT resources, which can create uncertainty about security and regulatory compliance. According to one report, just 55% of the surveyed cybersecurity professionals said their organizations conduct configuration or compliance vulnerability scans.[11]
Maintaining control while providing services speedily becomes more difficult as organizations move to hybrid multicloud environments. Numerous point solutions are available to help counteract the compliance drift, but they often don’t address the broader problems organizations are experiencing. For example, organizations typically manage their DevOps tool chains separately, with relatively few utilizing a platform for single-pane-of-glass management.[12]
ComplianceSecOps brings together people, processes, and technology to ensure that organizations can continue to fully exploit the potential of CI/CD and digital transformation while maintaining continuous security and compliance through autodiscovery, monitoring, testing, alerting, and remediation support. This entails a new operating model that spans crucial areas:
1. Cloud security posture management. Organizations need to be able to monitor the full IT environment to ensure compliance with security best practices and regulatory mandates across all cloud programs, apps, files, data, and users. IT must also be able to accommodate new regulations and standards as well as changes to already existing ones to protect mission-critical applications and workloads in the cloud.
2. Zero-trust cybersecurity framework. With a “never trust, always verify” mindset, strategy, and architecture underpinned by governance across identity, device, network, apps, and data, zero trust requires all users to be authenticated, authorized, and continuously validated for security before and during access to applications, data, and systems. The zero-trust framework integrates multiple visibility points; automates detection and response; and makes risk-aware access decisions to ensure protection of critical applications, data, and systems and reduction of the attack surface.
3. Microsegmentation. Originally conceived as a methodology for segmenting networks to prevent unauthorized access to critical data, microsegmentation has evolved to embrace how workloads and applications share data in a zero-trust framework.
4. Cloud-native application protection. Organizations need a platform approach to ensure end-to-end cloud security compliance across deployed containers, virtual machines, and public clouds. With organizations increasingly utilizing infrastructure as code (IaC) to provision assets, it is critically important to automate routine security checks and employ predeployment scanning of IaC and container images.
5. Governance. The ability to tie in data from all monitored areas and present it in an easy-to-consume format makes it easier for administrators to monitor current conditions, proactively respond to risk, and manage regulatory compliance and reporting.
ComplianceSecOps eliminates the guesswork from security and regulatory compliance by combining vulnerability and configuration scanning, automated testing of policies and rules, risk analytics, and risk prioritization. “It’s an end-to-end solution that encompasses the network, the application cloud workload, governance, risk management, and compliance,” Alam says. “We have one client in insurance that has 200 people who do nothing but create GRC reports and audit artifacts. They want to reduce the amount of the manual processes that have driven up their cost of compliance.”