Compliance As Code: shift-left and shift-right approach in a Cloud world

Maintaining compliance in a Cloud world requires a new approach that maximizes the balance between agility and safety. Just like we use infrastructure-as-code in infrastructure automation and approach of CI/CD in application lifecycle management, at the same time our DevSecOps teams should adopt compliance-as-code, especially in a cloud world. We can introduce compliance-as-code on the left side of the DevOps lifecycle and/or on the right side. Working on the left side we can detect issues very early in the process, but our tests are limited in scope, more related to a specific workload. On the right side, we can detect and remediate issues that would be difficult to anticipate during the building phase, we can assess the resources against requirements defined at a more high level, but the improvement requires more effort. On the left side, we can leverage general-purpose tools such as OPA - Open Policy Agent - an open-source engine incubated in the CNCF. On the right side, it's better to leverage services provided by the Cloud provider as AWS config

Comments

Please login to leave a comment

Massimo Bianchi at 12:54 on 15 Mar 2024 (via Web2 LIVE)

Interesting approach. I would love to see a NIS2/ DORA/ PCI/... Preset of available rule sets

Ciro Cardone at 13:20 on 15 Mar 2024 (via Web2 LIVE)

Illuminante

Antonio Turibbio Liccardi at 13:20 on 15 Mar 2024 (via Web2 LIVE)

Bravissimo speaker, contenuti molto interessanti, ottima esposizione

Federico Bonarrigo at 14:44 on 15 Mar 2024 (via Web2 LIVE)

Bella presentazione, forse un po’ troppo calata in uno specifico contesto di piattaforma AWS

Giuseppe Genovese at 00:26 on 16 Mar 2024 (via Web2 LIVE)

Ho trovato il Talk davvero interessante, l'argomento mi è piaciuto tantissimo. Nel periodo in cui siamo, con l'avvento di gpt le scadenze vanno via via diminuendo e se l'AI lavorasse a braccetto con questa tecnologia si potrebbe di nuovo raggiungere una nuova era dell'IT 🚀🚀

Alessandro Chiarini at 10:26 on 16 Mar 2024 (via Web2 LIVE)

Io ho faticato molto a seguire il "senso" di questa talk, secondo me molto interessante. Avrei forse capito meglio (ma sono fatto male io, me ne rendo conto) se ci fosse stato un caso d'uso concreto (healthcare, finanza, retail) dove i requisiti di policy guidavano e facevano spiegare scelte e strumenti.

Mauro Cardillo at 09:28 on 18 Mar 2024 (via Web2 LIVE)

Ottimo talk, Paolo ha trattato un argomento di cui pochi parlano (la compliance nel mondo cloud) con chiarezza e semplicità, propria di uno speaker preparato e competente sulla materia. Bravo!

Luca Bovo at 10:34 on 19 Mar 2024 (via Web2 LIVE)

A brilliant presentation about a must have in management of complex Cloud environments: compliance + the right tooling to manage its lifecycle!
Really interesting and well explained!

[email protected] at 17:46 on 19 Mar 2024 (via Web2 LIVE)

great insights

Paolo Latella

Friday 15 March 2024 from 12:45 to 13:20