At base2Services, we’ve worked with dozens of companies to establish and streamline cloud services so that their infrastructure runs as efficiently and effectively as possible. We’re experts in resource provisioning, launching and maintaining AWS services, and automating continuous integration and deployment. However, our role as a technology partner for our clients extends beyond infrastructure efficiency. Many of our clients are concerned about data security, internal controls, and regulatory compliance for various national and international standards. As a result, we’ve made compliance a major focus of our DevOps consulting practice. Audits for PCI, HIPAA, or SOX compliance can be a lengthy, manual process. However, with the right systems in place, it’s possible to automate and standardise much of the compliance auditing and reporting process.
Compliance Out of the Box
A key focus for our DevOps practice is creating infrastructure that is compliant out-of-the-box. Even if a client doesn’t currently need compliance, we’ve chosen technologies and workflows that are compliant by default. We also implement continuous compliance checks that are integrated into the CI/CD pipeline to ensure the software remains compliant over time.
When audit time comes around you won’t need to change anything about your default workflows – that’s the benefit of this approach. Additionally, if you have a specific regulation that you need to meet, our standard technologies already fulfil most of the compliance regulations around the world. For instance, we aim for Payment Card Industry (PCI) compliance, one of the more stringent global regulations, from the beginning. As such, adding other types of compliance for health records or financial transactions is simply a matter of setting up the proper controls and checks for a given standard.
Automating Compliance & Reporting
We automate most compliance checks using Amazon AWS Inspector. This industry-standard security assessment service does a great job of identifying vulnerabilities and deviations from best practices. Regularly scheduled scans, along with incorporating AWS Inspector into the CI/CD pipeline, mean that you’ll discover security risks quickly in the event of a compromise.
Alongside AWS Inspector, we use open source Chef InSpec language to build compliance into the development process. Developers no longer have to wait for the results of a security review before receiving feedback on the code’s compliance. Instead, compliance is shared throughout the development and deployment pipeline.
In addition, we now use AWS Guard Duty as the default for all our customers. This adds a further layer of intrusion and anomaly protection for applications. It prevents anyone from gaining shell access to instances, and any changes go through established levels of access control with a clear audit trail.
We’re confident in the accuracy and architecture of these cloud services solutions. So much so that if we find an instance has been modified, we assume it’s dirty and ought to be replaced. The automated deployment pipeline eliminates the need to access and edit instances or settings directly.
The Future of Compliance in Cloud Services
We’re firm believers that compliance can and should come as standard for any company using cloud services. The proof is right there in the code. With the right access controls and audit trails, gathering the evidence to prove your compliance is a straightforward process.
The future of compliance is the automation of the entire compliance process, including reporting. We’re thinking about and working on systems that create a compliance dashboard. Imagine if you could point an auditor to a single webpage with all the necessary compliance checks on your cloud infrastructure, instead of preparing thousands of pages of reporting. This should be a long-term goal for the compliance industry, reducing the overhead and burden while still protecting consumers and upholding the law.
We encourage you to contact us so that we can help you understand the full range of possibilities for new solutions and improvements that may be available for you.