Complying With Automation

Thinking back to the early 2000s (I refuse to call them “the noughties”) it seemed that whatever technology you were talking about, the word “security” always came into the equation.

Fast forward to 2024 (for those who were keen cassette deck users in the day, it’s usually the button fourth in from the left) and it seems that – in its broadest sense – compliance is that key word. Whether we’re talking specific compliance requirements – and, to think, many people initially thought GDPR was just another “Y2K” scare show – or simple data provenance and governance, a combination of global government initiatives and mass data outsourcing (public cloud) has made data a very sensitive point of discussion.

Looking at the majority of product tests I’ve carried out over the past couple of years, whether it’s FileCloud, SoftIron, Qumulo, Swimlane, or the SASE-related work I’m currently involved with, compliance has always been a key factor to consider as part of that evaluation process. So, in the same way that the aforementioned Swimlane introduced low-code automation to SecOps, it’s no surprise to see that a vendor, Drata, is focused on automating the entire compliance process within an organisation. After all, it’s not simply the ever-growing list of compliance frameworks that need to be managed, but all the use cases too: from startup, through ongoing audits, to risk management, integrations/APIs… Argh!

So, Drata is introducing the idea of Compliance as Code (CaaC) for the DevSecOps community. The basic concept is simple to grasp: stop the never-ending rounds of firefighting (the band-aid approach), reacting to every change and irregularity, and instead build that compliance management into the code itself, so that the software teams can identify and remediate potential compliance issues as part of the code development. At an IT event once, while on a panel, I created the idea of CSaaS – Common Sense as a Service – and CaaC certainly fits that remit.

In order to accelerate that CaaC process, Drata has just announced the acquisition of the vendor oak9, whose technology – among other things – continuously scans infrastructure-as-code and cloud environments for potential security and compliance issues. As Drata CEO, Adam Markowitz, notes, the CaaC approach means turning months of manual review and remediation (by which time new issues have arisen and overtaken the old ones) into minutes. It’s a concept I’m hugely familiar with, having tested with the likes of Rimo3, which automates the testing, migration and management of Windows apps to new platforms. Put simply, it is a case of automation making the unmanageable manageable, and avoiding excruciating – or even business-threatening – costs and delays as a result. And that is a result! Now, for all my fellow LUFC fans out there, let’s hope it’s matched by an equally good result on Thursday night…

Meantime, I would suggest that Drata is most definitely a vendor to keep both eyes on. Its focus area is only getting more complex by the day, matched by the increasing costs of failing to manage those compliance requirements. And, if you are still looking to do it “on manual” then all I can say is “good luck!”