Community
PCI DSS, GDPR, Sarbanes-Oxley, the EU Cybersecurity Strategy and Cybersecurity Act, the recently revised Network and Information Systems Directive (NIS2)… the list of regulations that apply to financial services organisations continues to grow, and complying with all of them continues to be a challenge.
Apart from fines, non-compliance could lead to software vulnerabilities that, in turn, can be exploited through data breaches or cyberattacks. Could compliance-as-code (CaC), a fast-growing compliance management strategy, help mitigate some of that risk? To answer that, it makes sense to start by examining why achieving comprehensive software compliance is so hard.
Why IT compliance is so challenging for fintech companies
First, there is a global shortage of IT talent, from developers to operations staff to security professionals. Even big banks with deep pockets may have understaffed teams who are being asked to do more with less. Daily firefighting typically takes priority. So compliance and security might sit on the back burner, receiving only basic housekeeping, with action taken only as a result of an incident or an audit finding.
Visibility is also a roadblock for compliance. It can be highly challenging to simply view the overall IT infrastructure, especially if hundreds or even thousands of servers are involved – let alone ensure they are always compliant. Additionally, configuration drift piles up quickly; regulations and security standards change fast in response to an ever-evolving threat landscape; and the mass migration to the cloud (and across hybrid cloud IT) creates technology siloes, increases complexity, and reduces visibility across the IT estate. It becomes arguably impossible to manually enforce continuous compliance.
CaC reduces the amount of human effort involved in keeping abreast of regulatory requirements, remediating configuration drift, and demonstrating compliance. Furthermore, compliance-as-code can be constantly collecting data in anticipation of audits or any other requests. That helps reduce the amount of time it takes to gather information about an organisation’s compliance status, including logs and other documentation that can help prove compliance.
Three ways CaC results in better IT compliance
CaC is an extension of policy-as-code (PaC), whereby internal IT policies are translated into code, programmed once and then continuously enforced using infrastructure automation and configuration management. It can apply to all kinds of environments, from private data centres to cloud, hybrid and multi-cloud. While typically implemented by IT operations (ITOps) or security operations (SecOps), successful CaC is best applied in close collaboration with other teams, including audit and security, contributing to better DevOps strategies by supporting collaboration and visibility.
There are three main components to compliance-as-code:
One: definition of compliance policies as written code – for instance, firewall configurations or minimum password lengths, thus automating deployment and on-going enforcement.
Two: integration of compliance checks into the software delivery lifecycle instead of leaving compliance checks to later stages of development (which tends to be more time-consuming and costly to fix). With CaC, compliance checks occur in the initial design to discover risks sooner.
Three: automation of policy requirements at the server level with model-driven automation. This helps to ensure that systems are always kept in a desired state on a massive scale, regardless of whether they’re running on Windows, Linux, or a mixed operating system environment. When adjustments need to be made, code is automatically deployed without manually reconfiguring every machine (whether physically or virtually). This means IT operations teams can be confident that their infrastructure’s compliance requirements are continually being maintained – the primary goal of continuous compliance – and that the demands on their valuable time to carry out such menial tasks are removed.
How everyone can help ensure compliance
The right tools can make compliance-as-code more accessible, but it is essential to understand that a successful CaC strategy is as much about people and culture as it is about technology. Both compliance and security need to be a team effort across multiple departments, and there needs to be a compliance-first approach throughout the software development lifecycle. Top-down support for CaC implementation is essential, but so is getting the involvement and buy-in of the people who will use the tools configured to align with the organisation’s CaC policies.
Entire teams must understand the necessity and benefits of compliance, but they should also have input into the selection, design, and deployment of CaC. Soliciting input, gathering feedback, and sharing progress prioritises the developer experience – core to a platform engineering initiative – and ensures that adopting new tools and strategies will streamline their compliance efforts, rather than adding to their workload. Nearly every user of IT can help an organisation work toward compliance, but in return, compliance has to work for them.
Regulation and cybercrime are increasing, and dealing with them both is a multi-faceted challenge. CaC is one way to simplify regulation monitoring while reducing security risks. But the deeper benefit of CaC is that it enables IT operations teams to tangibly contribute to an organisation’s cybersecurity while mitigating the additional workload that efficient continuous compliance might otherwise require.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
David Smith Information Analyst at ManpowerGroup
20 November
Konstantin Rabin Head of Marketing at Kontomatik
19 November
Ruoyu Xie Marketing Manager at Grand Compliance
Seth Perlman Global Head of Product at i2c Inc.
18 November
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.