
All right, I'm not really sure if I'm supposed to start right this second, but it's cutting into my time and I have lots to say. So my name is Adam Duman and this is "You Can Trust Me, I'm Compliant." Seeing as I'm the opening act, I do want to really quickly thank BSides. I think it's 13 years and ten and a half events, eleven events, something like that. Super, super cool to see. Really, really glad to be in the room with everybody today. Obligatory: these are my opinions and not my employer's opinions, yada yada.

And then a little bit of background on the talk. The idea for this came to me while I was attending BSides Las Vegas last year. Really, really, really good talk from Shane Angle and Wendy Knox Everett. I want to say it was "I'm a Little Bit FedRAMP, I'm a Little Bit SOC 2 and Roll," something like that. It was about the differences between SOC 2 and FedRAMP compliance, what that looks like, how that operates. At the time I was deeply involved in evaluating FedRAMP, looking at it and feeling all that pain for myself, and that got me thinking about how I have spent a lot of time digging through that information. They talked about concepts that made sense to me automatically, and, you know, the classic advice is to talk about something you know a bit for a talk.

So, quick question. Raise your hand for me so I can get a sense of who's in the room right now, please: if you've been involved in a compliance effort in any way, whether as a practitioner or engineer, you've suffered through something. I love and hate to see it. Okay. How many of you consider yourselves to be GRC-first people? Cool, okay. And then engineering or technical, more focused? Even better, good. And then who thinks they are, or, got them, one who can do both? It's okay to toot your own horn there, that's fine. That's the ideal, I think.

So we'll jump into a quick little story here, right. I see how it is, John. [Laughter] I know. Okay. So there once was a man named Adam who was running a security and compliance program across the board for a little org in Phoenix, Arizona, as a baby security analyst, and learned this lesson the hard way. Ian Coldwater has a lot of wisdom for us. I volunteered for the security analyst role and our CTO looked at me and went, "Yes, sold," and I have not regretted that decision, but I have lived with that decision ever since. I accidentally into security. I think it is a cliché quote, but it's very, very true.

And what ended up happening is I'm standing there and I'm just poking away at our internal network, trying to decide: is Sumo Logic going to work better, is LogRhythm better, how are we going to monitor this cloud hybrid environment? And that same CTO wanders over and goes, "What do you know about SOC?" "What sock?" And he's wearing Jordans, and I know he's a bit of a sneakerhead, so I'm very confused for a moment. "Yeah, SOC, that, you guys, the compliance thing." Sarbanes-Oxley? SOC 2? Security, like secure organizational controls? What are we looking at? And he was talking about SOC 2 Type 2.

We had a client who wouldn't move forward until we had SOC 2 Type 2, ISO 27001, some of that fun stuff, and for a company that was regularly skin-of-our-teeth PCI Level 1, adding that kind of stuff in as well was going to be painful.

It's actually a decent little segue into me. Lots of alphabet soup; it doesn't really matter unless it matters. I'm currently working at Vanta, so that's our little mascot over there, Ilma. I'm a bit biased on this topic because of who I work for and what I do. I've spent a lot of time as an engineer and analyst and all kinds of other stuff. Trying to think of the best way to put it: living on both sides of the table gives you a really interesting perspective. When you've been assessed, that's one kind of pain. When you are being assessed, that is a different kind of pain. And then when you're doing the assessing, it's all of it, especially if you've sat on both sides.

I think one of those places where that comes into play the most does turn into the prep for an audit, the prep for an assessment. Assessors are interesting people; I know because I am, slash was, one. And it's an interesting dynamic, right? A lot of people in here have said they've been assessed before, so you sit down with the assessor, whether it's over Zoom or wherever, and that's a give and take that can be really, really stressful. A lot of times there's a scenario where: I need to cover this up, I don't need to give this up, I don't want to cover this up, I need to show this, I need to tiptoe around this a little bit. And that kind of gets into that trust portion. Building that relationship with your assessor, building that relationship with your internal stakeholders, is crucial.

