Security and compliance are not one and the same. While both concepts help companies manage risk, one is a guideline and the other is its implementation.
According to Venkat Thiruvengadam, founder and CEO of DuploCloud, an industry pioneer in no-code/low-code cloud automation and security, compliance will always be a few steps behind current threats.
VMblog: What is DuploCloud? How long has the company been in business and who is your target market?

Venkat Thiruvengadam: DuploCloud is an end-to-end low-code/no-code DevOps automation and compliance platform, designed to make DevOps and Infrastructure-as-Code accessible for everyone. I was one of the original engineers at Microsoft Azure and AWS, where I saw Azure grow from a hundred-odd servers to millions of nodes in just a few years. After leaving Microsoft I realized that such hyperscale automation techniques had not made their way outside of companies like AWS, Microsoft, and Google. This led me to found DuploCloud in 2018 with a goal to bring the hyperscale automation techniques to mainstream IT.

DuploCloud is a software platform that helps companies ranging from startups to publicly listed enterprises that are building enterprise-grade applications or migrating to the cloud save time and money. The DuploCloud platform translates high-level application specifications into detailed and fully managed cloud configurations using best practices around security, availability, and compliance guidelines.
VMblog: How are security and compliance factoring into DevOps teams? Are they responsible for building this into their apps?

Thiruvengadam: While there are several best practices around how to configure a certain infrastructure, there are now industry-specific standards that govern how these configurations are to be made. A few examples are PCI in finance, HIPAA for health and NIST for the public sector. This has put pressure on DevOps, as now, in addition to operations and programming, they also need to have a deep understanding of various compliance controls. As if operations and programming were not sufficient in one human being, we are now asking them to be experts in infosec as well. At the end of the day, DevOps is responsible for the security of the infrastructure and has to do their bit to get the compliance certificate that the organization needs to do business.
VMblog: How are security and compliance related, and where do they differ?

Thiruvengadam: Security and compliance are not one and the same. While both concepts help companies manage risk, compliance is a guideline and security is the implementation of that guideline. Compliance is about a written standard which defines controls, but security can be abstract. One person's view of security best practices may differ from another's. That is where compliance standards come in and force a certain implementation, though some compliance standards like NIST, PCI and HITRUST are more prescriptive compared to, say, SOC 2, which is non-prescriptive. Compliance is a bit higher level; a security control is specific. For example, a compliance standard could say, "make sure your network infrastructure between production and non-production is segregated and separate," but the security implementation determines how it is segregated - through security groups, infrastructure-based, etc.

Now the main similarity is that both security and compliance are meant to manage risk. Compliance is a way of measuring security as well. The key difference is that security is an ongoing phenomenon, whereas compliance is simply a once-per-year certification process. For this reason, compliance will always be a few steps behind current threats. Of course, teams need to maintain compliance, which means making sure security controls are in place.
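The segregation control in the answer above, expressed as a check that can run continuously rather than once a year: an added example, not DuploCloud's code, that scans a constructed set of AWS-style security groups (ids, environment tags and CIDRs are all invented for the demo) and flags every ingress rule that admits traffic from the other environment.

```python
# Added example (not DuploCloud's code): policy-as-code for the control
# "production and non-production network infrastructure must be segregated".
# The environment ranges, group ids and rules below are constructed for the demo.
import ipaddress

# Which address range belongs to which environment (constructed).
ENV_CIDRS = {
    "prod": ipaddress.ip_network("10.0.0.0/16"),
    "nonprod": ipaddress.ip_network("10.1.0.0/16"),
}

# Simplified AWS-style security groups: an environment tag plus ingress rules
# whose source is either another group id or a CIDR block (constructed).
SECURITY_GROUPS = [
    {"id": "sg-prod-web", "env": "prod",
     "ingress": [{"port": 443, "source_sg": "sg-prod-lb"}]},
    {"id": "sg-prod-lb", "env": "prod",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},          # internet-facing
    {"id": "sg-prod-db", "env": "prod",
     "ingress": [{"port": 5432, "source_sg": "sg-prod-web"},
                 {"port": 5432, "source_sg": "sg-dev-app"}]},   # dev reaching prod DB
    {"id": "sg-dev-app", "env": "nonprod",
     "ingress": [{"port": 22, "cidr": "10.0.5.0/24"}]},         # a prod subnet
]

def find_cross_env_ingress(groups, env_cidrs):
    """Return (group_id, port, reason) for each ingress rule that admits traffic
    from another environment. A source group with a different env tag, an unknown
    source group, and any CIDR overlapping another environment's range (so
    0.0.0.0/0 too, which needs an explicit documented exception) are flagged."""
    by_id = {g["id"]: g for g in groups}
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            if "source_sg" in rule:
                src = by_id.get(rule["source_sg"])
                if src is None:
                    findings.append((g["id"], rule["port"], f"unknown source group {rule['source_sg']}"))
                elif src["env"] != g["env"]:
                    findings.append((g["id"], rule["port"], f"source group {src['id']} is {src['env']}"))
            else:
                net = ipaddress.ip_network(rule["cidr"])
                for env, env_net in env_cidrs.items():
                    if env != g["env"] and net.overlaps(env_net):
                        findings.append((g["id"], rule["port"], f"cidr {rule['cidr']} covers {env} range {env_net}"))
    return findings

if __name__ == "__main__":
    for finding in find_cross_env_ingress(SECURITY_GROUPS, ENV_CIDRS):
        print("cross-environment ingress:", finding)
```

Run against the constructed groups it reports three rules: the public listener (which needs a documented exception), the dev group reaching the production database, and the dev host allowing a production subnet.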
VMblog: Why is compliance important to startups and SMBs?

Thiruvengadam: Security and compliance are necessary for every industry. In fact, 80% of data breaches are caused by human error. Although this is mostly true in larger companies compared to smaller ones, SMBs still critically need business process security policies - especially since startups that are selling to larger companies need to be compliant to even be considered. Lack of compliance can cause a company to come to a screeching halt when trying to go to market quickly. Organizations must put processes in place to determine how to identify and respond to threats as well as how to safely handle and dispose of data.
VMblog: What are the current trends you're seeing around compliance standards/threats?

Thiruvengadam: Meeting a compliance standard usually has three parts: process, documentation and control implementation. We are seeing that the process and documentation part is becoming easier with the advent of the category of automation solutions like Vanta, Drata, TugBoat, etc. Control implementation is now becoming harder because the standards are becoming more prescriptive and hence adherence requires more work. Further, there is more visibility into compliance gaps, which puts pressure on the implementation team.
VMblog: How has the DevOps skills shortage affected the need for no-code / low-code security & compliance solutions?

Thiruvengadam: DevOps is a skill set that requires a single individual to be proficient in operations and security, as well as programming, i.e. Infrastructure-as-Code. These have traditionally been three independent job profiles. Developers are not operators. Operators' programming skills are limited to basic scripting, and most operators don't have a good grasp of compliance standards. DevOps automation is still largely DIY. With a low-code/no-code solution we can substantially reduce the required subject matter expertise. Younger and less expensive engineers can be trained to deliver an outcome that is far superior to a DIY system operated by expensive SMEs. An end user can choose to write no-code exclusively through the UI. Or one could use the low-code scripts that allow them to write 90% less code and not require any subject matter expertise in security or compliance, as that is all baked into the system.
VMblog: Can you speak to Infrastructure-as-Code and where it's headed?

Thiruvengadam: Infrastructure-as-Code (IaC) has gained wider adoption among DevOps teams (as it should have, given it was a vast improvement on what was available at the time). IaC is still a programming tool that does not write itself. It is up to the DevOps engineer to interpret the application needs and compliance controls and then translate them into IaC code. DevOps is largely DIY and takes months to years. Also, IaC is great for creating one-time topologies, but making changes is very hard. With the rapid pace at which developers are fragmenting the application topology with microservices and the cloud providers adding new services daily, IaC in its current form won't scale. Already, hiring a good DevOps engineer who is proficient in IaC is very hard. IaC will need to evolve. It cannot be purely a client-side scripting tool. There cannot be so much DIY, and ongoing operations need to be easier.

I think we are headed into a new category of solutions that I would call DevOps-as-a-Service. Here one should be able to provide a higher-level specification and a reference to a compliance standard, and the system should be able to figure out the lower-level details, build and operate the infrastructure. IaC would still remain as a user interface, but we see users required to write a lot less code and needing a lot less expertise.
VMblog: In a nutshell, what would be your recommendation to companies who are wanting to improve their security and compliance?

Thiruvengadam: Take an overarching approach to security and compliance. Understand the risks to your organization's data, and know your legal and regulatory obligations. Make security part of early provisioning workflows rather than a post-provisioning afterthought. Keep tabs on what is already available in the industry before attempting to build something in house.