Why Does It Matter?
When we talk about a regulated workload, we talk about compliance: industry standards that govern how data is processed, stored, and managed. That is why these workloads need to be clean and should be assessed against controls we can prove. Examples of such controls are least-privilege access, encryption at rest, clear network boundaries, and auditability, to name a few.
And then we have frameworks such as NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, which provides a comprehensive catalogue of security and privacy controls, and the CIS Foundations Benchmarks, which translate security best practices into cloud-specific configuration checks. None of them enforce themselves, though: a control only becomes enforced when you build the corresponding check into your pipeline.
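To make the last sentence concrete, here is an added example (not code from the original article) of what "building the check into the pipeline" can look like: a small policy-as-code gate that maps the four controls named above onto automated checks over a resource manifest and returns a CI exit code. The manifest format, field names (`kms_key`, `access_logging`, `ingress`, and so on) and the sample resources are all constructed for illustration and are not tied to any real cloud provider's schema; the control names are the article's categories, not quotations from NIST SP 800-53 or a CIS benchmark.

```python
"""Added example: a minimal policy-as-code gate for a CI pipeline.

Each check maps one of the controls discussed above (encryption at rest,
least privilege, network boundaries, auditability) onto a concrete test of
a resource manifest. Manifest schema and sample data are constructed for
this example and are assumptions, not a real provider's format.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Finding:
    resource: str  # logical name of the resource in the manifest
    control: str   # which control the check maps to
    message: str   # what a reviewer needs to fix


def check_encryption_at_rest(name: str, res: dict) -> Optional[Finding]:
    """Storage must reference a customer-managed key (hypothetical 'kms_key' field)."""
    if res.get("type") == "storage_bucket" and not res.get("encryption", {}).get("kms_key"):
        return Finding(name, "encryption-at-rest", "no customer-managed KMS key configured")
    return None


def check_least_privilege(name: str, res: dict) -> Optional[Finding]:
    """Reject Allow statements that grant a wildcard action or resource."""
    if res.get("type") != "iam_policy":
        return None
    for stmt in res.get("statements", []):
        if stmt.get("effect") != "Allow":
            continue
        if "*" in stmt.get("actions", []) or "*" in stmt.get("resources", []):
            return Finding(name, "least-privilege", "Allow statement uses a wildcard action or resource")
    return None


MANAGEMENT_PORTS = {22, 3389}  # SSH and RDP; assumption for this example


def check_network_boundary(name: str, res: dict) -> Optional[Finding]:
    """Management ports must not be reachable from the whole internet."""
    if res.get("type") != "security_group":
        return None
    for rule in res.get("ingress", []):
        if rule.get("cidr") == "0.0.0.0/0" and rule.get("port") in MANAGEMENT_PORTS:
            return Finding(name, "network-boundary", f"port {rule['port']} open to 0.0.0.0/0")
    return None


def check_auditability(name: str, res: dict) -> Optional[Finding]:
    """Buckets must have access logging switched on."""
    if res.get("type") == "storage_bucket" and not res.get("access_logging", False):
        return Finding(name, "auditability", "access logging disabled")
    return None


CHECKS: list[Callable[[str, dict], Optional[Finding]]] = [
    check_encryption_at_rest,
    check_least_privilege,
    check_network_boundary,
    check_auditability,
]


def evaluate(manifest: dict) -> list[Finding]:
    """Run every check over every resource and collect the findings."""
    findings: list[Finding] = []
    for name, res in manifest.items():
        for check in CHECKS:
            finding = check(name, res)
            if finding is not None:
                findings.append(finding)
    return findings


def pipeline_gate(manifest: dict) -> int:
    """Exit code for CI: 0 when all checks pass, 1 when any finding exists."""
    findings = evaluate(manifest)
    for f in findings:
        print(f"FAIL [{f.control}] {f.resource}: {f.message}")
    return 1 if findings else 0


# Constructed sample manifests: one that should fail the gate, one that passes.
NONCOMPLIANT = {
    "data-bucket": {"type": "storage_bucket", "encryption": {}, "access_logging": False},
    "ci-role-policy": {"type": "iam_policy",
                       "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
    "bastion-sg": {"type": "security_group", "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
}

COMPLIANT = {
    "data-bucket": {"type": "storage_bucket", "encryption": {"kms_key": "alias/example-cmk"},
                    "access_logging": True},
    "ci-role-policy": {"type": "iam_policy",
                       "statements": [{"effect": "Allow", "actions": ["storage:GetObject"],
                                       "resources": ["example-bucket/*"]}]},
    "bastion-sg": {"type": "security_group", "ingress": [{"cidr": "10.0.0.0/8", "port": 22}]},
}

if __name__ == "__main__":
    import sys
    sys.exit(pipeline_gate(NONCOMPLIANT))
```

Wired into a pipeline step, a non-zero exit blocks the merge or deployment, which is the difference between a benchmark that is merely documented and a control that is actually enforced. Real tooling does the same thing against a provider's native resource model; the value of the toy version is that each control is visible as one small, testable function.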