San Francisco 2015

Prove it! The Last Mile for DevOps in Regulated Organizations

In mathematics, the proof is an established style of argument designed to show that a statement is true. In compliance and audit circles the equivalent of “true” is when a control is operating effectively and validated using appropriate evidence. Despite recent years of progress in developer efficiency and feature flow, the style of argument used to demonstrate control often still resembles spreadsheets, screen shots and live observations of operators.


In a DevOps world, practices like continuous deployment and infrastructure automation actually implement key controls. Asking engineering teams to perform manual tasks required for control artifacts creates friction that often stops DevOps culture shifts before they get off the ground.


This talk focuses on the last mile of demonstrating security and compliance in enterprises embracing DevOps: proving that you control risk without resorting to legacy control attestation. Based on thousands of engagements with global and Fortune 1000 companies migrating workloads to AWS, this talk tells the stories of highly successful enterprises trying to demonstrate security and compliance in a cloud and DevOps world.


This talk showcases the following areas:


- Identifying blockers and friction – reasons current compliance and audit reporting practices in regulated enterprises can slow transitions to the cloud and DevOps practices.

- Partnership – organizational behaviors and leadership moves that help overcome objections to the automation of security controls typical of DevOps delivery models.

- Control Design – examples of how to translate compliance requirements into engineering specs that work in an environment built on automation.

- Control Evidence – proofs! Patterns used by highly regulated companies to automate evidence and artifact gathering.

Bill Shinn

Principal Security Solution Architect, Amazon Web Services