So why am I talking about all this nonsense, right? What's, blah blah blah blah. I think we're in a scenario right now where, you know, with DevSec and DevSecOps and DevSec and platform engineering and driving ever-increasing interoperability between APIs and cloud space, the pace of change is increasing every day. The battle for zero trust is fighting with the battle for compliance, compliance management, trust management, XDR, EDR, blah blah blah blah blah. Those terms are pretty leaky if you think about them for a minute. Compliance management makes some sense. The line between XDR and EDR, maybe a little bit more fuzzy. And we've probably all been subjected to a very, very bad sales pitch that's just all buzzwords, all soup. I want to specifically take a look at compliance automation, trust management, and what those mean in practice.

So compliance automation: super generic-sounding term, and it is kind of self-explanatory what it does, right? You're automating compliance. It's fairly well understood, fairly well, kind of, you know, "I don't want to do stuff by hand." For a long, long time there was, you know, "I'm learning Python, I'm learning to automate things I don't want to do, what should I automate next?" And the response was, "What are you still doing by hand?" Compliance automation could be automating evidence collection, could be automating evidence submission, it could mean almost whatever we want, right? There are a couple of vendors out there that have a really, really well-built portal where you upload evidence. They've got all the compliance requirements written in there, you upload directly into the portal, your assessor can look directly at the evidence, accept, reject, streamline all that workflow. And in my mind that kind of counts as automation too. It doesn't have to be fully automated, but the ability to take a more hands-off approach to getting evidence collected, handled, tested, whether we're talking internal audit, external audit, prep work, being able to pull that and showcase it in an easier way is hugely important.

Trust management is where we start to get a lot more leaky and squishy, and does this really mean anything, or what does this mean? I gave this talk to my leader to have a look at: "Hey, does this make any sense? I'm not going to give you the talk, but look through my slide deck, tell me if this sounds like absolute bunk, if this makes sense, do you get where I'm going with this?" And he left a comment on this slide about how he thinks the industry definition is, what was it, the operational processes of assessing the reliability, security, and risk of third parties on an ongoing basis. For what it's worth, I hacked that together, and I replied with, "Out of curiosity, how is that any different than the definition, or a reasonable definition, of vendor and third-party risk management, or even just compliance management? That sounds like what we're already doing." In his repo, his reply verbatim was, "It sounds more fancier." And that's pretty much how I think about the trust management buzzword, right? It makes sense when you think about it, but I think it's acknowledging a lot of sections that are not traditionally thought of.

A lot of us, definitely me, I find myself thinking about security in a vacuum, and it's an infinite black hole when it's a vacuum. When you have no other considerations, no other needs nor other demands, it becomes this never-ending ouroboros that just eats its own tail, and there's always another thing, always more happening. And trust implies a lot more than just meeting expectations. Trust implies, or should at least, that there's an element of brand management in there, there's an element and an acknowledgment of human relationships, reputational management. It's a much broader thing than "we have our SOC 2 Type 2, we have FedRAMP, we have ISO 27001." It goes a layer beyond even third-party vendor management and dives a lot more into specifically how organizations work with each other and support each other, and what that ecosystem looks like when you don't have to look over your shoulder. I'm not personally a big fan of "trust but verify." I think it's "verify, and give credit where it's due," and I think that's where trust management is going. But it really is still kind of a brand-new, made-up term; it means what we want it to mean when we want it to mean it.

And so, okay, there are two sides of the same coin, right? Trust management is expanded compliance management, kind of. I think they are very, very similar. Compliance over time builds trust. Compliance over time shows that you do the right things; it shows that you are at least meeting a certain baseline. It's a really, really valuable way of uplifting an organization that may not already be doing the right things, that may need that structure to start building on. But just from the show of hands earlier, it definitely seems like most people in this room have kind of eyes open about what is actually involved in compliance: weeks of prep work, sometimes months of prep work depending on what you're looking at, and a lot of effort to manage and navigate a pretty thorny process.

