Achieving Regulatory & Security Compliance Across a Development Process
Delve into crucial strategies for Regulatory & Security Compliance spotlighting specific platform features that enhance code development efficiency and fortify information security.
Learn From an Industry Expert
Explore specific platform features that not only enhance code development efficiency but also fortify information security, navigating the complexities of compliance in the development process.
Laurent Balmelli
Co-founder and CEO @Strong Network
Dr. Laurent Balmelli is co-founder and CEO of Strong Network. He sold his last cybersecurity start-up, Strong Codes to the US company Snapchat in 2016 and led cybersecurity efforts at Snap during a three-year earn out period from 2016 to 2020.
After earning his PhD from ETH in Switzerland in 2000, Laurent also worked 12 years at IBM Research Division and CTO office in New York and Tokyo before moving back to Switzerland.
Why Does It Matter?
Navigate the complexities of regulatory and security compliance in our expert-led webinar. Discover practical implementations, explore risk controls, and gain insight into securing your development environment.
From tracking custom risk controls to visualizing compliance metrics and applying security measures across the DevOps cycle, learn key strategies that enhance data integrity, protect against threats, and bolster stakeholder trust.
Join us for a deep dive into the concrete steps for a secure and efficient development process.
What This Webinar Covers
Risk control implementation: practical implementations of risk controls, including tracking custom controls and visualizing compliance metrics.
Security across DevOps: how to extend security measures beyond code development, applying them seamlessly across the entire DevOps cycle.
Enhancing data integrity: key strategies to enhance data integrity, protect against exfiltration and build trust with stakeholders.
Watch how secure Cloud Development Environments make organizations risk-compliant
Watch the webinar on YouTube to learn how to achieve regulatory and security compliance across a development process.
Webinar Transcript:
Optimizing DevOps for Compliance and Security
[Laurent]:
Adding some background to this presentation: We've been developing a platform at Strong Network that utilizes online containers for development, essentially replacing traditional virtual machines. Containers, known for being lighter and initiating more swiftly than virtual machines, allow access to virtual environments without the need for high-powered laptops. This innovation is particularly advantageous for companies aiming to reduce IT costs and improve secure infrastructure provisioning. Notably, it facilitates compliance with various standards, including ISO 27001.
The essence of this platform lies in its integration into the DevOps process. It enhances the coding stage of any development process, whether or not a formal DevOps process is in place. Our focus is on provisioning secure environments that developers can easily access to code. This approach not only boosts swiftness and efficiency but also significantly enhances security—a point I'll elaborate on today.
Secure Dev Environments: Implementing Risk Controls
[Laurent]:
The necessity for secure development environments is underscored by recent breaches where companies' source code and data were compromised, leading to widespread information and credential leaks. The challenge in controlling such leaks stems from the diverse and distributed nature of development teams, which complicates governance. Despite the perception that such breaches predominantly affect large companies, they are also prevalent among smaller firms but tend to be underreported.
Our aim at Strong Network is to offer a streamlined infrastructure that secures environments without the drawbacks of outdated solutions like Desktop as a Service (DaaS) or Virtual Desktop Infrastructure (VDI). Previously, we've discussed how our platform offers a more secure and efficient alternative to VDI for developers. Today, I'll focus on how our platform facilitates the implementation of risk controls, addressing the urgent need for comprehensive security measures across all company sizes and enhancing governance in distributed development processes.
Integrating ISO 27001: Enhancing Compliance and Security
[Laurent]:
Risk controls in ISO 27001, the information security standard, might initially seem dull to engineers but are quite fascinating. These controls, designed by information security specialists, are divided into two main parts.
The first part deals with organizational structure, focusing on processes and roles within a company.
The second part, the appendix, outlines management guidelines and security controls that companies need to implement.
This comprehensive approach ensures that companies adhere to strict security measures, making it an engaging topic I'll explore further.
Initially, companies must comply with ISO 27001's managerial aspects, presenting their compliance annually to assessors who evaluate risk control maturity. Implementation involves integrating these standards into company infrastructure, involving process changes, tool adoption, and data management. The standard includes 13 to 14 categories, extending to over 100 detailed requirements. Companies must demonstrate how they meet each requirement, signifying a comprehensive approach to managing and improving information security practices systematically.
Securing DevOps: Compliance and Supplier Risk Management
[Laurent]:
Exploring risk control categories within governance risk and compliance software, we focus on diverse information security aspects, particularly in operational security. This area underscores the importance of secure operations within processing facilities, a cornerstone of IT compliance and cybersecurity compliance frameworks. Such detailed subdivisions of operational procedures illustrate how compliance automation can effectively implement these controls, showcasing a company's maturity in adhering to data security compliance across various facets.
