Ever since personal information started flowing into applications on the web, securing that information has become more and more important. General security and privacy frameworks like ISO-27001 and PCI provide guidance in securing systems. Now the law has gotten involved with the European Union’s GDPR and California’s CPRA. More laws are on the way, and these laws (and the frameworks) are changing as they meet legal challenges. With the legal landscape for privacy shifting so much, every engineer must ask: How do I keep my application in compliance?
On this sponsored episode of the podcast, we talk with Rob Picard and Matt Cooper of Vanta, who get that question every day. Their company makes security monitoring software that helps companies get into compliance quickly. We spoke about the shifting sands of privacy rules and regulations, tracking data flows through systems and across corporate borders, and how security automation can put up guardrails instead of gates.
Many security frameworks are undergoing modernization to reflect the way that distributed applications function today. And more countries and US states are passing their own privacy regulations. The privacy space is surprisingly dynamic, forcing companies to keep track of these frequent changes to stay current and compliant. Not everyone has in-house legal experts to follow the daily developments and communicate those to the engineering team.
For an engineering team just trying to understand the effort involved, it may be helpful to start figuring out where your data flows. Tracking it between internal services may be overkill; instead, track it across corporate boundaries, from one database, cloud provider, SaaS system, and dependency. Each of those should have their own data privacy agreement—plug into your procurement process to see what each piece of your stack promises on a privacy level.
Your DevOps and DevSecOps teams will probably want to automate much of the security engineering process as possible. Unfortunately, automating security is hard. The best path may not be to automate the defenses on your system; it might be better to instead automate the context that you provide to engineers. If someone wants to add a dependency, pop up a reminder that these dependencies can be fickle. Automate the boring stuff—context, reminders, to-dos—and let humans do the complex problem solving we’re so good at.
If you’re looking to add an in-house security expert as a service, check out Vanta.com. Their platform monitors connects to your systems and helps you prep for compliance with one or more security frameworks. If those frameworks change, you don’t need to do anything. Vanta changes for you.