A SOC 2 report, for instance, is only valuable if it addresses actual concerns. I think it was Wendy Knox Everett who talked about this as well, but you can get a SOC 2 on a napkin if you find an assessor who will do it. A bar napkin sitting there: "Here's ten grand, here's my SOC 2 language, I want to prove that this napkin is secure." And that is a legitimate SOC 2. It's written by an assessor, it can be signed by a CPA, good to go. But that probably doesn't actually prove anything about anything but that napkin. And SOC 2 is a good example of where the trust portion of this really comes into play, because, has anybody in here actually read a SOC 2 report, sat down and read one cover to cover, end to end? Fun, good stuff, lots of word salad. It's easy to look at it and have a vendor who says, "Oh yeah, we're SOC 2 Type 2. Our observation window is six months, or nine months, or twelve months, or three months." And I've sat down and looked at a SOC 2 report and gone, "This isn't what we're buying from you. I'm not buying this product; this is on a totally different product. This report isn't addressing concerns that I care about." Because you get to define your own scope, as long as your assessor agrees that this is reasonable: the language is reasonable, the controls are reasonable, it's fine, do the assessment, get the SOC 2, give it to your vendors and your partners. And that's a big part of where we start to get, again, into that weird place where compliance is compliance, security is compliance, trust management, how do they overlap? It comes back to the idea that context is everything. A SOC 2 report that doesn't cover things that I care about as a security practitioner doesn't provide value. It doesn't build trust. It doesn't show me anything except that this company can achieve a SOC 2 report.

The differences between trust management and compliance management are many, I guess we'll say. Some of the bigger ones are the classic: compliance is dumb, compliance doesn't help, compliance doesn't show much, because it really does validate minimum effort. I know as a QSA there's a world of difference between the letter and the intent of requirements; there's a world of difference between implementation and letter and intent. I've seen environments that were extremely secure, air-gapped networks, all kinds of stuff, but were not compliant because they weren't doing things in the way that PCI DSS wanted them to. Significantly more secure, but ten-plus compensating controls to demonstrate that you're doing things the right way just because your implementation is better than the baseline. That is one of the places where it starts to break down, kind of a lot. The other thing that makes them very, very different is compliance can show that you're doing the right things for the right reasons, but it doesn't necessarily mean that you are. It means that you're doing at least something, not necessarily for the right reasons. And then, you know, how many companies have been breached that are compliant with all kinds of stuff, right? Compliance shows you can do some stuff, it shows you've made a couple of things happen. It doesn't prove that you're actually trustworthy, doesn't prove that you are a company that I want to go into business with. That's why we still see security questionnaires; that's why we still see all kinds of other organizational processes to make up those differences between where compliance falls short and where we're trying to build that trust with other organizations, where we're trying to build that relationship with their security team, with their sales team, to better understand if we want to engage with them.

And I think that, you know, does that sound trustworthy? Just doing the minimum, doing what you have to do? Do I have to have a pen test for SOC 2? No, not required. Should you? I should probably get one; that's kind of helpful for a lot of other vulnerability management work. I don't have to, and that's an interesting thing to come out and bite you if you're working with a company: "Oh yeah, we have the SOC 2 Type 2, here you go." "Do you have a pen test report?" "No, we didn't do that, we don't have to." Hmm. Maybe you can't afford it, maybe this, maybe that, lots of reasons, but that tells me something as a partner about skin in the game, about buy-in, about desire to demonstrate trust.

So most people in here have been through some form of compliance effort, right? The status quo, for those of you who don't know, is pain. It's spreadsheets, emails, weekly calls, massive document request lists. I think when I was an active QSA I had a tracking sheet that I ran out of Excel, because that's how it still works in a lot of places, that for some assessments is over 1,400 rows long with statuses and all kinds of different "I need this, I don't need that," rewriting the request for evidence based on the customer's environment. And when I would send that to customers, these are usually very large organizations with pretty robust GRC teams and good compliance management and all that, but it's still not fun to receive that kind of an email: "Hey, I uploaded the tracker to our secure portal, please go download it and have a look." That's a great experience. That feels wonderful when you're starting an assessment: download it, open it up, "Oh crap, there's a lot in here, this is gonna suck."