Moreover, the protection from malware, especially in the context of supplier relationships, emphasizes the critical need for cybersecurity governance risk and compliance. Many firms, in their pursuit of cyber security compliance, outsource code development, necessitating robust security measures for these partnerships under the umbrella of compliance monitoring and IT framework standards. Leakage of regulated information not only risks severe penalties but also threatens data compliance. Thus, implementing IT compliance measures in supplier interactions is paramount. This scenario highlights the necessity for platforms that integrate governance risk and compliance software to enhance security compliance, offering significant advantages to customers by protecting crucial assets and information against cybersecurity threats.
ISO 27001 Compliance: Defining Scope in Code Development
[Laurent]:
To start implementing security controls and align with ISO 27001, begin by defining the scope of applicability. This involves identifying the specific processes and information that the standard will target. For a company like Strong Network, which offers a code development platform, the scope is centered around application development. This is where developers create assets under the company’s governance through the platform. Choosing the right scope is crucial; it's not about blanket application but focusing on specific areas where compliance can be assessed and ensured, especially in areas like application development where risk controls are critical.
Adopting a platform doesn't automatically ensure compliance across all processes but specifically enhances compliance within the code development process. It's important to scrutinize the activities within this process. Developers engage in data input and output, interacting with code repositories that manage code assets and access credentials. This repository is pivotal to the CI/CD pipeline, which is instrumental in building, testing, and deploying applications. The scope of protection extends to source code, credentials, tokens, cryptographic keys, and development data, such as text and binary images, with controls to manage data transfer based on organizational policies.
Securing DevOps: Streamlining Compliance with Online Containers
[Laurent]:
Integrating our platform's unique capabilities, we've elevated the development environment by utilizing online containers, a foundational element in DevOps strategies. Our platform, Strong Network, shifts the conventional local development setup to an online model, leveraging the efficiency of Docker—a leading container technology. This transition not only streamlines code and asset management but also preserves the user experience by seamlessly migrating the workspace from local to cloud-based storage.
This innovation embodies our commitment to compliance automation, IT compliance, and cybersecurity, ensuring developers continue their work without disruption while enhancing data security compliance and governance risk management.
Transitioning from a local to an online development environment, as facilitated by our platform, revolutionizes the way development activities are monitored and managed. With all environments hosted online, real-time visibility into code production and developer activity becomes possible.
This transparency allows for monitoring of keystrokes, mouse movements, and overall work within the Integrated Development Environment (IDE), without intruding on personal operations outside of work. Such visibility, devoid of local spyware or installations, enhances compliance with risk controls and asset protection in code development, epitomizing the shift to online containers for improved governance and security oversight.
DevOps Compliance: Enhancing Security with Targeted Controls
[Laurent]:
Focusing on the premise of visibility and risk controls, the process involves discerning which risk controls are pertinent to DevOps and code development within the scope of applicability. Specifically, out of numerous risk controls, 58 are deemed relevant to DevOps or code development, while 56, such as those concerning physical security for room access, are not implemented as they do not directly relate to DevOps activities.
For the applicable risk controls, detailed documentation is provided, outlining how each requirement is met, ensuring that the platform complies with necessary security measures for code development processes. This structured approach enables targeted compliance and security within the development environment.
Considering information security responsibility within the platform, we define and allocate specific roles under the Statetement of Applicability (SOA), including managers, developers, project owners, reviewers, and security analysts. Utilizing a Role-Based Access Control (RBAC) model ensures access control is precisely aligned with each role's responsibilities, adhering to standard compliance. This methodology is one of many, detailed across 58 lines in our documentation, where we also address non-compliance by explaining its relevance to our platform and the reasons behind it.
Securing Code: Strategies for Malware Protection and Compliance
[Laurent]:
Before opening the floor for questions, let's delve into specific requirements that are particularly relevant from our platform's perspective. When considering the scope of applicability, which is focused on code development, it's vital to assess how each requirement fits within this context.
For example, to protect against malware from local devices, monitoring data uploads to the container can safeguard code and data. It's essential to evaluate how each requirement impacts developers and whether it's applicable. For those that are relevant, such as malware control—encompassing detection, prevention, recovery, and user awareness—it's crucial to devise and implement a strategy that integrates these elements effectively.
When interpreting requirements for ISO 27001 compliance, it's important to assess your system's maturity levels, which assessors will evaluate, typically on a scale from one to four. Achieving the highest level of maturity is crucial for offering customers the greatest benefits. Utilizing online containers helps separate local data from the development environment, enhancing compliance and security.
