The role of Enterprise Architects (EA) has evolved in the wake of cloud-native computing and software as a service, and other modern IT constructs like microservices, event driven architectures, artificial intelligence (AI) tooling, and distributed edge. Because they are complex by nature, these modern systems make compliance a significant undertaking for organizations in highly regulated industries. That means that today’s EA must not only make decisions that impact infrastructure—including what to modernize and how—but also need to define business objectives and ensure systems comply with industry and government guidelines. In his article Making Compliance a Feature, Rather than Friction, our colleague Bryan Ross puts it like this:
Compliance teams have a difficult job. They must ensure that their organization is following its agreed-upon processes regarding internal strategy or policy, as well as any laws, regulations, and contractual obligations that might affect their industry. It’s impossible for them to watch everyone all the time, so the burden is often put upon developers to produce documentation or other artifacts that show they’ve followed the rules. Meanwhile, development teams are under pressure to work more efficiently, delivering new capabilities to customers as quickly as possible.
Enter the Modern Compliance Architect (MCA)
A Tanzu Labs Modern Compliance Architect (MCA) can be many things, but their main goal is to enable customers—whether they are external clients, internal engineering teams, developers, or other architects—to adopt and deploy tools and practices that help them adhere to regulatory and industry requirements. A MCA helps to supercharge your software development and delivery process while enforcing governance and policy at the right place and the right time for minimal disruption. This makes security an integral part of the application delivery process rather than a blocker.
Before we discuss how to define the right place and right time, let’s understand why this is important and why we need to make policy enforcement invisible to developers. Mainly it’s to maintain developer flow while, more importantly, enabling you to integrate security into your systems so they can be continuously secured, optimized, and accredited.
Awareness: The first step to action
To define the right place and the right time you need to know when and where to apply governance and policy enforcement. To get there, we start with these questions:
- What type of authorization are you seeking?
- Does your system have any current accreditations?
- What protected data types will your application/environment contain?
- What documents/artifacts would you like support?
- Where is software delivery stalled due to non-compliance?
Before addressing any problem or risk we must first be aware of its existence. Treating the discovery stage as part of the architecture process is critical to understanding what needs attention. This is particularly true when it comes to security and compliance in today’s modern computing and distributed environments.
Your MCA serves as a cybersecurity and compliance expert who is part of a balanced team and can help you meet specific compliance outcomes. A MCA pairs with customers to outline best practices and provide artifacts to help you submit or renew your accreditation. In essence MCAs help establish confidentiality; integrity, and availability (CIA). The CIA Triad is a guiding model that forms the basis for security outcomes within a system. A comprehensive security strategy includes policies and security controls that minimize threats to these domains.
Unique aspects of a modern architecture that fall in the MCA purview include:
- Risk Management Frameworks (RMF)—MCA’s are knowledgeable and skilled in various risk management frameworks, including NIST, FISMA, and FEDRAMP to name a few.
- Identifying and prioritizing risks—This includes areas where security bottlenecks may exist in the Software Development Life Cycle (SDLC,) identifying opportunities to shift security earlier in the SDLC, and de-risking the highest risk items first.
- Policy creation and enforcement—Writing good security and access policies and identifying the best places to enforce.
- Domain knowledge—Understanding industry-specific guidelines and requirements (e.g. HIPPA, PCI, etc.) and modern architectural paradigms, such as, microservices, event-driven, edge, distributed cloud, etc.
- Practical experience—Areas include preparation, categorization, access control, data handling, governance, and enforcement.
Applying MCA principles to your SECURE architecture
While ideally you have a MCA involved as you are building the system, it can also be applied to existing architectures. For example, Bryan Ross calls makes the case for shifting security left in Securing Your Environment with Tools Before Rules:
Development teams need to create more secure code, and solving security vulnerabilities early in the process is more cost effective than after an application has been deployed to production.
MCAs also enable internal teams to create and develop updated and new products and services to ensure that they are in compliance and are following regulatory guidelines. An example might include federal requirements to ship a Software Bill of Materials (SBOM) with any software or hardware used in highly regulated industries. A MCA is a trusted resource that can help your teams create products that meet compliance and security requirements.
If you cannot bring in a MCA full time, you can apply MCA thinking into the EA role by working with MCAs coming out of Tanzu Labs.
Through hundreds of engagements with highly regulated companies, the Tanzu Labs MCA practice has enabled clients to:
- Translate RMF requirements into modern security solutions
- Combine risk management tenets with Agile workflows to increase efficiency and continuous security
- Increase knowledge about security concepts through facilitated workshops
- Achieve Authorization to Operate (ATO) more quickly (and repeatedly)
- Increase developer velocity while maintaining a compliant security posture
- Create and document simplified processes for adopting DevSecOps ATO and Continuous RMF environments
If you would like to learn more about enabling better security practices and outcomes, and more about Tanzu, check out these additional resources:
Understanding Authorization to Operate (explainer video)
GET SLSA Level 3-Compliant Open Source Software
Demystifying SBOMs (explainer video)
PCI Best Practices for Containers (whitepaper)