And this goes back to taking on that security analyst role. After a few weeks of rummaging around, buying ISO 27001 and 27002 and reading through them, and starting to kind of map out what we're already doing, what we're not doing, what it looks like, how to do it, how not to do it, does this overlap with PCI, finding all kinds of other places and resources, it dawned on me that, oh, our annual PCI assessment is coming up again. I need to start double-checking all that evidence and figuring all that out. Pulled the report from last year, pulled all that, went and started looking at evidence, pulling stuff, double-checking. Yes, ASV scans are running, all that good stuff is still happening. QSA shows up, we start the engagement, and it's right back to weekly phone calls, on-site assessment, this, that, here's your spreadsheet, here's all your other stuff. And as a QSA, the same kind of thing: I know I've got this engagement coming up, I know I have all this work coming up, balance it all across multiple clients, multiple environments, remember what environment is doing what based on last year, this year, constant spreadsheet updating, jumping between different tech stacks. And I never felt good, having been assessed before. It always felt really bad to send somebody a spreadsheet that I knew I didn't like, that I knew I found clunky and painful and really, really obnoxious, and go, "I'm proud of this, here's my work product." That didn't feel good for me.

So on top of all this spreadsheet passing back and forth and screenshotting and pulling reports, running scripts to get configuration out of Windows, Linux, all kinds of stuff, your assessor or auditor also gets a vote on your compliance and your trust, right? We don't decide that unless you're doing a self-attestation. And this is not a comprehensive list, obviously; there's a lot more that goes into it than just four things that feed into two things that feed into your report or your certificate. But this is where having that relationship, that ongoing relationship, is important, because on top of you knowing what's going on internally, your assessor gets to say, you get a say, your stakeholder is going to say, there's so much happening. It's not like a Thai stage, right, this is totally not an important thing for the company. The customer is also going to say. Internal and external security is going to want probably more than what compliance strictly requires. Sales teams are going to be annoyed that they have to log into the demo environment with MFA, right? Super reasonable, I think most of us would agree that MFA is probably a good thing to do, it's well understood. I'm not going to get into whether SMS MFA is better or worse, whatever, but just adding MFA in front of a sales environment can cause a lot of friction. But that's required for a lot of different compliance standards. Developers are going to want to move fast and break things: screw change management, screw this, I want to build it and ship it, and we want continuous release. How do we manage unit testing, how do we manage all the other elements that go into that without introducing additional friction? So there's that push-pull as well.

There is some hope though, right? It's a bleak landscape, but it's getting better. The days of spreadsheets are starting to go away. I mentioned earlier I work for one of them, but there are several players in the field that are doing compliance automation, trust management, designing platforms that make this easier for assessors, companies, individuals. And I'm not going to dive into which one is best and which is worse and exactly what that looks like, but there are some cool ways to start doing this yourself without having to go buy from somebody. At the end of the day, the cloud might be someone else's computer, but for our purposes the cloud is a series of interconnected APIs, and we can interrogate those APIs to get information. It's harder if you're on-prem primarily, but Ansible, there's tooling out there that can really help with that. But we start with the fundamentals; they're fundamental for a reason. Identify your business objectives. If you're trying to drive a compliance initiative that nobody cares about because it's not helping to close deals, it's not helping to improve, nobody, the business doesn't care about it, it's going to be an uphill-in-the-snow-both-ways effort. Take a risk-based approach. All compliance is risk-based at the end of the day. As an assessor I've seen some stuff that is sketchy, dubious, shall we say, but it's based on risk tolerance, it's based on organizational need, and I don't get to dictate what that is. I dictate: do I think this control meets this intent, this letter, this requirement? I don't get to tell you how to handle your own business's risk. Spending time with your stakeholders, again, to design a control ecosystem that works, that isn't introducing too much friction, that isn't over-engineered