Supply chain disruptions, intellectual property theft and the rising cost of data breaches are among the top reasons for a drastic increase in global focus on cybersecurity compliance.
Regulated industries face more stringent requirements, and some organizations now require third-party assessments instead of using internal teams to verify compliance with cybersecurity frameworks. Non-regulated industries can also leverage the same standards in order to reduce their security risk. Compliance automation is increasingly important to manage the growing burden that security teams face.
Why automate compliance in the first place?
Data breaches are expensive. Various reports put the average cost of a data breach in the millions, and security teams are already overwhelmed and understaffed. This is a strong call for using automation to help with compliance initiatives.
Due to understaffing and tight labor markets, the most sensible means to advance your compliance initiatives is through the use of automation. Automating compliance is a key component of managing the work and reducing risk. The open source project Compliance as Code offers tools to help with this. Security automation content is available in SCAP, Bash, Ansible and other formats to help with verifying required system configurations and remediating when necessary.
About Compliance as Code
The Compliance as Code organization on GitHub is a Red Hat-originated project that spawned from the collaboration of government agencies and commercial vendors to make Security Content Automation Protocol (SCAP) content more accessible to users. Since its inception in 2011, the project has evolved to include commercial security profiles — such as the Payment Card Industry Data Security Standard (PCI-DSS) and Center for Internet Security (CIS) benchmarks — and to accommodate modern automation tooling.
Today, the Compliance as Code project provides general-purpose security content and building tools that commercial vendors can quickly develop and collaborate on. We have used these capabilities to deliver customer value through automated compliance solutions. However, compliance reporting can pose a challenge due to the nature of the reports and process. Ensuring accurate results in a spreadsheet takes time and effort and often duplicates work. Automated report generation can improve the efficiency of this job and get reproducible results into the hands of customers and contributors with less delay.
New approach to compliance reporting
Organizations, especially those in regulated industries, must often attain an Authority to Operate (ATO) to install and use software in their environments. Part of this process is to evaluate the software against a Security Requirements Guide (SRG), which is a set of technical controls such as those found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.
This evaluation determines whether the software meets, does not meet, or can be configured to meet each control, or whether the control applies to the particular software at all. Depending on the determined status, other text-based information may be required.
The evaluators may need to provide manual instructions or code to explain how to verify status. To configure the software to meet a particular control, they may also need to provide the code necessary to reach that configuration. The product of this exercise is a Security Technical Implementation Guide (STIG): a configuration standard consisting of cybersecurity requirements for a specific product.
The development of STIGs, a laborious process, is made more challenging when spreadsheets are involved. The US Defense Information Systems Agency (DISA) provides organizations with spreadsheets containing the security requirements for particular software and all the fields that may or may not need to be completed based on the status of each control, and there can be 100+ controls. Specific challenges an organization could face while working toward completion of that spreadsheet include:
- Keeping track of who is doing/has done what
- Which fields need to be completed based on the determined status of each control
- Ensuring correct formatting of content
- Quality assurance
Red Hat is improving and streamlining Security Requirements Guide (SRG) processing to get Security Technical Implementation Guides (STIGs) to customers faster and more efficiently by automating the STIG generation and verification process.
The Compliance as Code codebase has been enhanced to produce STIG content based on previously vetted checks. The STIG content delivered now inherits the test process already applied to Compliance as Code content, and automated comma-separated values (CSV) file generation reduces the errors that manual spreadsheet editing introduces.
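The two problems the article ties together, knowing which fields each control's status requires and producing a correctly formatted CSV, can be enforced in one small validation and generation step. The following is an added example, not code from the Compliance as Code project or from DISA's tooling; the status labels, column names and control ids are constructed for illustration and do not reproduce DISA's spreadsheet layout.

```python
"""Added example (not Compliance as Code project code): check that every
control carries the text fields its status requires, then emit a STIG-style
CSV.  Status labels, column names and control ids are assumptions made for
this illustration; DISA's real spreadsheet layout differs."""
import csv
import io

# The article lists four outcomes per control: meets, does not meet, can be
# configured to meet, or not applicable.  Which extra text is required for
# each is an assumption here, modelled on the kind of information described.
STATUS_REQUIRED_FIELDS = {
    "Applicable - Configurable": ("check_text", "fix_text"),  # verify + configure
    "Applicable - Inherently Meets": ("check_text",),         # how to verify
    "Applicable - Does Not Meet": ("mitigation",),            # explain the gap
    "Not Applicable": ("justification",),                     # why it does not apply
}

COLUMNS = ("control_id", "status", "check_text", "fix_text",
           "mitigation", "justification")


def validate_control(control):
    """Return a list of problems for one control record; an empty list means OK."""
    problems = []
    status = control.get("status")
    if status not in STATUS_REQUIRED_FIELDS:
        return [f"{control.get('control_id', '?')}: unknown status {status!r}"]
    for field in STATUS_REQUIRED_FIELDS[status]:
        if not control.get(field, "").strip():
            problems.append(
                f"{control['control_id']}: status {status!r} requires {field!r}")
    return problems


def generate_stig_csv(controls):
    """Validate all controls first; raise ValueError listing every problem,
    otherwise return the CSV text with a fixed, consistent column order."""
    problems = [p for c in controls for p in validate_control(c)]
    if problems:
        raise ValueError("\n".join(problems))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for c in controls:
        # Missing optional columns become empty cells; csv handles quoting.
        writer.writerow({col: c.get(col, "") for col in COLUMNS})
    return buf.getvalue()


# Constructed sample records; the control ids are placeholders, not real SRG ids.
SAMPLE_CONTROLS = [
    {"control_id": "SRG-EXAMPLE-0001", "status": "Applicable - Configurable",
     "check_text": "Run: grep -i '^PermitRootLogin' /etc/ssh/sshd_config",
     "fix_text": "Set PermitRootLogin no in /etc/ssh/sshd_config and restart sshd."},
    {"control_id": "SRG-EXAMPLE-0002", "status": "Not Applicable",
     "justification": "Product provides no wireless interface."},
]

if __name__ == "__main__":
    print(generate_stig_csv(SAMPLE_CONTROLS))
    # A configurable control with no fix text is reported before any CSV is written.
    incomplete = dict(SAMPLE_CONTROLS[0], fix_text="")
    print(validate_control(incomplete))
```

Validating before writing, rather than while writing, mirrors the quality-assurance concern above: the reviewer gets one list of every incomplete control instead of a half-finished spreadsheet, and the column order is fixed in code rather than left to whoever last edited the file.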
The process has started by streamlining SRG processing, but Red Hat does not intend to stop there. Many of the same problems are faced in different groups. To implement holistic solutions, we intend to incorporate frameworks that apply to customers around the globe and that spread across industries. Compliance as Code is a home for collaboration and iteration upon existing solutions to better serve customers and the community.
Learn more
We have introduced you to Compliance as Code and how Red Hat is helping to make automated compliance reporting accessible to everyone. If you would like to learn more, visit the Compliance as Code content repository and learn more about compliance management here.
About the authors
Andrea Hall is a problem solver and security compliance enthusiast, working across the organization to create efficiencies. Andrea joined Red Hat as a Solution Architect in 2019 and moved to Product Security in 2022. Her prior experience includes social work, entrepreneurship, digital forensics, and cyber intelligence analysis. She currently resides in Maryland with her husband and two teenage children, and is currently pursuing a Graduate Certificate in Strategic Management.
Jennifer Power joined Red Hat in 2021 as a Solution Architect for the North America Public Sector. She brings over eight years of experience working in IT services for the public sector and has a Bachelor’s degree in Computer Science from Old Dominion University. Jennifer is passionate about learning new technologies and is focused on contributing to the open source community to benefit the public sector and regulated industries.