Adopting automated governance

Speeding away from security

Charles A. Jacco

Principal, Cyber Security, KPMG US

+1 212-954-1949

Jackie Mak

Sr Associate Advisory, Cyber Security Services, KPMG US

+1 832-931-8642

Caleb Queern

Director, Cyber Security, KPMG US

+1 571-228-8011

Many software development teams today have adopted DevOps practices that let them regularly produce and push code into production environments. These developers aim for rapid releases to deliver great user experiences and drive business value frequently. At the same time, Security and Compliance groups struggle to keep up as they navigate the complicated challenge of balancing faster development speed against the need to manage risk and protect the organization without introducing unnecessary hurdles.

Today, a growing list of security tools adds complexity to build pipelines, and the data these tools generate usually lives in its own silo. While a scanning tool may provide additional visibility into potential vulnerabilities, adding more components to increasingly complicated continuous integration/continuous delivery (CI/CD) pipelines can make it hard to have a holistic understanding of security and compliance.

Competing priorities

In organizations trying to adapt to this evolving challenge, multiple teams are involved in the process, including:

  • Engineering teams that work towards optimizing delivery but are often delayed by time-consuming controls and compliance requirements
  • Security teams that work towards improving the security of products and reducing the potential for data breaches without restricting velocity of deployments
  • Technology Risk and Internal Audit teams that work towards accurately identifying and mitigating risks but that often work with legacy controls, which can lead to lengthy or narrow review processes

Each of these teams tends to have different priorities. Luckily, there is a way to align the goals of the three distinct teams. By implementing a common framework of Automated Governance, organizations can enable a unified vision for automation, security, and compliance at scale.

Building the foundation

An Automated Governance framework solves the issues of our three stakeholder tribes by reducing the time needed for audits, improving the coverage of security controls in the development pipeline, and increasing the reliability of risk assessments and audits.

To implement this framework, organizations need to outline potential risks that can be introduced and a set of associated controls to mitigate these risks at different stages of the software delivery pipeline. In most organizations, the typical pipeline stages may be:

  • Source code repository: Application software and services are hosted on a version-controlled tool
  • Build: Source code is compiled and tested for quality and security
  • Dependency management: Management of external libraries and/or base images
  • Package: Deployable artifacts are composed from source code and external dependencies
  • Artifact repository: The artifacts generated in the build and packaging stages are hosted in a version-controlled tool
  • Non-prod deploy: Artifacts are deployed to non-production environments to undergo testing
  • Prod deploy: Tested and approved artifacts are deployed in production environments

The controls defined for the different stages are checks that development teams’ code must pass before a deployment can occur, and each check is an opportunity to capture evidence, or an “attestation,” of that control. By storing machine-generated and digitally signed attestations in a single data repository, stakeholders have an objective, trustworthy record of what happened during the software build process.

Driving sustained change

To keep the business protected from relevant threats without reducing time to value, these governance processes must be automated in development pipelines so that developers can continue to accelerate the rate of software delivery while Security and Compliance teams have confidence that overall risk is being reduced. As we expect this challenge to escalate further, understanding how to adopt and implement an Automated Governance framework may be vital for organizations that want a trustworthy, repeatable approach to building, protecting, and delivering their products and services.