
You Can "Trust" Me, I'm "Compliant": A Practical Approach to Automating Compliance and Demonstrating Trust

BSidesPGH · 2023 · 37:26 · 66 views · Published 2023-08 · Watch on YouTube ↗
Speakers: Adam Duman
Tags
Category: Technical
Topic: GRC
Style: Talk
About this talk
Explores how compliance automation and trust management platforms are reshaping audit readiness and regulatory adherence. Duman demystifies these emerging tools, shares real-world implementation patterns from his experience as a PCI-QSA and security engineer, and provides actionable steps for identifying automation opportunities in compliance workflows—moving beyond spreadsheets toward repeatable, trustworthy processes.
Original YouTube description
BSidesPGH 2023
You can "trust" me, I'm "compliant": A practical approach to automating compliance and demonstrating trust

What began as SOAR has taken on a form that I don't think many of us saw coming. Analysts and engineers once used some Python or PowerShell to automate daily tasks, and if we were really lucky we had a well-tuned Splunk or ELK instance with some triggers in other systems too. "What should I automate next?" was a common question among practitionerds, with a just-as-common "What are you still doing by hand?" reply. Unfortunately, in many cases SOAR proved too complicated or costly to implement in meaningful ways that met the claimed promise of the technology… but others in the space were watching.

Today a security and compliance professional is bombarded by messaging about "Trust Management Platforms" and "Compliance Automation" from all sides. The days of spreadsheets to run assessments for SOC 2 or ISO 27001 seem to be going the way of the dinosaur, and the imperative to meet regulatory requirements around GDPR, CCPA/CPRA and other laws is increasing. This talk breaks down the key elements of what compliance automation is (or can be), what that has to do with trust management as a concept (and how leaky that term is), goes over some fun tidbits about what it looks like in practice, and will provide some actionable steps for attendees to use to identify places where they can apply some of these tools in their own work.

"Trust Management" and "Compliance Automation" have become de facto euphemisms for audit prep/readiness/execution and filling out security questionnaires. This talk demystifies what they are, what they look like in practice, and how to go about implementing some of the concepts for ourselves.

Adam Duman
Adam Duman is a Security Analyst and Sr Security Engineer who made some interesting choices and wound up as a PCI-QSA. He now works for Vanta in an effort to secure the internet and help others not repeat the mistakes he made as a technical and GRC practitioner. He instead wants to see people make new, better, and more interesting mistakes.

https://pretalx.com/bsidespgh-2023/talk/LDXEZE/
Transcript [en]

All right, I'm not really sure if I'm supposed to start right this second, but it's cutting into my time and I have lots to say. So my name is Adam Duman and this is "You Can Trust Me, I'm Compliant." Seeing as I'm the opening act, I do want to really quickly thank BSides. I think it's 13 years and 10 and a half events, 11 events, something like that. Super, super cool to see; really, really glad to be in the room with everybody today. Obligatory: these are my opinions and not my employer's opinions, yada yada. And then a little bit of background on the talk. The idea for this came to me while I was attending BSides Las Vegas last year. Really, really, really good talk from Shea Nangle and Wendy Knox Everette; I want to say it was "I'm a Little Bit FedRAMP, I'm a Little Bit SOC 2 and Roll," something like that. It was about kind of the differences between SOC 2 and FedRAMP compliance, what that looks like, how that operates. And at the time I was deeply involved in evaluating FedRAMP and looking at it and feeling all that pain for myself, and that got me thinking about how I have spent a lot of time digging through that information. They talked about concepts that made sense to me automatically, and, you know, the classic: talk about something you know a bit for a talk.

Quick question. Raise your hand for me so I can get a sense of who's in the room right now, please: if you've been involved in a compliance effort in any way, whether it's as a practitioner, engineer, you've suffered through something. I love and hate to see it. Okay. How many of you consider yourselves to be GRC-first people? Cool, okay. And then engineering or technical, more focused? Even better, good. And then who thinks they're, or, got them, one, who can do both? It's okay to toot your own horn there, that's fine. That's the ideal, I think. So we'll jump into a quick little story here, right. My... I see how it is, John. [Laughter] I know. Okay.

So there once was a man named Adam who was running a security and compliance program across the board for a little org in Phoenix, Arizona, as a baby security analyst, and learned this lesson the hard way. Ian Coldwater has a lot of wisdom for us. I volunteered for the security analyst role and our CTO looked at me and went, "Yes, sold," and I have not regretted that decision, but I have lived with that decision ever since. I accidentally into security; I think it is a cliché quote, but it's very, very true. And what ended up happening is I'm standing there and I'm just poking away at our internal network, trying to decide: is Sumo Logic going to work better, is LogRhythm better, how are we going to monitor this cloud hybrid environment? And that same CTO wanders over and goes, "What do you know about SOC?" "What sock?" And he's wearing Jordans and I know he's a bit of a sneakerhead, so I'm very confused for a moment. "Yeah, SOC, that, you guys, the compliance thing." Sarbanes-Oxley? SOC 2? Security, like secure organizational controls? What are we looking at? And he was talking about SOC 2 Type 2. We had a client who wouldn't move forward until we had SOC 2 Type 2, ISO 27001, some of that fun stuff, and for a company that was regularly skin-of-our-teeth PCI Level 1, adding that kind of stuff in as well was going to be painful.

It's actually a decent little segue into me: lots of alphabet soup, it doesn't really matter unless it matters. I'm currently working at Vanta, so that's our little mascot over there, Ilma. I'm a bit biased on this topic because of who I work for and what I do. I've spent a lot of time as an engineer and analyst, all kinds of other stuff, and, trying to think of the best way to put it, living on both sides of the table gives you a really interesting perspective. When you've been assessed, that's one kind of pain; when you are being assessed, that is a different kind of pain; and then when you're doing the assessing, it's all of it, especially if you've sat on both sides. I think one of those places where that comes into play the most does turn into the prep for an audit, the prep for an assessment. Assessors are interesting people; I know, because I am, slash was, one. And it's an interesting dynamic, right? A lot of people in here have said they've been assessed before. So you sit down with the assessor, whether it's Zoom, wherever, and that's a give and take that can be really, really stressful. A lot of times there's a scenario where: I need to cover this up, I don't need to give this up, I don't want to cover this up, I need to show this, I need to tiptoe around this a little bit. And that kind of gets into that trust portion: building that relationship with your assessor, building that relationship with your internal stakeholders, is crucial.

So why am I talking about all this nonsense, right? What, blah blah blah blah. I think we're in a scenario right now where, you know, with DevSec and DevSecOps and DevSec and platform engineering and driving ever-increasing interoperability between APIs and cloud space, the pace of change is increasing every day. The battle for zero trust is fighting with the battle for compliance, compliance management, trust management, XDR, EDR, blah blah blah blah blah.

Those terms are pretty leaky if you think about them for a minute. Compliance management makes some sense; the line between XDR and EDR is maybe a little bit more fuzzy. And we've probably all been subjected to a very, very bad sales pitch that's just all buzzwords, all soup. I want to specifically take a look at compliance automation, trust management, and what those mean in practice.

So compliance automation: super generic-sounding term, and it is kind of self-explanatory what it does, right? You're automating compliance. It's fairly well understood, fairly well... kind of, you know, I don't want to do stuff by hand. For a long, long time there was, you know, "I'm learning Python, I'm learning to automate things I don't want to do, what should I automate next?" and the response was "What are you still doing by hand?" Compliance automation could be automating evidence collection, could be automating evidence submission; it could mean almost whatever we want, right? There are a couple vendors out there that have a really, really well-built portal where you upload evidence, they've got all the compliance requirements written in there, you upload directly into the portal, your assessor can look directly at the evidence, accept, reject, streamline all that workflow. And in my mind that kind of counts as automation too. It doesn't have to be fully automated, but the ability to take a more hands-off approach to getting evidence collected, handled, tested, whether we're talking internal audit or external audit prep work, being able to pull that and showcase it in an easier way, is hugely important.

Trust management is where we start to get a lot more leaky and squishy: does this really mean anything, or what does this mean? I gave this talk to my leader to have a look at: hey, does this make any sense? I'm not going to give you the talk, but look through my slide deck, tell me if this sounds like absolute bunk, if this makes sense, do you get where I'm going with this. And he left a comment on this slide about how he thinks the industry definition is, what was it, "the operational processes of assessing the reliability, security and risk of third parties on an ongoing basis." For what it's worth, I hacked that together, and I replied with: out of curiosity, how is that any different than the definition, or a reasonable definition, of vendor and third-party risk management, or even just compliance management? That sounds like what we're already doing. His reply, verbatim, was "it sounds more fancier," and that's pretty much how I think about the trust management buzzword, right? It makes sense when you think about it, but I think it's acknowledging a lot of sections that are not traditionally thought of. A lot of us, definitely me, I find myself thinking about security in a vacuum, and it's an infinite black hole when it's a vacuum. When you have no other considerations, no other needs nor other demands, it becomes this never-ending ouroboros that just eats its own tail, and there's always another thing, always more happening. And trust implies a lot more than just meeting expectations. Trust implies, or should at least, that there's an element of brand management in there, there's an element and an acknowledgment of human relationships, reputational management. It's a much broader thing than "we have our SOC 2 Type 2, we have FedRAMP, we have ISO 27001." It goes a layer beyond even third-party vendor management and dives a lot more into specifically how organizations work with each other and support each other, and what that ecosystem looks like when you don't have to look over your shoulder. I'm not personally a big fan of "trust but verify"; I think it's "verify and give credit where it's due," and I think that's where trust management is going. But it really is still kind of a brand new made-up term; it means what we want it to mean when we want it to mean it.

And so, okay, there are two sides of the same coin, right? Trust management is expanded compliance management, kind of. I think they are very, very similar. Compliance over time builds trust; compliance over time shows that you do the right things. It shows that you are at least meeting a certain baseline. It's a really, really valuable way of uplifting an organization that may not already be doing the right things, that may need that structure to start building on. But just from the show of hands earlier, it definitely seems like most people in this room have kind of eyes open about what is actually involved in compliance: weeks of prep work, sometimes months of prep work depending on what you're looking at, and a lot of effort to manage and navigate a pretty thorny process. A SOC 2 report, for instance, is only valuable if it addresses actual concerns. I think it was Wendy Knox Everette who talked about this as well, but you can get a SOC 2 on a napkin if you find an assessor who will do it. A bar napkin, sitting there: here's 10 grand, here's my SOC 2 language, I want to prove that this napkin is secure, and that is a legitimate SOC 2. It's written by an assessor, can be signed by a CPA, good to go, but that probably doesn't actually prove anything about anything but that napkin. And SOC 2 is a good example of where the trust portion of this really comes into play, because has anybody in here actually read a SOC 2 report, sat down and read one cover to cover, end to end? Fun, good stuff, lots of word salad. And it's easy to look at it and have a vendor who says, "Oh yeah, we're SOC 2 Type 2, our observation window is six months or nine months or 12 months or three months." And I've sat down and looked at a SOC 2 report and: this isn't what we're buying from you. I'm not buying this product; this is on a totally different product. This report isn't addressing concerns that I care about, because you get to define your own scope. As long as your assessor agrees that this is reasonable, the language is reasonable, their controls are reasonable, it's fine: do the assessment, get the SOC 2, give it to your vendors and your partners. And that's a big part of where we start to get, again, into that weird place where compliance is compliance, security is compliance, trust management, how do they overlap? It comes back to the idea that context is everything. A SOC 2 report that doesn't cover things that I care about as a security practitioner doesn't provide value, it doesn't build trust, it doesn't show me anything except that this company can achieve a SOC 2 report.

The differences between trust management and compliance management are many, I guess we'll say. Some of the bigger ones are the classic: compliance is dumb, compliance doesn't help, compliance doesn't show much, because it really does validate minimum

effort. I know, as a QSA, there's a world of difference between letter and intent of requirements; there's a world of difference between implementation and letter and intent. I've seen environments that were extremely secure, air-gapped networks, all kinds of stuff, but were not compliant because they weren't doing things in the way that PCI DSS wanted them to. Significantly more secure, but 10-plus compensating controls to demonstrate that you're doing things the right way, just because your implementation is better than the baseline. That is one of the places where it starts to break down, kind of a lot. The other thing that makes them very, very different is that compliance can show that you're doing the right things for the right reasons, but it doesn't necessarily mean that you are. It means that you're doing at least something, not necessarily for the right reasons. And then, you know, how many companies have been breached that are compliant with all kinds of stuff, right? Compliance shows you can do some stuff; it shows you've made a couple things happen. Doesn't prove that you're actually trustworthy; doesn't prove that you are a company that I want to go into business with. That's why we still see security questionnaires, that's why we still see all kinds of other organizational processes to make up those differences between where compliance falls short and where we're trying to build that trust with other organizations, where we're trying to build that relationship with their security team, with their sales team, to better understand if we want to engage with them.

And I think that, you know, does that sound trustworthy, just doing the minimum, doing what you have to do? Do I have to have a pen test for SOC 2? No, not required. Should you? I should probably get one; that's kind of helpful for a lot of other vulnerability management work. I don't have to. And that's an interesting thing to come out and bite you if you're working with a company: "Oh yeah, we have the SOC 2 Type 2, here you go." "Do you have a pen test report?" "No, we didn't do that, we don't have to." Hmm. Maybe you can't afford it, maybe this, maybe that, lots of reasons, but that tells me something as a partner about skin in the game, about buy-in, about desire to demonstrate trust.

So most people in here have been through some form of compliance effort, right? The status quo, for those of you who don't know, is pain. It's spreadsheets, emails, weekly calls, massive document request lists. I think when I was an active QSA I had a tracking sheet that I ran out of Excel, because that's how it still works in a lot of places, that for some assessments is over 1,400 rows long with statuses and all kinds of different "I need this, I don't need that," rewriting the request for evidence based on the customer's environment. And when I would send that to customers, these are usually very large organizations with pretty robust GRC teams and good compliance management and all that, but it's still not fun to receive that kind of an email: "Hey, I uploaded the tracker to our secure portal, please go download it and have a look." That's a great experience; that feels wonderful when you're starting an assessment. Download it, open it up: oh crap, there's a lot in here, this is gonna suck.

And this goes back to taking on that security analyst role. After a few weeks of rummaging around, buying ISO 27001 and 27002 and reading through them and starting to kind of map out what we're already doing, what we're not doing, what it looks like, how to do it, how not to do it, does this overlap with PCI, finding all kinds of other places and resources, it dawned on me that, oh, our annual PCI assessment is coming up again. I need to start double-checking all that evidence and figuring all that out. Pulled the report from last year, pulled all that, went and started looking at evidence, pulling stuff, double-checking: yes, ASV scans are running, all that good stuff is still happening. QSA shows up, we start the engagement, and it's right back to weekly phone calls, on-site assessment, this, that, here's your spreadsheet, here's all your other stuff. And as a QSA, the same kind of thing: I know I've got this engagement coming up, I know I have all this work coming up, balance it all across multiple clients, multiple environments, remember what environment is doing what based on last year, this year, constant spreadsheet updating, jumping between different tech stacks. And I never felt good. Having been assessed before, it always felt really bad to send somebody a spreadsheet that I knew I didn't like, that I knew I found clunky and painful and really, really obnoxious, and go, "I'm proud of this, here's my work product." That didn't feel good for me.

So on top of all this spreadsheet passing back and forth and screenshotting and pulling reports, running scripts to get configuration out of Windows, Linux, all kinds of stuff, your assessor or auditor also gets a vote on your compliance and your trust, right? We don't decide that, unless you're doing a self-attestation. And this is not a comprehensive list, obviously; there's a lot more that goes into it than just four things that feed into two things that feed into your report or your certificate. But this is where having that relationship, that ongoing relationship, is important, because on top of you knowing what's going on internally, your assessor gets a say, you get a say, your stakeholders are going to have a say. There's so much happening; it's not like a tie. Stage right: "this is totally not an important thing for the company." Customers are also going to have a say. Internal and external security is going to want probably more than what compliance strictly requires. Sales teams are going to be annoyed that they have to log into the demo environment with MFA, right? Super reasonable; I think most of us would agree that MFA is probably a good thing to do, it's well understood. I'm not going to get into whether SMS MFA is better or worse, whatever. But just adding MFA in front of a sales environment can cause a lot of friction, and that's required for a lot of different compliance standards. Developers are going to want to move fast and break things: screw change management, screw this, I want to build it and ship it, and we want continuous release. How do we manage unit testing, how do we manage all the other elements that go into that without introducing additional friction? So there's that push-pull as well.

There is some hope, though, right? It's a bleak landscape, but it's getting better. The days of spreadsheets are starting to go away. I mentioned earlier I work for one of them, but there are several players in the field that are doing compliance automation, trust management, designing platforms that make this easier for assessors, companies, individuals. And I'm not going to dive into which one is best and which is worse and exactly

what that looks like. But there are some cool ways to start doing this yourself without having to go buy from somebody. At the end of the day, the cloud might be someone else's computer, but for our purposes the cloud is a series of interconnected APIs, and we can interrogate those APIs to get information. It's harder if you're on-prem primarily, but Ansible, there's tooling out there that can really help with that.

But we start with the fundamentals; they're fundamental for a reason. Identify your business objectives. If you're trying to drive a compliance initiative that nobody cares about, because it's not helping to close deals, it's not helping to improve anything, the business doesn't care about it, it's going to be an uphill-in-the-snow-both-ways effort. Take a risk-based approach: all compliance is risk-based at the end of the day. As an assessor, I've seen some stuff that is sketchy, dubious shall we say, but it's based on risk tolerance, it's based on organizational need, and I don't get to dictate what that is. I dictate: do I think this control meets this intent, this letter, this requirement? I don't get to tell you how to handle your own business's risk. Spend time with your stakeholders, again, to design a control ecosystem that works, that isn't introducing too much friction, that isn't over-engineered. You can always do that; that's super easy. I mentioned earlier security is an infinite black hole if we want it to be. If we start with controls that make sense for what we need and where we're at today, there's some tap dancing you can do to convince most assessors that they're fine, unless you're blatantly not doing something. Most assessors are pretty reasonable people in my experience. I am one; I like to think I am.

Implementation, right, putting them in: start simple, test often. If you're pulling info out of AWS, let's say, I think, I forget the name of the exact section, but Compliance Manager covers a bunch of other sections of Watchtower and all kinds of stuff in AWS. You can interrogate those APIs, pull data out: what's our default configuration, are we compliant against these controls? They have a lot of that pre-baked in your cloud platform, all of them. Azure has a fantastic portal for it; all the cloud providers do something along these lines. As you start relying more on that, start small, test often, and your own trust in that system will grow, whether it's scheduled reports, whatever. You'll get more confident, your company will get more confident in the output, and you can start to accelerate it and turn it into more of a loop. Eventually this thing turns into a circle, we hope. And if this looks similar to RMF, the NIST Risk Management Framework, that's not by accident. I do think RMF does work pretty well when we spend time on it. It's important that we remember that, and I'm going to hang on this a couple times, but it's about the business objectives. It's a classic GRC take, but we have to align what we're doing and how we're doing it with what the business can tolerate, because if we don't, shadow IT is going to happen. The sales team is going to find a way to bypass MFA; they're going to be right back in there, and that demo account with all your special sauce is now going to be live out there on the internet for everybody to see. And that's one of those things that breaks trust, whether you're compliant or not.

So how, right? What am I supposed to automate, how do I even do this, what does this even look like at all in practice? And there are a couple different tiers, I would say. You've got a whack-a-mole approach: I don't like pulling this report, I'm going to automate my infrastructure as code, right, Terraform, do that, get that set up, and then I can run a report, I can get my Terraform configurations out, kick those over to my assessor, not having to deal with individual hosts. The first time I saw Terraform I wasn't super excited, wasn't super pleased: oh crap, I'm just taking it on faith that this entire infrastructure is following this. But it kind of can't not; that's kind of the point. It's deployed that way. Hopefully there's no drift, and if there is, you should have alerting for it. But again, I don't necessarily get to dictate that. There we go: I get to look at your Terraform and say the way this is designed, the way this is deployed, as deployed, meets my expectations and meets the expectations of the assessment.

Moderate effort: this is probably when you start looking at more of a build-buy-partner question. Again, it's a bunch of interconnected APIs. Most of this is surfaced, not all of it, but you can pull info out of your HR system for active users. A lot of times you're able to pull info out of background check companies, right? If you're using some of the more, I don't want to say light touch, but some of the more light-touch, speedy background checks, they have a lot of this info available via API as well. It's doable; I've done it before, to take all that, lots of Power BI, that was fun, and build a dashboard: ongoing compliance monitoring. Check in first thing in the morning: are the little lights blinking green, are they red, how am I doing here? That's a lot of work. Start thinking about buying: do we buy a tool that does this, is there something else we can do that pulls more of this together?

And that's when you start moving into high-effort, high-maturity work, where you're taking a more structured approach. You've got program management, right, an actual compliance and security program that you're able to replicate and repeat, instead of one-off "I need to be compliant in August, I'm going to start prepping for it in June or July." It becomes a repeatable process. That's when you know you're really starting to find some sauce with automation: when repeatability becomes expected, not just a thing that happens. And a lot of this comes back to your stakeholders: talk to your business units, talk to your business partners, they'll tell you what they do. I don't know many teams that don't try to do their best. Partnering with them earlier in the process is going to give you better results. Asking them "what's your normal workflow for this?" "Oh, we can actually help with that; I can speed some of that up if we use this or if we do it this way." Take some of that pain off, automate it. Set reporting flags for user accounts older than 90 days, right? Little stuff like that can go a long way. If you show your HR team how to think about, how to even support that, you might not want them doing access reviews for you, but what that can indicate, right: oh, we've got a lot of accounts that are that old,

we might have a broken process. I can help fix that process, and then we all win together. I get what I need, HR gets what they need, and it's no longer complaining quite as often about access reviews. You can even automate access reviews to a certain degree, if you can centralize a dashboard with all your users, all their active accounts, names, associations. That's where it gets really mucky and there's a lot of weird stuff going on in there, but that is absolutely doable as well.

Last little bit: it's easy to over-engineer something like this and really want to build something full and done, "I want to get all this off my plate if I can." Don't overcomplicate it. Focus on doing the easy stuff first: monthly reports, schedule what you like, little automations where you can, binary flags in your system. Is this hard drive encrypted? It may or may not really be effective, I think it is, but yeah, encryption at rest on your drives, a lot of times you need something like that for compliance. Is it on or off? Are my databases encrypted, on or off? Binary feature flags like that, that's super easy to pull, super easy to surface, and that's kind of how you start demonstrating that there's value in this, rather than having to go look at it constantly; you just know it because it's there, it's exposed, and you can pull that information yourself.

There's a couple caveats here. The quality of the automation overall relies on its output being trusted by everybody. You have to trust that you're testing the correct things in the correct way; your assessor has to trust that you're testing the correct things in the correct way. I'm not going to be super comfortable as an assessor walking into a room and sitting down and I see a dashboard with a bunch of green dots: dot, green, compliant. That's not going to work for me. I need to understand what's happening under the hood there. I need you to show me: what is this test actually doing, how are you actually validating this? Once I've been shown that, oh, I can trust this, this makes sense to me. I might need an artifact, depending on what framework you're assessing against, different collection requirements, evidence requirements, that kind of thing. I might need you to show me, like, an example of one of those tests as a JSON object that I can save and just store and keep. Not that that's great evidence, but as long as you can show me that it's a trustworthy result. I might want to revalidate now and then that you haven't mucked around with the logic, but that's part of building that relationship with your assessor, building that trust with your assessor. It also doesn't really solve for auditor variance, because of that. In a room of three QSAs you'll have 40 different opinions on one topic; that's fairly true for a lot of other compliance frameworks as well. And this can make dealing with that easier: when you have regimented logic that you can show, this is an automated system doing the same thing every time, here's the output, here's why you should trust it, it makes it easier to deal with that "Who Moved My Cheese" moment that a lot of assessors have once you get into a flow with stuff. Once I'm doing assessments I get a workflow I like, questions I like to ask; "oh, this isn't what I was expecting," that's, you know, a record-scratch moment for me. And the ability to just show me, here's what's going on, I'm a new assessor, never done this before, your old assessor might have agreed, I don't, "oh, that makes sense to me, okay, cool," easier to navigate that.

This also allows for operationalizing some really, really interesting, complicated processes. I mentioned access reviews, which can be super painful, but there's a lot of other stuff too. Vulnerability management, if you find out a way, right, there are a couple ways to do it: gating what vulnerabilities you care about, how you alert on them, how they are surfaced. You can do some pretty cool stuff with automating your SLAs, automating meeting your SLAs, improving that, automating categorization of vulnerabilities to save other teams time. Having had to do both myself, that was a godsend, figuring out some ways to do work on that.

Real-time monitoring can introduce risk, though. There are a couple products out there that surface your automated compliance posture basically in real time, and that's a really, really good way to build trust, that's a really, really good way to showcase that you're confident in your control ecosystem, you're confident in what you're doing, you want to do the right thing, you want to be out there and known and seen for being a good digital citizen. But you do have to be mindful: obviously, if a control starts to fail, if a configuration changes, a database gets spun up that isn't encrypted yet and doesn't get caught in time, and that's now out there, public non-compliance isn't a great thing. Again, there are ways around that where you only show passing controls, maybe; if that's an acceptable solution, more power to you. There are a couple ways to handle navigating that: how do I show this, how do I, without having to deal with security questionnaires constantly, without having to, you know... if you can direct somebody to a link: here's our current status, any questions? Here's a copy of our last report, any questions? Sign the automated NDA, let's go. It can save time, brain cells, sleep, all kinds of stuff.

And then, yeah, the final little bit, right: remember that your cloud provider has most of this stuff built in. You don't have to go reinvent the wheel unless you really want to. A lot of them are very, very good at surfacing this information, showcasing this information. You might have to go dig for it, but they do have it. They do have the pre-built configurations that you can even deploy that are pre-compliant when you deploy them, and getting those systems talking to your expected tests and your expected outputs is really, really powerful. Time-consuming. I like to say that I went and became a QSA out of spite, because I had some rough QSAs, I had some assessors over the years who didn't quite grasp what was going on and weren't really interested in learning about it. And after a couple years of poking at finding ways to reduce this pain and make it easier and make it, I wouldn't say fun, but more technical, more interesting, less clicky-clicky pull-a-report, give-me-a-spreadsheet, I've found that there's a lot of benefit with dealing with engineering teams too. This is a fun problem; if they have some bandwidth, this is a super fun problem, good experience, fun to build. And that's trust management. It is what you want it to be, but it's about navigating those relationships internally and externally and finding ways to surface the results for everybody to see.

Thank you. Questions? But yeah, I literally only have those two social media, so any questions? Any? That's good, I'll assume that was perfect. [Applause] Thank you, thank you.
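Editor's added example (not code from the talk, from Vanta, or from any vendor the speaker mentions): the pieces of the talk that are concrete enough to code are the binary "is it encrypted, on or off" flags, the "accounts older than 90 days" report, and the assessor's request to see the test logic as a JSON object they can keep rather than a green dot. The block below runs three such checks over a constructed inventory snapshot and emits an evidence artifact that records the rule applied, the population tested, the failing members and a digest. Everything in SNAPSHOT is made up; the field names (`encrypted`, `last_activity`, `mfa`) and the control names are assumptions, and in practice the snapshot would be written by a scheduled job that calls the cloud provider's and HR system's APIs.

```python
"""Evidence-producing compliance checks over a resource snapshot.

Each check returns a record that states the rule applied, the population
tested and which members failed, so an assessor can read the logic rather
than trust a green dot. The whole run is serialised as a JSON artifact with
a digest both sides can record.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample snapshot (assumption: in practice this is pulled from
# the cloud provider / HR APIs by a scheduled job, not typed by hand).
SNAPSHOT = {
    "collected_at": "2023-08-01T12:00:00Z",
    "volumes": [
        {"id": "vol-0a1", "encrypted": True},
        {"id": "vol-0b2", "encrypted": False},  # unencrypted disk
    ],
    "databases": [
        {"id": "db-prod", "encrypted": True},
        {"id": "db-demo", "encrypted": False},  # demo DB spun up without encryption
    ],
    "users": [
        {"name": "alice", "last_activity": "2023-07-30T00:00:00Z", "mfa": True},
        {"name": "bob", "last_activity": "2023-03-01T00:00:00Z", "mfa": True},
        {"name": "svc-demo", "last_activity": None, "mfa": True},  # never used
    ],
}

# Fixed evaluation time so the run is reproducible (assumption for the example).
RUN_AT = datetime(2023, 8, 1, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the snapshot's UTC timestamps ('...Z') into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def result(control, logic, population, failing):
    """Uniform result record: the rule, the population size and the failures."""
    return {
        "control": control,
        "logic": logic,
        "population": population,
        "failing": sorted(failing),
        "status": "pass" if not failing else "fail",
    }


def check_encrypted_at_rest(resources, kind):
    """Binary flag check: every resource of this kind must report encrypted=True."""
    failing = [r["id"] for r in resources if not r.get("encrypted")]
    return result(f"{kind}-encrypted-at-rest",
                  f"every {kind} has encrypted == true", len(resources), failing)


def check_stale_accounts(users, now, max_age_days=90):
    """Flag accounts with no activity in max_age_days (or no recorded activity)."""
    cutoff = now - timedelta(days=max_age_days)
    failing = [u["name"] for u in users
               if u["last_activity"] is None or parse_ts(u["last_activity"]) < cutoff]
    return result("no-stale-accounts",
                  f"every user has last_activity within {max_age_days} days of the run",
                  len(users), failing)


def check_mfa(users):
    """Every account, service and demo accounts included, must have MFA enabled."""
    failing = [u["name"] for u in users if not u.get("mfa")]
    return result("mfa-enforced", "every user has mfa == true", len(users), failing)


def canonical(body):
    """Canonical JSON (sorted keys, no whitespace) so the digest is stable."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def run_checks(snapshot, now):
    """Run all checks and wrap them in an evidence artifact with a digest."""
    results = [
        check_encrypted_at_rest(snapshot["volumes"], "volume"),
        check_encrypted_at_rest(snapshot["databases"], "database"),
        check_stale_accounts(snapshot["users"], now),
        check_mfa(snapshot["users"]),
    ]
    body = {
        "collected_at": snapshot["collected_at"],
        "evaluated_at": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "results": results,
        "overall": "pass" if all(r["status"] == "pass" for r in results) else "fail",
    }
    # The digest lets producer and assessor confirm they hold the same artifact.
    # It is not a tamper-proof seal: the producer computed it, so the assessor
    # still revalidates the logic now and then.
    body["sha256"] = hashlib.sha256(canonical(body)).hexdigest()
    return body


def verify_digest(artifact):
    """Recompute the digest of an artifact and compare it to the stored one."""
    body = {k: v for k, v in artifact.items() if k != "sha256"}
    return hashlib.sha256(canonical(body)).hexdigest() == artifact["sha256"]


def public_view(artifact):
    """Trust-page variant the talk mentions: passing controls only, no detail."""
    return [r["control"] for r in artifact["results"] if r["status"] == "pass"]


if __name__ == "__main__":
    print(json.dumps(run_checks(SNAPSHOT, RUN_AT), indent=2))
```

The `logic` string in each record is the part an assessor actually asks for: it says what was tested and against what population, so "fail" for `no-stale-accounts` reads as two of three users outside the 90-day window, not as a red light. `public_view` is the "only show passing controls" option from the talk; it deliberately drops the failing records and their detail, which is the trade-off the speaker flags for real-time public status pages.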