Compliance-as-Code for Cybersecurity Automation in Hybrid Cloud
Abstract
Automation of cybersecurity processes has become crucial with large scale deployment of sensitive workloads in regulated on-prem, private, and public cloud environments. Regulatory and standards bodies such as Payment Card Industry (PCI), Federal Financial Institutions Examination Council (FFIEC), International Organization for Standardization (ISO), and others govern the minimal set of cybersecurity controls that an organization must implement. To meet such requirements while maintaining business agility, organizations need to modernize from manual document based compliance management to automated processes for continuous compliance. This modernized process is called compliance-as-code. In this paper, we present an architecture for compliance-as-code based on a standardized framework. We identify several design choices and our rationale behind those. Specifically, we introduce a system for manipulating compliance information in a standardized manner and a data interchange protocol for inter-operable communication of compliance information. We demonstrate the scalability of our approach and briefly describe deployment and experimental results in real world settings.