Software compliance has never been easy. Nuanced spreadsheets, endless checklists, and cross-functional teams conducting myriad long meetups to understand how processes, policies, and workflows are actually executed—all at the end of the development cycle—were an integral part of compliance procedures. It was a long and cumbersome process, and quite often, teams ended up making changes in “non-compliant” parts of code.
However, businesses put up with all these inconveniences of the given approach. Why? It worked—until the end of the epoch of on-premise hosting and monolith architectures. Today, modern development teams face new compliance challenges stemming from the advent of new technologies, such as cloud computing and microservices. Let’s take a closer look at each of them.
While there are many reliable, compliant cloud solutions nowadays, you need to understand where the cloud provider’s responsibilities end and yours begin in terms of security and compliance. For example, research reveals that misconfiguration is the second-most widely spread reason for data breaches in cloud environments.
Ironically, another challenge stems from the attempts of cloud providers to help businesses achieve compliance. For example, Amazon provides separate cloud environments for businesses that abide by FedRAMP and other regulatory standards. To access such environments, you need to pass a screening process. Which adds to your compliance challenges.
Microservices and containers
Together with cloud computing, microservice architecture and the subsequent advent of containers—as one of the most popular ways to implement microservices—have made the life of developers easier. Individual software elements can be easily deployed independently without affecting the rest of the system. This allows developers to move fast.
Sounds optimistic, right? Well, it isn’t so if you have to deal with a complex system consisting of thousands of containerized microservices while staying compliant. This adds roadblocks to your compliance journey. For example:
- It’s hard to map traffic flows and runtime dependencies between microservices and identify a compliance gap.
- It’s challenging to bridge compliance gaps without causing cascading failures and—as a result—downtime.
- If development teams in your organization are free to choose any languages and frameworks for each microservice, managing security and compliance risks across microservices built using different tech stacks is a nightmare.
- Multiple microservices make the attack surface huge. You need to secure each endpoint according to the best cybersecurity practices and regulations you are subject to.
Additionally, container orchestration tools, if not managed properly, can pose another cybersecurity and non-compliance risk.
The three compliance challenges of modern tech businesses
With the introduction of new technologies and practices into the development process, regulatory requirements didn’t become less strict: the over 300 sub-requirements of the PCI standard aren’t going anywhere, for example. And if you are a business that directly deals with credit card data, you need to comply with them all, across a myriad of microservices and containers.
Clearly, the traditional way of approaching compliance—pushing it to the very end of the development lifecycle—doesn’t work anymore. Also, we can’t forget about compliance after product release and successful certification until the reassessment. Modern products are changing rapidly (otherwise, a business won’t survive the competition), and so are regulatory requirements.
Besides this, sometimes continuous monitoring is a legal requirement standard. FedRAMP, for example, requires covered organizations to monitor their systems continuously to ensure the required risk posture.
As a result, modern companies that are subject to regulatory standards have three main tasks to resolve:
- Rolling out a secure software product that complies with all the applicable standards, regardless of its hosting type and the level of architecture complexity.
- Monitoring the entire system’s compliance 24/7 post-release and preventing compliance gaps before they occur.
- Detecting and bridging compliance gaps before they have any effect.
And that’s where DevSecOps and continuous compliance come into play.