Modernizing compliance: Introducing Risk and Compliance as Code

Almost all publicly reported breaches in the cloud stem from misconfigurations, rather than from attacks that compromise underlying cloud infrastructure. Misconfigurations continue to be a source of security risk because most security and compliance practices play catchup – teams are involved later in the CI/CD process and misconfigurations are identified at runtime, instead of during the build process. Reliance on runtime security also creates friction between developers and security professionals because runtime tools, by their nature, are deployed at the end of the CI/CD process, and are therefore often seen as the final gate or blocker to production.

To prevent and address the risk of misconfigurations and compliance violations earlier in the development process, security leaders have started to embrace security as code to achieve the speed and agility of DevOps, reduce risk, and more securely create value in the cloud.

“Being able to precisely model and then continuously monitor the adoption and correct operation of controls in any environment is essential. In the software defined environment (i.e., cloud-native workloads) this is not only possible but more importantly it’s actually more easily achievable than other environments–and the more you do it the easier it becomes for continued monitoring.” —Phil Venables, Chief Information Security Officer, Google Cloud.

Recognizing the need and opportunity to help customers prevent security misconfigurations and automate cloud compliance, the Google Cybersecurity Action Team is thrilled to announce the launch of our Risk and Compliance as Code (RCaC) Solution.

The RCaC solution stack enables compliance and security control automation through a combination of Google Cloud Products, Blueprints, Partner Integrations, workshops and services to simplify and accelerate time to value:

• Existing products such as Assured Workloads, Security Command Center (SCC), and Risk Manager. Assured Workloads helps you define secure configurations and controls as code in your cloud architecture via APIs which are also expressed in some of our blueprints. SCC allows you to monitor for security misconfigurations and compliance violations on a continuous basis. Risk Manager gives you tools to leverage cyber insurance to deal with risks in the Google Cloud environment.

• A core set of blueprints such as Secure Foundations, Anthos Security blueprints, workload specific blueprints such as PCI DSS on GKE, and FedRAMP aligned 3-tier workload that codify infrastructure and policies. Blueprints can help you rapidly configure cloud environments in a secure and compliant manner.

• Partner integrations (such as Sysdig and others) with SCC to detect drift from blueprinted environments. These integrations expand the coverage beyond Google Cloud’s native controls to help deliver improved multi-cloud compliance and risk reduction.

• A policy library set mapped to common compliance frameworks such as NIST 800-53, PCI DSS, and ISO 27001 with preventative and detective controls that can be expressed as code. These policies communicate which controls can be codified from the above frameworks.

• Whitepapers and workshops for rapid security organization transformation and DevSecOps transformation.

• Professional services and partner-led accelerator programs that enable organizations to pilot the solution.

Operationalizing Risk and Compliance as Code

Through the RCaC solution, customers can introduce automation via IaC (Infrastructure as Code) and PaC (Policy as Code) in the form of blueprints. This lays the foundation of preventative controls. Additionally, customers can “shift-left” their security and compliance practices by evaluating IaC and PaC templates for security and compliance violations before they are used in a build.

The next level of maturity is detection as code which involves monitoring for (security and compliance) drifts and applying remediations when an out-of-compliance infrastructure is identified. This forms a continuous monitoring loop that helps prevent misconfigurations. Cloud-native tooling helps to operate this model at scale.