When the technology industry is not inventing new gadgets, it is inventing new words, such as, next-generation firewall. This contrived word ultimately reshaped an entire market segment.
The newest word on the market is Compliance Automation. Which is near and dear to me since Anitian makes the only Security Compliance Automation (CA) product in the market (our FedRAMP product.) Seeing as how we are the first company to release product in this space, we are going to define the word.
So what is Compliance Automation? Well, let’s start with what Compliance Automation is NOT.
Compliance Automation is NOT…
- a Professional Services engagement
- a GRC tool
- a host-hardening tool
- a configuration management tool
Compliance automation is a cloud security platform. It is an architecture that delivers and accelerated compliance ready environment. A Compliance Automation platform has three primary components:
- Controls: endpoint security, SIEM, vulnerability scanners, etc.
- Configurations: pushing security policies, OS hardening, etc.
- Automation: code that deploys and configures all the controls to meet compliance requirements
In short, a CA platform is a compliance infrastructure that is pre-configured to meet the specific requirements for standards such as FedRAMP, PCI, ISO/GDPR, etc.
In contrast, GRC tools merely tell you what to do (and create a massive amount of work in the process.) Professional services engagements may result in a compliance ready environment, but they are one-off creations that are not automated. Also, professional services engagements place heavy resource demands on internal teams (especially developers) and take a long time to complete.
But the most important feature is automation. A CA platform must automate the deployment, configuration, and monitoring of compliant workloads and required controls. This is the whole point of automation, to create a reliable, repeatable process to build, size, and rebuild environments. Realistically, this can only be done in the cloud.
GRC tools are not capable of automating the build and configuration of environments, and therefore are not even comparable to CA. Likewise, security orchestration tools, like Phantom or Demisto, also lack this ability. They focus on scripting existing security controls and plugging into other processes.
The key value proposition for CA is speed and reliability. CA eliminates the guess work, complexity, and misery of compliance. Rather than build custom, one-off environments that are fragile and require constant care and feeding, CA platforms are built on proven reference architectures, that can be replicated quickly. This dramatically reduces the time internal staff must spend on compliance. And as we all know, time is money. CA reduces a organization’s time to money.
Compliance Automation is new. Anitian is excited to be a pioneer in this emerging technology (and we invented the word as well.) We believe that CA is not only a model for compliance, but for all aspects of information security. When security and compliance are an integral part of the code, then its no longer an option. The misery of lengthy audits and arguments over security controls become silenced. Security and compliance become enabled, by default and by design.