This document discusses the challenges of achieving regulatory compliance for technology teams. It notes that compliance requires assessing risk and implementing governance. A case study of a fictional company's journey to achieve SOC-2 compliance over 12 months is described. The document emphasizes that compliance is as much a human process as a technical one, requiring documentation, evidence gathering, and engagement with internal and external auditors. Automation is key to reducing the documentation burden, and compliance must be viewed as an ongoing process rather than a one-time event.
4. About Me
✴ Been doing DevOps and Cloud stuff for ~5 years
✴ Did heavy Chef work for ~3
✴ UNIX throat beard since way back
✴ Compliance scars on my back
✴ I now talk to people about security for a living
✴ I recently built my 2nd Raspberry Pi (random fact, but true)
5. “When management says you are going to meet regulatory compliance, don’t fight it. Embrace it! Because compliance done right is also best practices, and who doesn’t want to be the best?”
Wayne Sisk, Compliance & Security Manager, Adobe
6. What is Compliance?
▪Boiled down: it is about assessing risk and implementing governance to manage that risk
▪The most common regimes are government-mandated and industry-specific compliance certifications
▪Compliance != Security: a clean audit shows that the required controls existed and were evidenced during the audit period, not that the system cannot be breached
▪YOU: it is not just because management says so; the engineers who build and run the systems are a hugely important part of the process
▪Examples of regulatory compliance: HIPAA, FISMA, FedRAMP
▪Examples of industry compliance: SOC-2, PCI DSS, ISO 27001
8. Case Study - SoftCorp*
▪Embarked on a journey to SOC-2 compliance
▪Define and discover took about 4 months
▪Implementing controls took about 3 months
▪Test / remediate / report took about 6 months
▪Total effort: 12 months with 4 dedicated people and 4 partially-dedicated people
▪Most phases of the workflow overlapped (which is why the phase durations add up to more than 12 months)
▪The final phase was continuous
*SoftCorp is a fictitious corporation
9. Compliance is for Humans, Not Technology
▪Auditors and compliance officers usually don’t understand the cloud or DevOps
▪Embrace it as a challenge to bring them around to your way of working
▪You’ll have to talk to a lot of people, mostly internal auditors and managers (expect meetings to schedule other meetings; bring a laptop!)
▪Don’t take questions about your cool architecture personally
10. technology == automation
▪Evidence gathering requires automation: let your bots do the work for you
▪Tons of time will be spent writing infrastructure automation in the early phases
▪Tons of time will be spent gathering data from that automation in the late phases
▪Self-describing systems FTW
▪Chef is great for this (knife node show NODE -l dumps every attribute the node reports about itself)
▪Use log aggregation to gather your evidence
▪Save the evidence somewhere other than the systems it describes, so a compromised or rebuilt host cannot alter its own record
▪Use 3rd-party tools to get an independent view of your world (I may know a good one!)
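As an added example (not code from this deck, from Chef, or from Evident.io), here is the "self-describing system" evidence pattern in Ruby: take the JSON a node reports about itself (the sample below is constructed and shaped like knife node show NODE -l -F json output, heavily trimmed), pull out only the attributes that support a given control, and wrap them in a timestamped record with a SHA-256 digest before shipping the record off the box. The control ID CC6.1, the node name and the chosen attributes are assumptions for illustration.

```ruby
require 'json'
require 'digest'
require 'time'

# Constructed sample, shaped like `knife node show NODE -l -F json` output
# (trimmed; a real node reports hundreds of Ohai attributes).
SAMPLE_NODE_JSON = <<~JSON
  {
    "name": "web-01.example.internal",
    "chef_environment": "production",
    "run_list": ["role[base]", "recipe[nginx]"],
    "automatic": {
      "platform": "ubuntu",
      "platform_version": "14.04",
      "ipaddress": "10.0.1.23",
      "kernel": { "release": "3.13.0-48-generic" },
      "packages": { "openssl": { "version": "1.0.1f-1ubuntu2.11" } }
    }
  }
JSON

# Pull out only the attributes the auditor asked for. Keeping the selection
# in code means the same evidence is collected the same way on every run.
def extract_evidence(node)
  auto = node.fetch('automatic')
  {
    'node'     => node.fetch('name'),
    'env'      => node.fetch('chef_environment'),
    'run_list' => node.fetch('run_list'),
    'platform' => "#{auto.fetch('platform')} #{auto.fetch('platform_version')}",
    'kernel'   => auto.dig('kernel', 'release'),
    'openssl'  => auto.dig('packages', 'openssl', 'version')
  }
end

# Wrap the evidence in a record tagged with the control it supports
# (the control ID is an assumed example) plus a digest over the canonical
# serialisation, so any change after collection is detectable.
def build_record(control_id, evidence, collected_at: Time.now.utc)
  body = {
    'control'      => control_id,
    'collected_at' => collected_at.iso8601,
    'evidence'     => evidence
  }
  body.merge('sha256' => Digest::SHA256.hexdigest(JSON.generate(body)))
end

# Recompute the digest over everything except the digest field itself.
# Returns false if any evidence value or the timestamp has been changed.
def record_intact?(record)
  body = record.reject { |key, _| key == 'sha256' }
  Digest::SHA256.hexdigest(JSON.generate(body)) == record.fetch('sha256', '')
end

# Collect evidence for one node and return the record that should be
# shipped off the box (to the log aggregator or an evidence bucket).
def collect(node_json, control_id)
  build_record(control_id, extract_evidence(JSON.parse(node_json)))
end

if $PROGRAM_NAME == __FILE__
  record = collect(SAMPLE_NODE_JSON, 'CC6.1')
  puts JSON.pretty_generate(record)
  puts "intact? #{record_intact?(record)}"
end
```

The digest is what makes "save it somewhere else" worth doing: the copy in the evidence store can be checked against the record at any time, and a host that later rewrites its own attributes cannot silently rewrite the evidence already collected from it. In a real pipeline the node JSON would come from the Chef server rather than a string literal, and the records would be written to storage the node itself cannot modify.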
11. What will you be asked for?
▪Diagrams and diagrams and diagrams (of networks and application stacks)
▪“Evidence” for “Controls” (i.e. TONS of data)
▪Your cloud provider’s certifications don’t mean you don’t have to work
▪In fact, you have to prove you’re meeting your side of their shared-responsibility model (the customer responsibility requirements)
▪In the test phase you will sit through many, many long hours of meetings with both internal and external auditors
▪HINT: let your internal auditors be the ones to say “no”
▪More than likely: DOCUMENTATION
▪Because, why not do it with Chef? (infrastructure as code is documentation that stays current)
12. What will you be asked for?
The Sensitive Parts
▪Cloud Configurations
▪System Configurations
▪Firewall logs
▪Application Descriptions
▪Network Access Testing
▪Authentication and Authorization
▪Privilege Escalation
▪Data Isolation
▪Segregation of Duties
13. Where can I read more?
▪Start with the Cloud Security Alliance Cloud Controls Matrix
https://cloudsecurityalliance.org/research/ccm/
14. Final Note: Compliance is Continuous!
▪You mean I’ll have to go through this again?
▪Maybe you, maybe someone else, but yes
▪Be the process
▪Bring it on! (other compliance projects)
15. Give me a shout!
✴ Twitter: @johnmartinez
✴ Email: john@evident.io
Come see us at Booth #104
Enter our drawing for a drone!