From YouTube: Compliance Group Roadmap Discussion
Description
Public Mural board: https://app.mural.co/t/gitlab2474/m/gitlab2474/1578411704319/125028f23f8400bba1d2c08290a459a970a2abf9
Slides: https://docs.google.com/presentation/d/1DY6q6D0_gJ5e6fp47DTy46824PXVaNvQa7C76uM63M8/edit?usp=sharing
Compliance Controls Epic: https://gitlab.com/groups/gitlab-org/-/epics/2423
A: Hey everyone, thanks a lot for joining us for this conversation on compliance and GitLab. I'm Jeremy Watson, I'm a product manager at GitLab working on the Manage stage of the DevOps lifecycle. I'm here with Daniel Mora and Matt Gonzalez to talk a little bit more about compliance in GitLab: our vision, direction, where we're going. Dan and Matt, do you want to quickly introduce yourselves?
C: Sure.

A: Thanks guys, appreciate that. So Matt, I think we're here today to talk a little bit about, you know, our direction as far as compliance goes. It's a really interesting problem space. I know you've been thinking about it a lot, and we have a lot of exciting things that we're working on here at GitLab. Love to turn it over to you, so we can hopefully share some information with our audience about where we're going, yeah.
B: Sounds good. So let me share my screen, and I think where I'm gonna start first is walking us through this Mural board, because I think what really helps me is to visualize everything. So the way that I'm currently thinking about compliance within GitLab is you have this overarching theme of frameworks, right? So every organization, every business operates within an industry, or multiple industries, and those industries are regulated in some way.
B: The common frameworks people hear about are things like Sarbanes-Oxley for the financial sector, SOC 2 for a kind of industry-agnostic, general data security best-practice framework, and GDPR for privacy regulation that originated in the European Union. And so we have all these competing frameworks, but a lot of them have underlying fundamental similarities, such as, you know, segregation of duties, making sure that there are password management policies, and managing access within the application or the environment or system that you're using. And so these frameworks create this broad, high-level scope.
B
And
so,
within
the
frameworks
we
have
requirements,
the
frameworks
define
what
rules
need
to
be
followed
for
an
organization
to
be
compliant
with
their
regulation
or
the
the
legal
or
regulatory
framework,
and
so
that
manifests
to
me
as
compliance
controls.
Compliance
controls
are
the
the
controls
or
the
rules
that
exist
either
at
the
company
level.
Well,
I
guess
that's
at
the
organizational
level,
but
inspired
by
or
motivated
by,
the
frame,
the
compliance
frameworks
themselves.
B: So if a compliance framework says you have to have a separation of duties between the changes that are made to your code and that code being approved to make it into your production environment, well then you have to have controls in place that ensure you're following that procedure. And so within the frameworks concept we have these compliance controls, and that manifests as things like merge request approvals. Do we have a policy in place for the various scanning that might take place for the code we're trying to push?
B: Do we have external systems that need to connect with GitLab that we're calling out to for separate in-house policies? Do we have password management? Those types of controls. Another element to compliance is what's called non-repudiation, the idea that no individual can deny that they took some action, and so that manifests for us as audit events. So the audit events feature or component of GitLab should be able to answer any question about who did what, and when did they do it?
B: In what system did the change occur? And right now the focus is making sure that our audit events are very granular, because if there's any gap, if there's a question you can't answer, whether it's from an internal or external auditor, that creates a gap. That gap then creates more work for the organization and the day-to-day users of GitLab, because you then have to have what's called compensating controls if there is no formal control, or if there's just a gap that's out of your control, such as with a service you're using like GitLab.
B: You still have to be able to find that data. And so with audit events we're trying to answer questions like: who took what action? What action did they take? Was that action compliant, and was it authorized? These are the goals we're trying to achieve in terms of audit events. And then finally we have the reporting aspect. So visibility by way of audit events is great.
B: A lot of organizations, especially bigger ones, have internal compliance or audit teams, because that's, I guess, the small part of the funnel: we're gonna be the team that makes sure that we're compliant with these one, two, three, n number of frameworks. But we are kind of that first barrier, right? So we're the ones who are gonna ask for these evidence artifacts; we're gonna be the ones to make sure that policies are being followed and enforced. And so generating the evidence artifacts could be anything from, show me...
B: Oh, I see now that my Mural is actually not updated, so please disregard some of these sticky notes for now. But the audit reports could manifest as anything from: show me a sample of the last six months' worth of merge requests, and show me that each of those merge requests had an issue that was tied to it or associated with it that documents the change. Show me the last...
A: You know, multiple frameworks that organizations need to adhere to, and those distill down into a variety of compliance controls which, ideally, we'll be able to, you know, set within GitLab to allow enforcement of different behaviors in your instance. Those distill down into audit events, which we can kind of roll up and report on at the reporting level, to be able to prove to a third-party auditor that these behaviors were adhered to and the framework was followed. Is it this?
B: Absolutely. So something that I'm personally very passionate about is our internal security compliance team has done a lot of great work mapping what we call internally the GitLab Control Framework to, right now, SOC 2, Sarbanes-Oxley, and generally the ISO standard for controls. And so I feel that there's an opportunity for GitLab to take a very credible thought leadership role, to say we're already doing the work to consolidate these multiple frameworks, and so if we can distill from that, right, we say: okay!
A: That makes a lot of sense. If we iterate on that sufficiently, I think that could make life a lot more simple for our customers, because you can trust the GCF to stay, for us to maintain that according to changing standards, and it can kind of be a way to abstract away a lot of the complexity around maintaining questions around SOC 2, SOX and... so, ideally, you know, GitLab can be the framework that you use for that, right?
