New open source tool automates compliance

Chief Information Security Officers are hounded by two questions: "Is my company’s technology compliant?" and "Are all of the cloud products and services our company uses compliant?"

Compliance continues to be a major issue inhibiting cloud adoption across enterprises, especially those working in highly regulated areas such as government, finance or healthcare. In the healthcare sector, for example, a provider may want to secure patient-related medical data on the cloud. And that company has to know whether the cloud technology is HIPAA compliant or covers other security requirements.

Compliance, both regulatory and self-imposed, is an area where there is a technology trend to “Shift Left” (developers’ term for the effort to prevent compliance issues, not just detect them) into the development process, and compliance controls. By building compliance into the DevOps workflow, developer teams can save time while creating secure and low-risk code. To help these developers minimize the risk of noncompliance, our team developed Trestle, an open-source tool for managing compliance as code, using continuous integration and the National Institute of Standard and Technology’s (NIST) Open Security Controls Assessment Language (OSCAL). Trestle was created to help developer teams with the challenges of IT compliance, which frequently includes:

• Relying on human labor-driven processes for compliance as opposed to “codifying” it.
• Many control implementations for each control each of which are unique within organizations when lacking a standardized interpretation of compliance.
• Documentation that is hand crafted for each audit and recreated for each and every audit.
• Heavy reliance on human labor to collect evidence of compliance when requested by auditors or assessors.

Today, this challenge of compliance requirements is conflated by the increasing expectation and scope, both of the market and of government regulators.

Three keys to streamlining the compliance process:

1. For tooling and platforms to be opinionated, enforcing a particular interpretation of a control, to provide consistent best practice.
2. For evidence of compliance to be automatically collected and visualised.
3. For compliance posture and documentation to be stated once and reused within the organisation, such that there is always one authoritative source identified.

For these first two factors, IBM has released a number of tools within the past year, from the IBM Security and Compliance Center to Auditree. The challenge that remains is the documentation and, critically, how to minimize duplicate efforts for documentation, to create a single source of truth.

Across IT development and delivery there is an increasing trend towards managing various artifacts (such as configuration, and infrastructure) as code – whether it is infrastructure managed as code through Ansible and Terraform; continuous integration through Tekton; or deployments through Helm and Kubernetes. ‘As code’ patterns are a key enabler of agile development. In effect, it is unifying what was previously documentation as code — and manage it as code. However, compliance has stubbornly resisted this trend, in part because the underlying formats (such as spreadsheets and pdfs), are focused on human rather than machine interpretability. The emergence of OSCAL provides an open standard for compliance, which addresses this.

Trestle was created to manage compliance, and compliance documentation as code, to allow compliance to co-exist in the same world as the developer. We have adopted the emerging OSCAL standard, and the latest 1.0.0rc2 version by NIST, to act as the single source of truth. OSCAL artifacts allow documentation of the full lifecycle of compliance from documenting standards such as NIST 800-53 to the report auditors would receive.

The challenge we quickly realized is that OSCAL is confusing to end users – the NIST 800-53 catalogue published by NIST is over 70,000 lines of JSON. To this end, Trestle seeks to make it easier to deal with OSCAL. It includes a Python library to manipulate OSCAL objects with strong consistency guarantees, as well as a set of command-line interface tools to make it easier to manipulate OSCAL. The latter allows users to deal with smaller fragmentary OSCAL artifacts in a clean way where users are never required to copy and paste. Trestle can aggregate information and publish it for a user in a standardized and structured format.

Another feature is Trestle tasks, a curated set of automated compliance workflows. A few current examples include:

• Collect information, together with Auditree, from the OpenShift compliance-operator, and transform it into an OSCAL assessment result.
• Transform data coming from ‘Tanium’ endpoint management into an assessment result.
• Manage OSCAL artifacts under an the same automated “semantic release” approach taken by many projects.

Trestle is an evolving journey to streamline compliance and embed it in the development process. Read more about Trestle’s set up, and a tutorial about how it works, or drop into Github to explore the code.