Navigating GRC in the Cloud-Native Era: Modernizing Applications for Compliance and Resilience

As organizations adopt cloud-native technologies to maintain agility and scalability, the importance of Governance, Risk Management and Compliance (GRC) has become increasingly vital.

This article explores the challenges and solutions around modernizing applications to meet cloud security and compliance requirements, automating GRC controls and enhancing incident response in a cloud-native environment. We’ll also focus on leveraging industry benchmarks like the Center for Internet Security (CIS) and Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG). The primary objective for organizations is to achieve a good balance between agility and compliance. Let us explore balancing speed and compliance to suit our fast-paced world.

What Is GRC Compliance in a Cloud-Native World and What Are the Challenges?

Compliance in the cloud-native world involves adhering to various external regulatory frameworks such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). Each framework has specific requirements that organizations must meet, often focusing on data protection, privacy and security. Compliance also means adhering to internal policies and standards like information security and IT policies, internal data protection privacy policies and internal risk management policies. The dynamic nature of cloud-native environments is what makes compliance challenging. Some factors that contribute to the challenge are:

  • Sharing cloud security and compliance responsibilities between provider and application developer. While cloud providers provide inbuilt mechanisms to maintain infrastructure security, organizations have a substantial, if not equal, responsibility to maintain application and data security.

  • Changing ecosystems (due to the proliferation of microservices and container orchestration) and rapid deployment cycles make tracking data flow difficult, making it hard to verify that they adhere to regulations.

  • Managing data residency through different layers and geographic regions adds additional complexity that must be addressed.

  • Addressing cloud resource misconfigurations that can lead to exposure without automation makes it difficult to achieve continuous compliance.

  • Verifying that third-party services are covered places additional strain on teams as their usage has become an integral part of the application stack.

  • Servicing manual requests from internal auditors and external regulators leads to overworked teams.

  • Providing data visibility based on the roles is a struggle when working toward compliance with internal policies.

Incident Response in a Cloud-Native Landscape

Robust incident response is critical to building a resilient cloud-native ecosystem. Some incidents are specific to cloud environments, but security breaches, compliance violations and operational incidents threaten any environment. Although those common incidents also occur in non-cloud-native landscapes, managing them in a cloud-native environment is challenging for the following reasons:

  • Lacking visibility across cloud environments and services

  • Complexity stemming from distributed setups

  • Ineffective incident sourcing and response due to frequent updates and changes

Some success metrics of an incident response system could include a reduction in the mean time to detect (MTTD), mean time to respond and mean time to recover/resolve (both commonly abbreviated MTTR), incident volume, incident impact and financial impact.

Compliant and Resilient Application Modernization Framework (CEA)

Maintaining compliance is a non-negotiable step in the application modernization journey. Designing a modernization framework focused on resilience and compliance will yield results in the organization’s favor. The CEA framework is one of the most verifiable and time-tested frameworks for modernization and consists of three essential pillars: Codify, Embed and Automate.

Codification

  1. Codify human-readable policies: If coded, human-readable policies can help developers and non-technical teams like compliance teams and auditors (internal and external) stay on the same page. This can be accomplished by using some of the following best practices:
    a. Selecting a language like YAML, which is machine-readable while still understandable to people
    b. Using domain-specific language
    c. Implementing reusable templates and modular policies to reduce the effort required to codify human-readable policies

  2. Human and machine-auditable outputs: When compliance scans’ outputs are human and machine-auditable, remediations or waivers can be requested easily.

  3. Codify configurations: Misconfigurations can be avoided using currently available configuration management tools. Configuration management tools use infrastructure as code principles to maintain idempotency and consistency.

  4. Codify compliance scans: Organizations can use industry benchmarks to maintain compliance across the stack without compromising agility. These benchmarks can be codified and used to scan the complete stack. Some common benchmarks for which compliance scans are already codified are:
    a. CIS benchmarks: These provide best practices for securing various technologies, including cloud services and containerized environments. CIS benchmarks for specific cloud providers (e.g., AWS, Azure, Google Cloud) offer tailored recommendations to help organizations configure their environments securely.
    b. DISA STIGs: These guides offer detailed instructions for securely configuring systems and applications, including those in cloud-native environments. STIGs help organizations reinforce security best practices to mitigate vulnerabilities and achieve compliance, particularly in government and defense sectors.

  5. Codify remediation: Automated remediation can be accomplished using the remediation content available from the industry standards like CIS and DISA STIG, discussed above. This content can be codified and used to remediate compliance issues in an automated manner.

Embedding

  1. Continuous compliance scans: Codified scans and configurations can be part of the CI/CD pipelines to maintain continuous compliance. Every minor or major change in the stack or code is then checked for compliance issues as part of these pipelines, resulting in continuous compliance. We can achieve the ideal state of “shifting security left.” As a result, security is integrated into the development process from the onset and not left as an afterthought.

  2. Continuous incident remediation: Using the codified remediation in the automation pipelines, one can remediate the incident and minimize the MTTR, resulting in almost zero impact from the incident. This procedure can also be used to handle some categories of zero-day issues.

Automation

  1. Automated auditing and evidence collection: Compliance audits with policies and evidence collection can be automated with the help of human and machine-readable policies. The ability to orchestrate multiple actions into a workflow would also make the system more efficient and intelligent. This approach significantly reduces the manual effort involved in auditing and evidence collection. Considering the variety of internal and external compliance requirements, automating the auditing and evidence collection is the need of the hour.

  2. Automated alerting: Some detected anomalies could require alerts to certain users based on criticality or impact. An automation platform can orchestrate this to deliver the right alerts to the right users over the right channels. This provides actionable alerting and reduces alert fatigue.

  3. Automated remediation: Automated remediation could be orchestrated based on the vulnerability detected and the availability of codified remediation. This could help reduce the MTTR.
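As an added illustration of the Codify, Embed and Automate loop described above (example code written for this page, not Chef code or from the original article), the following Python sketch evaluates codified controls against a constructed configuration snapshot, emits machine-auditable JSON evidence, gates a pipeline step on the findings, and applies codified remediation; the control ids and titles are placeholders, not real CIS or STIG rule numbers.

```python
import json
from copy import deepcopy
from functools import reduce

# Codified controls in the style of a benchmark (ids and titles are constructed
# placeholders, not real CIS or STIG rule numbers): a config path and its expected value.
CONTROLS = [
    {"id": "example-1.1", "title": "SSH root login must be disabled",
     "path": "sshd.PermitRootLogin", "expected": "no"},
    {"id": "example-2.3", "title": "Object storage must not be public",
     "path": "bucket.public_access", "expected": False},
    {"id": "example-3.2", "title": "Access logging must be enabled",
     "path": "bucket.logging_enabled", "expected": True},
]

def _lookup(config, dotted):
    return reduce(lambda node, key: node[key], dotted.split("."), config)

def _assign(config, dotted, value):
    *parents, leaf = dotted.split(".")
    node = config
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value

def scan(config):
    # Evaluate every control; the result list is the machine-auditable evidence.
    results = []
    for c in CONTROLS:
        actual = _lookup(config, c["path"])
        results.append({"id": c["id"], "title": c["title"], "expected": c["expected"],
                        "actual": actual, "status": "pass" if actual == c["expected"] else "fail"})
    return results

def remediate(config, results):
    # Codified remediation: enforce the expected value for each failed control
    # on a copy, so the original snapshot is preserved as audit evidence.
    fixed = deepcopy(config)
    for r in (r for r in results if r["status"] == "fail"):
        control = next(c for c in CONTROLS if c["id"] == r["id"])
        _assign(fixed, control["path"], control["expected"])
    return fixed

def pipeline_gate(config):
    # CI/CD step: block on any open finding and emit JSON evidence for auditors.
    results = scan(config)
    return all(r["status"] == "pass" for r in results), json.dumps(results, indent=2)

# Constructed configuration snapshot with two drifted settings.
SAMPLE_CONFIG = {"sshd": {"PermitRootLogin": "yes"},
                 "bucket": {"public_access": True, "logging_enabled": True}}
```

Running `pipeline_gate(SAMPLE_CONFIG)` reports two failures and blocks the step; the same gate passes on `remediate(SAMPLE_CONFIG, scan(SAMPLE_CONFIG))`, while the original snapshot stays unchanged for the audit trail.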

Conclusion

Modernizing applications to be agile in a cloud-native ecosystem must factor in compliance and resilience from day one. If ignored initially, the agility of the application will be deeply affected. Using the CEA framework, compliance and incident response can be robust with fewer risks and shorter turnaround times. Utilizing frameworks like CIS benchmarks and DISA STIGs strengthens security practices while adhering to regulatory requirements. Including this in the CI/CD pipelines, along with orchestrated remediation or alerting, is the path mature organizations should take. If you want to share your experiences with GRC and compliance in cloud-native environments, please feel free to add a comment or drop a note to aditya.v@progress.com

To understand how the Progress Chef solution enables continuous compliance, please visit us here.


Aditya V

Aditya V is currently working as a principal product manager at Progress. He is the head of the product team for the compliance and configuration management space at Progress Chef. Over the past eight years, he has worked on multiple B2B products in the capacity of a product manager, predominantly in oil and gas and healthcare. During this time, he has guided teams to build platform capabilities like search, communication and querying services to support scale without compromising quality. Outside of work, he loves to play racquet games. Currently, he is training in squash on weekends.