How to Make Compliance More Efficient and Scalable Through Automation

Matt Gravlin
Published in Intuit Engineering
Jun 12, 2023 · 6 min read

Intuit has architected an Automated Compliance Platform that has reduced audit timelines from up to six months to less than 2 weeks. Read on to learn how!

Security compliance is mission-critical and resource intensive. Depending on the type of information your organization handles, it could be subject to any number of ever-evolving cybersecurity frameworks. Managing compliance with those frameworks becomes increasingly challenging as requirements evolve and the number of resources in need of monitoring grows.

At Intuit, we serve more than 100 million consumer and small business customers around the world with TurboTax, Credit Karma, QuickBooks, and Mailchimp. Keeping personal and financial information safe and secure is a 24/7/365 concern for us. Intuit needs to adhere to multiple compliance frameworks such as PCI-DSS, NIST 800-53, and ISO 27001.

When Intuit began to migrate large workloads to the cloud, the number of resources we needed to manage grew substantially. Unlike physical devices, cloud resources change constantly, making them more difficult to monitor. To maintain compliance efficiently at scale, it quickly became evident that we needed to automate the process.

To ensure our solution would be as comprehensive as possible, we set three overarching objectives:

  • Reduce audit timelines and audit fatigue
  • Make compliance more consistent and continuous
  • Effectively manage remediation

In 2019, Intuit began developing the Automated Compliance Platform (ACP). As we worked toward our objectives, our efforts focused on five primary capabilities:

  • Providing context with results to help shape our reporting and response capabilities
  • Coordinating control and framework mapping to incorporate multiple standards efficiently
  • Automating control evaluation and evidence collection to reduce audit time
  • Providing custom dashboards and reports to get the correct information to the right people at the right time
  • Managing remediation and exceptions to ensure any issues identified can be resolved appropriately

The platform architecture combines a variety of resources, from information sources to data processing and storage:

  • Content management defines the control objectives and maps them to compliance frameworks
  • Providers send control evaluation findings and evidence
  • Integration and processing consolidate control evaluation findings and perform additional processing
  • Storage holds findings and evidence
  • Presentation delivers results to end users

Context is key

Before you can act on the information in a compliance audit, you need to know who’s responsible for dealing with the issue. Context is a foundational component of an automated compliance platform. It makes all the other capabilities possible.

For any given resource, it is critical to know what application it supports and who in the organization is responsible for managing that application. The more accounts or applications an organization has, the more valuable this information becomes for the efficient remediation of issues. Examples of application and organizational context include:

  • The name of the application
  • Whether it is a production application or under development
  • What team manages this application and their contact information
  • What business unit this application is associated with

Enriching data across the platform with this type of context helps produce targeted actions and insights. Attributing cloud resources:

  • To people — allows you to route remediation tickets to the appropriate team and navigate the management structure for escalations.
  • To applications and their metadata — provides stakeholders with meaningful metrics and dashboards.

In ACP, we added context with the following high-level steps:

  1. Tagging cloud resources with an associated asset ID.
  2. Enriching control evaluation findings and evidence with application and organizational metadata.
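As an added illustration (not Intuit's ACP code), the following Python shows the two steps end to end: findings in a CSPM-like shape carry an asset ID tag, the tag is resolved against an asset inventory to attach application and organizational metadata, and failed findings are routed to the owning team. The tag key, inventory, control names and fallback queue are constructed placeholders; the untagged third finding shows how an unattributed resource is kept visible rather than lost.

```python
# Added example, not Intuit's ACP code: enrich CSPM-style control evaluation
# findings with application and organizational context looked up by the asset
# ID tag on the resource, then route failures to the owning team.
# Tag key, inventory and findings are constructed for illustration.

ASSET_TAG = "asset_id"  # hypothetical tag key carrying the asset ID

ASSET_INVENTORY = {  # constructed: asset ID -> application/org metadata
    "asset-1001": {"application": "payments-api", "environment": "production",
                   "team": "payments-platform", "contact": "payments-oncall@example.com",
                   "business_unit": "Small Business"},
    "asset-1002": {"application": "tax-estimator", "environment": "development",
                   "team": "tax-experiments", "contact": "tax-exp@example.com",
                   "business_unit": "Consumer"},
}

SAMPLE_FINDINGS = [  # constructed pass/fail findings in a CSPM-like shape
    {"control": "CTRL-S3-PUBLIC", "resource": "arn:aws:s3:::bucket-a",
     "status": "FAILED", "resource_tags": {ASSET_TAG: "asset-1001"}},
    {"control": "CTRL-S3-PUBLIC", "resource": "arn:aws:s3:::bucket-b",
     "status": "PASSED", "resource_tags": {ASSET_TAG: "asset-1002"}},
    {"control": "CTRL-EC2-IMDSV2", "resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc",
     "status": "FAILED", "resource_tags": {}},  # untagged: owner unknown
]

def enrich_finding(finding, inventory=ASSET_INVENTORY):
    """Attach application and organizational context to one finding.
    A resource without a recognised asset ID is marked 'unattributed' and
    routed to a fallback triage queue rather than silently dropped."""
    asset_id = finding.get("resource_tags", {}).get(ASSET_TAG)
    context = inventory.get(asset_id)
    enriched = dict(finding)
    if context is None:
        enriched["context"] = {"status": "unattributed", "asset_id": asset_id}
        enriched["route_to"] = "compliance-triage"  # hypothetical fallback queue
    else:
        enriched["context"] = {"status": "attributed", "asset_id": asset_id, **context}
        enriched["route_to"] = context["team"]
    return enriched

def route_findings(findings, inventory=ASSET_INVENTORY):
    """Enrich every finding and build per-team queues of failed findings,
    the input to remediation tickets. Passing findings are enriched but
    not queued."""
    queues = {}
    for finding in findings:
        enriched = enrich_finding(finding, inventory)
        if enriched["status"] == "FAILED":
            queues.setdefault(enriched["route_to"], []).append(enriched)
    return queues
```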

Map controls and frameworks to manage overlap

Compliance frameworks and your internal policies and standards likely have common, overlapping controls. Instead of driving control adoption within each framework, you can generate common objectives that meet the criteria for multiple controls across compliance frameworks.

For example, one control in one framework may require passwords to be eight characters, while a similar control in a different framework may require 10 characters. By setting the common objective control to the most stringent requirement (in this case, a length of 10 characters), a single common objective satisfies the corresponding controls across multiple compliance frameworks.

At Intuit, we developed a common control-to-framework mapping structure managed in source control. This structure makes it easy for us to add new controls or update existing controls. It also allows us to map controls to multiple compliance frameworks or multiple versions of those frameworks.
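The Python below is an added example, not Intuit's actual mapping structure: each common objective lists the framework controls (and framework versions) it maps to, the enforced value is derived as the most stringent across them, and one evaluation is reported back in every framework's native control identifier. It generalizes the password-length case to any numeric requirement by recording whether a larger or smaller value is stricter; framework names, control IDs and thresholds are constructed placeholders.

```python
# Added example, not Intuit's actual ACP mapping: common objective controls
# pinned to the most stringent requirement across the framework controls
# they satisfy, evaluated once and reported per framework and version.
# Framework names, control IDs and thresholds are constructed placeholders.

COMMON_OBJECTIVES = {
    "CO-PW-LENGTH": {  # larger minimum length is stricter
        "parameter": "min_length", "stricter": max,
        "maps_to": [
            {"framework": "FW-A", "version": "3.2", "control": "FW-A-8.2", "min_length": 8},
            {"framework": "FW-B", "version": "r4", "control": "FW-B-IA5", "min_length": 8},
            {"framework": "FW-B", "version": "r5", "control": "FW-B-IA5", "min_length": 10},
        ],
    },
    "CO-SESSION-IDLE": {  # shorter idle timeout is stricter
        "parameter": "minutes", "stricter": min,
        "maps_to": [
            {"framework": "FW-A", "version": "3.2", "control": "FW-A-8.1", "minutes": 15},
            {"framework": "FW-C", "version": "2013", "control": "FW-C-A9", "minutes": 30},
        ],
    },
}

def effective_requirement(objective):
    """Value the common objective enforces: the strictest across every mapped
    framework control, so meeting it satisfies all of them at once."""
    p, stricter = objective["parameter"], objective["stricter"]
    return stricter(m[p] for m in objective["maps_to"])

def meets(observed, required, stricter):
    """True when the observed value is at least as strict as the requirement."""
    return stricter(observed, required) == observed

def evaluate(objective_id, observed, objectives=COMMON_OBJECTIVES):
    """Evaluate once against the common objective, then report in each
    framework's native control ID. Per-framework status uses that control's
    own threshold, so a common-objective failure is not over-reported against
    a framework whose bar is lower."""
    obj = objectives[objective_id]
    p, stricter = obj["parameter"], obj["stricter"]
    required = effective_requirement(obj)
    return {
        "objective": objective_id, "required": required, "observed": observed,
        "status": "PASSED" if meets(observed, required, stricter) else "FAILED",
        "frameworks": [
            {"framework": m["framework"], "version": m["version"], "control": m["control"],
             "status": "PASSED" if meets(observed, m[p], stricter) else "FAILED"}
            for m in obj["maps_to"]],
    }
```

Keeping this structure in source control means a new framework version (like FW-B r5 above) is a one-line addition that automatically tightens the common objective when it raises the bar.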

Automate control evaluation and evidence collection

Automatic audit functionality is a game-changer. In the past, it could take auditors up to six months to collect evidence for a compliance audit. With automated control evaluation and evidence collection, that process takes less than 2 weeks. Here are a few definitions:

  • Automated control evaluation — The typical pass/fail finding from Cloud Security Posture Management (CSPM) tools like AWS Security Hub. Control evaluation findings indicate whether a resource is in compliance.
  • Evidence collection — The raw configuration data indicating proof that something passed or failed a control evaluation. This information provides detailed documentation behind audit findings.
  • Provider — A team that develops and sends automated control evaluation and evidence to ACP.

The key metrics we track are automated control evaluation coverage and evidence collection coverage. The more automation we employ, the less time is required to manually evaluate and collect evidence, resulting in shorter audit timelines.

Over the years, Intuit has established a large internal provider community to automate control evaluation and close evidence collection gaps. We took a decentralized approach in which development teams closest to the controls and underlying technology develop the automation with some central oversight. For example, the corporate network team develops automation for corporate network device controls. The internal provider teams contributed to the control evaluation and evidence collection for hundreds of compliance controls.

Produce dashboards and reports

Once you’ve automated control evaluation and evidence collection, you need to get audit results to the right stakeholders so they can remediate issues. Those stakeholders will differ from one organization to another. The key is to understand who needs visibility into the process so you achieve appropriate oversight.

Intuit defined three primary stakeholders of ACP:

  1. The internal compliance community, which sees the big picture and is the primary driver for ACP features
  2. Developers, who can access the resources to remediate issues
  3. Managers, who need to be aware of their teams’ compliance posture

Each persona requires different features and dashboards to provide the insights most relevant to them:

  • The internal compliance community prefers to see data using native compliance control statements and identifiers. Internal compliance also requires a high-level posture for a given compliance framework to help teams prepare for an audit. As a result, we developed custom dashboards with these features.
  • Developers spend a good deal of time inside Intuit’s Devportal, a central location where developers create and configure their applications. As a result, when a developer goes to our internal Devportal site, they receive a focused and personalized compliance view.
  • Managers need an overview of the actions their teams need to take and their compliance posture. As a result, we developed two dashboards for managers:
      • Ticketing Dashboard, which provides visibility for all the compliance tickets their teams need to remediate.
      • Score metric, which includes all the control evaluation findings for everything their team manages and some additional data to produce an overall score. This score provides a quick metric for a team’s overall compliance posture.

Remediate issues and manage exceptions

The whole point of a compliance audit is to ensure compliance with a given framework, so when an audit surfaces non-compliance, remediation is necessary. It’s also important to manage exceptions with compensating controls so that they don’t get flagged over and over again, hurting the signal-to-noise ratio.

We have a preferential order for the various forms of remediation:

  1. Code enforcement — Prevent non-compliant or vulnerable code from being merged in source control.
  2. Deployment enforcement — Prevent deployment of non-compliant code to runtime.
  3. Fully automated remediation — Completely automated remediation with no developer interaction at all.
  4. Manually triggered auto-remediation — Provide a “Fix It” button after the developer validates that there will be no impact.
  5. Remediation document — Provide developers with manual step-by-step remediation instructions.

Non-compliant issues found at runtime are issued remediation tickets. Thanks to our enriched context, we are able to route tickets to the appropriate teams efficiently.

Exception management is a foundational component of all forms of remediation. Intuit developed an exception service workflow to review exception requests for approval to ensure each exception is appropriate and that compensating controls are in place.

Automated compliance is an evolving journey

Managing compliance at scale can be a time-consuming and challenging endeavor. However, by making engineering investments in automation and customized capabilities for the relevant stakeholders within your organization, you can greatly reduce the compliance burden for your entire organization.

Learn more about ACP by watching the AWS re:Inforce 2023 presentation “Centralizing security at scale w/ Security Hub & Intuit’s experience”.

We’re continually developing and adding new features to ACP. Stay tuned here for future blogs documenting our journey.
