4 Governance, Compliance and Trust
This chapter covers
- The layers of Governance, Compliance, and Trust
- Compliance at the point of change
- Policy as Code
- The Software Supply Chain
- Identities in the Engineering Platform
One of the mistakes we often see is the assumption that an engineering platform comes with developer freedom automatically: that by simply building or buying a platform, its users are immediately unblocked and free to deploy new software into production.
The reality is quite different. Every part of delivering software still requires strict adherence to the requirements of compliance, audit, security, and data handling. Teams like Infosec, Security, Infra, Audit, and Governance are not going to disappear.
Each of them has different requirements. Consider for example the following:
- Our security team requires that there are no exploitable vulnerabilities rated “CRITICAL” deployed to production.
- The audit team wants evidence of every deployment logged into an immutable datastore to meet SOX compliance.
- Infosec has stated that they need to enforce the use of authorization (authz) policies on sensitive dataset APIs, to ensure that only authorized users have access.
These requirements are similar to ones you would find in any environment. But if we hand the keys to each of these teams and let them enforce their requirements directly, we return to creating roadblocks and friction for our developers, which goes against the goals of our engineering platform.