Ana Sirvent, AWS practice lead at KPMG UK, shared her experience at QCon London on how to work with public cloud in heavily regulated organizations. Sirvent explained how to build trust with security, compliance, and client risk teams while delivering quickly and leveraging cloud services.
Sirvent started her talk with the example of a cloud adoption journey in a regulated organization.
After a team starts a greenfield or innovative project, more teams with different skill levels onboard. However, there is always a point in time when an organization realizes, often traumatically, that the current way of managing the cloud is not sustainable. The so-called unsustainability trigger is followed by urgent critical fixes and a path to governance and compliance. Sirvent explained:
If you work in a regulated environment, you have to deal with the three lines of defense: business, risk management/compliance, and internal audit, with the first two being the more challenging ones, with a lot of resistance to change.
KPMG UK started its journey to the cloud in 2016 with the first project on AWS and now has over 270 cloud engineers, over 360 projects, and 2500 workloads on the three major providers. She added:
On the positive side, working in a regulated environment, you will have direct collaboration with regulatory experts and once you understand the intent behind the control, it speeds up the journey.
Gathering your systems' relevant data and having a centralized view are also critical tasks. KPMG UK relies on a centralized AWS account for compliance: the deployment is entirely serverless, using the AWS Serverless Application Model, and Kenna Security is used for vulnerability management.
With the goal of 100% security unachievable, establishing a "good enough" compliance level is the next step. For example, the cloud teams in KPMG need to achieve specific targets: 95% on patching, 90% on antimalware, 90% on vulnerabilities, but 100% on the AWS Config rules. A config rule, for example "no public S3 buckets", must always be met, unlike the best-practice targets, which allow some slack. Falling behind on these goals requires the team to join a weekly security call to assess the situation and agree on remediation.
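The distinction between threshold targets and binary config rules is easy to encode as a gate. The following is an added illustration, not KPMG's tooling and not code from the talk: it assumes an inventory shape of my own construction (per-workload booleans plus a normalised bucket record with Block Public Access settings, ACL grants and a bucket policy), and the public-bucket test is a simplified stand-in for what an AWS Config rule would evaluate, ignoring Deny statements, object-level ACLs and account-level Block Public Access. Workload names, bucket names and the account id in the sample data are constructed.

```python
"""Added example: a "good enough" compliance gate with hard rules and thresholds.

Constructed illustration, not KPMG's tooling. The inventory shape below is
assumed; the bucket check is a simplified stand-in for an AWS Config rule.
"""
from __future__ import annotations

# Percentage targets quoted in the talk: these may be missed without breaking the gate.
THRESHOLDS = {"patching": 95.0, "antimalware": 90.0, "vulnerabilities": 90.0}

# ACL grantee URIs that make a bucket readable by anyone or by any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _wildcard_principal(principal) -> bool:
    """True if a policy statement's Principal grants access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def is_public_bucket(bucket: dict) -> bool:
    """Approximate the 'no public S3 buckets' rule on a normalised bucket record."""
    pab = bucket.get("public_access_block", {})
    if all(pab.get(k) for k in PAB_KEYS):
        return False  # full Block Public Access overrides ACLs and policies
    for grant in bucket.get("acl_grants", []):
        if grant.get("uri") in PUBLIC_GRANTEES:
            return True
    for stmt in bucket.get("policy", {}).get("Statement", []):
        # Simplification: an unconditioned Allow to "*" counts as public; Deny statements are ignored.
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")) and "Condition" not in stmt:
            return True
    return False


def percent(flags: list[bool]) -> float:
    """Percentage of True values; multiply before dividing so 19 of 20 is exactly 95.0."""
    return round(100 * sum(flags) / len(flags), 1) if flags else 100.0


def evaluate(workloads: list[dict], buckets: list[dict]) -> dict:
    """Score the estate against the targets; config rules are binary (100% or fail)."""
    scores = {
        "patching": percent([w["patched"] for w in workloads]),
        "antimalware": percent([w["antimalware"] for w in workloads]),
        "vulnerabilities": percent([w["vulns_remediated"] for w in workloads]),
    }
    failed_targets = sorted(k for k, v in scores.items() if v < THRESHOLDS[k])
    public_buckets = sorted(b["name"] for b in buckets if is_public_bucket(b))
    config_rules_met = not public_buckets
    return {
        "scores": scores,
        "failed_targets": failed_targets,
        "public_buckets": public_buckets,
        "config_rules_met": config_rules_met,
        # Any missed target or any failed config rule puts the team on the weekly call.
        "escalate": bool(failed_targets) or not config_rules_met,
    }


def remediation_items(report: dict) -> list[str]:
    """Agenda lines for the weekly security call, hard-rule failures first."""
    items = [f"BLOCKING: public S3 bucket {b}" for b in report["public_buckets"]]
    items += [f"below target: {k} at {report['scores'][k]}% (target {THRESHOLDS[k]}%)"
              for k in report["failed_targets"]]
    return items


def sample_inventory() -> tuple[list[dict], list[dict]]:
    """Constructed data: 20 workloads and 3 buckets (names and account id are made up)."""
    workloads = [
        {"name": f"wl-{i:02d}", "patched": i != 7, "antimalware": i not in (3, 11),
         "vulns_remediated": i not in (2, 5, 9)}
        for i in range(20)
    ]
    buckets = [
        {"name": "finance-reports", "public_access_block": dict.fromkeys(PAB_KEYS, True)},
        {"name": "legacy-assets", "public_access_block": {},
         "acl_grants": [{"uri": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "READ"}]},
        {"name": "app-logs", "public_access_block": {},
         "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/LogReader"},
                                   "Resource": "arn:aws:s3:::app-logs/*"}]}},
    ]
    return workloads, buckets


if __name__ == "__main__":
    report = evaluate(*sample_inventory())
    print(report["scores"], "escalate:", report["escalate"])
    for line in remediation_items(report):
        print(" -", line)
```

On the sample data, patching lands exactly on its 95% target and antimalware on its 90% target, so both pass; vulnerabilities at 85% misses, and the single public bucket fails the config rule on its own, so the team would be escalated even if every percentage target had been met.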
While reminding the audience that the biggest factor in good security practice is cultural rather than technical, Sirvent highlighted four key aspects of improving production deployments: empowering teams, being well-architected, taking responsibility for your code, and automation. She closed the presentation by suggesting organizations should follow "paved paths" as much as possible:
If there is an easy route to security compliance, engineers will take it.
She recommended the use of golden AMIs, CI/CD pipelines, centralized Terraform modules, and providing an open developer platform, with self-service templated services for software engineers.