• Talk
  • 2024
  • Past event

Compliance As Code: shift-left and shift-right approach in a Cloud world

  • Language
    English

Topics:

  • Automation

Abstract

Maintaining compliance in a Cloud world requires a new approach that balances agility and safety. Just as we use infrastructure-as-code for infrastructure automation and CI/CD for application lifecycle management, our DevSecOps teams should adopt compliance-as-code, especially in a cloud world. We can introduce compliance-as-code on the left side of the DevOps lifecycle, on the right side, or both. Working on the left side, we can detect issues very early in the process, but our tests are limited in scope and tied more closely to a specific workload. On the right side, we can detect and remediate issues that would be difficult to anticipate during the build phase, and we can assess resources against requirements defined at a higher level, but the improvement requires more effort. On the left side, we can leverage general-purpose tools such as OPA (Open Policy Agent), an open-source engine incubated in the CNCF. On the right side, it's better to leverage services provided by the Cloud provider, such as AWS Config.