This separation is vital for secure coding practices. For instance, when developers need to integrate local data, such as images for processing algorithms, into their work, online containers facilitate secure and compliant data handling within the development process.
When uploading an image or any data to a container, it must be scanned for malware to comply with security controls. Utilizing an external API for scanning ensures that only safe content is admitted into the container, with denied entries being blocked. Additionally, each upload event is audited and logged, providing a record of successful scans and enhancing transparency in data handling. This process is a key control in maintaining the integrity and security of information within the development environment.
Revoking Access: Automated Security for Departing Developers
[Laurent]:
Ensuring a departing developer loses access to all company resources is challenging due to the wide range of applications and data repositories they might have used. Automation plays a crucial role in revoking access efficiently. However, without a centralized platform like ours, managing and revoking all necessary keys, credentials, and tokens across various applications becomes complicated, highlighting the need for a unified control system for information security management.
This centralized control of keys and access privileges across code, data, and services ensures organizational ownership and oversight. A notable feature is the ability to revoke all access for a user instantly when they are removed from a project, streamlining the process of maintaining secure environments and safeguarding sensitive information effectively.
Our platform eliminates the administrative burden of manually revoking access for departing employees. Traditionally, IT admins must consult a list of applications to which the individual had access and revoke each manually. This process is streamlined with single sign-on (SSO) solutions, primarily effective for web applications. However, our platform fills a significant gap by extending SSO to development resources, ensuring secure access management and preventing unauthorized access to development data and resources once an individual leaves the company.
Streamlining Compliance: Unified Labeling and Access Revocation
[Laurent]:
The process of removing a developer from a project on our platform is streamlined and efficient. By simply selecting the option to remove oneself from the project, all access permissions for that developer are instantly revoked. This feature is particularly valuable for organizations striving to comply with ISO standards, addressing one of the more complex challenges due to the intricate nature of today's IT infrastructure and the extensive changes required when someone departs the company. This capability ensures a seamless transition and maintains the security integrity of the project.
Labeling information and assets for compliance can simultaneously address multiple standards, as demonstrated by integrating features that cover both 822 and 931 requirements. This approach enables efficient resource classification as confidential or non-confidential, streamlining access control across the company. Such a strategy not only simplifies compliance efforts but also significantly enhances the organization's information security posture by leveraging a single mechanism to fulfill multiple regulatory obligations, tying back to the importance of role-based access control discussed earlier.
Implementing a labeling system across diverse resources, such as GitHub, GitLab, and AWS S3 buckets, enhances access control and organization. However, the challenge lies in the varied nature of these resources, each from different providers. Our platform uniquely addresses this by offering a unified labeling mechanism, simplifying resource management and access control.
This approach not only streamlines development processes but also ensures compliance with multiple standards through effective resource classification, demonstrating the platform's capability to centralize and simplify complex IT environments.
Optimizing Security: Capacity Management in Cloud Environments
[Laurent]:
Addressing capacity management within the context of information security standards is crucial, especially as it subtly relates to ensuring system performance aligns with organizational goals. This requirement involves monitoring and adjusting resource use, along with forecasting future capacity needs to meet business objectives efficiently.
This aspect, though not immediately obvious, is integral for maintaining optimal performance and security, highlighting the importance of proactive resource management in safeguarding information security and supporting customer compliance efforts effectively.
In the realm of code development, understanding the capacity needed is vital. This involves assessing how much infrastructure, such as CPUs, is necessary for efficient development. Traditionally, this might be estimated by the number of laptops required for a team. However, with the advent of cloud computing, development environments and computational tasks have shifted to the cloud. This transition leverages the cloud provider's virtual CPUs for compiling code, showcasing a more dynamic and scalable approach to managing development capacity.
Enhancing Compliance: Dynamic Resource Management for Cost Efficiency
[Laurent]:
With real-time access to cloud resources, our platform enables precise accounting of capacity needs. As developers commence work, they automatically acquire necessary virtual processors, peaking at 45 CPUs daily, with noticeable dips during evenings and weekends. This precise monitoring facilitates exceptional compliance with capacity management requirements, allowing for informed planning. It's a feature particularly appreciated by one of our major clients, Broadcom, Sirius, for its potential to significantly reduce costs by optimizing resource management.
Utilizing lightweight containers offers unparalleled visibility into resource usage, contrasting with the opacity of DaaS or VDI solutions. This technology enables precise resource accounting, future needs prediction, and cost control, addressing a common challenge in traditional setups where costs can spiral unexpectedly. Such transparency is highly valued by developers, ensuring efficient cost management and accountability. This approach illustrates our commitment to meeting specific compliance requirements, optimizing resource utilization, and delivering cost-effective solutions through our platform.
---
All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at hello@strong.network
