Continuous compliance is the ongoing monitoring process for compliance with industry regulations and following cybersecurity best practices. Establishing a consistent release management process can help attain continuous compliance. Other steps include adding access controls to the code base, patching updates to software libraries regularly, and having a repeatable approach for adding new software features that meet customer needs and comply with relevant regulations.
Some of the recommended controls that support continuous compliance in DevOps include:
Multiple Environments
It’s essential to create several code environments; ideally, you should have separate development, staging, and production environments. Multiple code environments with an approval workflow for moving code between them provides a set of checks and balances.
Segregation Of Duty
Clearly define the responsibilities of developers, approvers, administrators, and managers, and assign no more than one role per person. One set of permissions per person allows for easy auditing of changes. Requiring multiple roles and approvals whenever code is moved between environments or released to customers helps protect the codebase.
Authentication
Implement strong authentication mechanisms, including multi-factor authentication (MFA), and require developers to change their passwords regularly.
QA Testing
Ensure that your quality assurance process includes testing and performing vulnerability scans when moving code between environments to catch cybersecurity risks as soon as possible. Many organizations have incorporated secure code reviews and application security testing at specific points in their development process.
Key Management
Use software keys to provide access to servers, and set an expiration date for each one.
Security Protocols
Use the Secure Shell Protocol (SSH) during DevOps. SSH is a networking protocol that helps secure remote logins to a computer or server. SSH provides multiple options for strong authentication and protects communications security and integrity. Use a secure protocol such as SSH to safeguard any access to software code.
Encryption
Provide user encryption keys to protect sensitive customer or business data.
XOps
DevOps
PlanSecOps
DevSecOps
Striving for Continuous Compliance in DevOps
Continuous compliance is the ongoing monitoring process for compliance with industry regulations and following cybersecurity best practices. Establishing a consistent release management process can help attain continuous compliance. Other steps include adding access controls to the code base, patching updates to software libraries regularly, and having a repeatable approach for adding new software features that meet customer needs and comply with relevant regulations.
Some of the recommended controls that support continuous compliance in DevOps include:
Multiple Environments
Segregation Of Duty
Authentication
QA Testing
Key Management
Security Protocols
Encryption
See also