Security and governance too often seem like sticks. If you don't meet a requirement you are going to get beat over the head or worse... So, it is refreshing to come across examples where governance and security become the carrot.
Recently, we have been working with a large health insurance company, and oddly enough it was the scrum master who reached out to us to gain a better understanding of our tooling. Normally, we hear from architects, or security and compliance people. As their story had a unique beginning, we wanted to share it.
The organization adopted Agile completely for all of their agent facing applications, and with rare exceptions everything is built using the methodology. We quickly found out that the reason the scrum master had reached out to us was because they are a financial services company, thus they put security first, and were recently surprised to find that they failed an audit. As a result, it was required that they hire two DevSecOps staff into embed in their current DevOps teams. The problem was that it is a small and expensive talent pool, and they were struggling to find people to meet their needs. This led them to think differently about how they could address the compliance and security issue without breaking the bank – OpsCompass filled this need.
Initially, we spent time demonstrating how OpsCompass assesses the security posture of each of the resources in their public cloud, regardless of whether it is IaaS, PaaS, or Serverless. They were impressed by what they saw and purchased the tool - then the fun began.
First, they setup an offsite meeting with their security team and evaluated all of the security notifications in their production environments using OpsCompass' inventory of resources and mapping to Center of Internet Security (CIS) controls. While they have a multitude of lower environments, they completely ignored them during this first stage. After evaluating the compliance issues that surfaced through OpsCompass, they categorized them into two buckets. The first bucket contained issues that they were confident they could resolve quickly through their cloud portal and not break the apps. The second bucket was for alerts that would need to be worked through their development pipeline in order to address. They then built the items in the second bucket into their sprint backlogs using the remediation steps provided by OpsCompass.
Upon connecting their cloud environments to OpsCompass, they were able to see their compliance score, which is a metric that shows where the security posture of an environment is at, and then tracks whether it is getting better or worse over time. It becomes an easy way to demonstrate a trend. We watched the compliance score for their production environment rise over the following weeks as they addressed the quick fixes, and began to implement necessary changes in their pipeline. It was fascinating to see that as they focused on their production environments, they also saw the scores climb for their dev and test environments too, as the compliant deployments worked their way through their DevSecOps process.
The scrum master has discovered that this feedback loop helps the development teams to be more efficient when writing secure code the first time. I was struck by just how obvious this was, and yet I didn't see this as an outcome when we first started. OpsCompass serves as their near real time feedback loop and provides clear visibility across multiple clouds to enable better understanding while offering insights into their up-to-date security posture.
The speed and flexibility of the cloud is oftentimes a risk with security being an afterthought, but with OpsCompass connected you can scale your governance and compliance process at the same rate thereby fully implementing the main goal of DevSecOps.