The deadline for General Data Protection Regulation compliance has come and gone. But organizations are understandably still concerned about how to achieve and maintain compliance. DevOps and automation could be the key to satisfying GDPR standards.
Assess your current compliance situation
Your organization's first step should always be to assess your existing capabilities. Paul Barnhill, DevOps strategist and vice president and principal architect at Cloud Technology Partners Inc., advised that companies assess their proficiency in the following areas:
- code analysis;
- software development tooling;
- management of software code under configuration management; and
- integration of JIRA with your software repositories.
This assessment can help identify ways to improve and assemble a plan to advance your processes and development toolchain to support your GDPR compliance efforts.
Shift security left for GDPR too
Experts often tell organizations to shift their testing left. But that goes for security as well and is especially essential to meeting GDPR standards.
Barnhill and his colleague Brian Ott, vice president and general manager for managed cloud controls at Cloud Technology Partners, advised organizations to address security issues early in the development pipeline. As a DevOps shop, you can use this to your advantage. If you can shift GDPR compliance left, you'll gain an edge over companies that still address security issues at the end of their software development lifecycle (SDLC). These organizations -- in reality -- lack the bandwidth to involve everybody in design and other phases.
When you automate the SDLC, you can run scans that identify patterns such as script injection, potential flaws and other related issues. This core principle of DevOps prepares companies to adhere to GDPR standards.
Barnhill also said that testing tool vendors have started to add capabilities to their products that identify security issues at the software and application level. Other DevOps tool vendors have introduced inspection capabilities to scan code at the infrastructure level.
Ott added that automation built into DevOps can prevent compliance issues from happening in the first place, whether it's for GDPR or another regulatory program.
Train your developers and operations staff in GDPR basics
As most IT companies now realize, GDPR has affected and will continue to affect you even if you're not primarily an EU-based organization.
Amar Kanagaraj, chief marketing officer at FileCloud, said that when his company had to meet GDPR to serve its European Union customers, it provided GDPR-focused training for its development and operations teams. In particular, it looked at ownership of customer data and contact points with attention to the executor. From the viewpoint of the operations and support team, it focused on the creation and documentation of this process. The company also trained developers and operations staff who handle data.
Embed GDPR requirements in your DevOps toolchain
Organizations need to communicate to all employees that GDPR compliance is everyone's job.
Ott recommended that organizations translate all of the GDPR requirements from their current business format to a technical perspective that developers can execute. Companies can publish these requirements as user stories rather than a traditional document or playbook. The stories can summarize GDPR points and the recommended remediation within your toolchain. For example, one story might cover password changes and be tied to your password management code.
With logic built into your repository, developers can achieve GDPR compliance without deviating from their familiar DevOps practices.
Write custom scripts to support GDPR compliance
Existing security tools, especially those that predate GDPR and other compliance regulations, cannot be blindly applied to the GDPR problem set.
Organizations should find customizable tools and approaches such as infrastructure as code so they can write their own rules customized for GDPR compliance, said Julian Dunn, director of product marketing at Chef Software, the IT automation tool company.
If a company already has advanced security and audit practices, Dunn said it should be able to write the necessary custom scripts to support GDPR compliance. However, he said small startups will still face challenges, mainly because it's unlikely they have a security officer on their team, never mind the tactical people to do that sort of work.
Follow your pipeline to GDPR
If you are a maturing DevOps organization and face the challenge of GDPR compliance, start with an assessment, provide training and then shift security left. Then, downshift on your DevOps culture, toolchain and delivery pipeline. If you can bring it all together, you will be closer to GDPR compliance than a traditional IT shop.