B: Yeah, I think the biggest value there is that our internal security compliance team is already going to be constantly keeping up to date with this as part of our own compliance efforts, and so it makes sense to be very efficient about that and leverage their hard work to bring value to our customers, I should say. Yeah.
B: For sure. So I think for compliance controls as a category, the focus right now is looking at what are the features we can add that could eventually become these resource lists, if you will, or resources of controls. So for example, if we implement something like disable self-approval at the instance level. This is a big pain point, because what happens is you have individual users in the current role and permission schemas where it may be part of their job.
B: Their responsibilities are to deploy code, and so the way things are now, they're able to go in and modify the merge request approval settings, push code, then re-enable those settings, and that creates this critical breakdown in the separation of duties requirements. And so a control like this, where we say, you know, starting with self-managed instance administrators and eventually GitLab.com feature parity, admins can say, well, we're gonna lock this down.
B: We're gonna require, at a minimum, these three settings: preventing approval of a merge request by the author, by a committer, and they can't modify the approvers list. If we start there and say we think these are the three most critical settings within this particular context, that prevents non-administrators from modifying that, well then in theory we've preserved that separation of duties workflow. So things like that.
B: Well, if you can change your profile name, in theory you could say, well, that wasn't me, that was some other person that's shown in your audit events trail, and if you don't have a way to correlate the two and disprove that, then you're not maintaining non-repudiation, and therefore your audit events lose some integrity, data integrity. So longer term, where I see this going is, you know, if we have all of these features implemented, then we can say: okay, well, maybe these first three features comprise what we say is GCF control
B: 1.1, maybe the next three are GCF control 1.2, and so we can then provide our customers with an experience that says, based on your requirements, you know, these controls help you maintain separation of duties, these controls help you maintain non-repudiation, etc., etc. And then we create this very customizable but seamless process or experience of then defining the policies that have to be enforced within your GitLab environment.
A: Have we considered kind of a way of showing this, and have we thought about the user experience? I know we've talked a little bit in the past about, is there a way of maybe showing these in a single place in the UI? Is that something that we're also thinking about, kind of planning? Yeah.
C: So we've actually kind of started some research on this. Matt and I have been working together along with Katherine, who is in our user research group, to try and start generating some direction on how to kind of merge all this. So we've done some preliminary work in terms of adding the compliance controls to particular sections within the settings. For example, we have it in the admin settings, or we have it also at the project level currently.
C: So this was one of the initial research proposals. What we're doing is kind of the initial workflow of just creating a new project, and so just trying to think about where we're creating these compliance protocols. So normally you would create a project; within the project there is a screen that allows you to set parameters.
C: You have your project listing, and say we want to change the active project status. So we would select the project from here, you would see the project details, and then we would go to the security and compliance section, and we're kind of trying to ideate: what could this feasibly be? Currently we have just some general ideas; we're kind of, again, in the research phase. But this would be the initial part where we would just add the GitLab Control Framework, and from here we go and see if these were now compliant or not.
C: Once you've activated the status of that, then from here we would move on to looking at, for example, the merge request. You'll see that there's a notice that this has failed the compliance checks once this has been established. And all this again is kind of preliminary research; we're just trying to see what makes sense. Does this flow create any sort of new questions that we haven't thought of yet, or any new problems, and to see how we can resolve those questions.
A: Yeah, I love that vision. I think that's really interesting. I love the idea of being able to apply a framework at the project level, and then you could see it kind of distilled down, you know, to the merge request level, to see what's compliant and what's not, and that you were about to show it in an issue related to the merge request, in the widget. Do you want to share your screen and do that first? Yeah.
B: So it's been refined a bit down into this higher-fidelity type of prototype, and so we think that there's the opportunity to add this compliance settings expandable area within the project settings that would then allow a customer to say, yes, I want to enable the GitLab Control Framework. Right now we're looking at the existing features we have that make sense or seem to be a universal ask across the board, such as disabling self-approval at the instance level, and soon to be the group level for GitLab.com users.
B: Simple visual artifacts like that, that we'd like to eventually generate CSV exports for, or some export for; simple indicators like that are useful for an auditor, because it answers the question of: you say you're enforcing it, now show me you are. And the visual indicators should also provide that detail to show, well, I guess it's already kind of there by way of the approvers list and a screenshot of those settings being locked down. So for example, if an auditor says, okay, you say that these settings are enforced.
B: So then show me the settings, and the settings from an admin view should in theory be different than what the non-admin sees: the non-admin would be unable to make changes, which an auditor would ask, show me that they can't make changes. And then the actual indicator on the merge request widget would show that we are tracking that this was enforced. And so it's kind of that full start-to-end tracking of the process to show: what do you say you do, show me you're doing it, and show me the evidence.
A: That makes a lot of sense. I really like the way that's being displayed in the UI; I think that's interesting. I think one thing that we need to make sure that we consider is iteration. I think that, you know, when we're considering these frameworks, they can quickly roll up tons of different requirements and controls. I think it's...
A: Okay if you just start with, you know, one; if the GCF framework only enforces one or two controls, so we can iterate on adding to them and just talk to it very clearly, what is and is not in the GCF, because I think that iteration could be really hard here if we just kind of let the requirements explode for these frameworks and do too much. So, like...
B: Absolutely, I agree with you a hundred percent. The first settings or requirements that would be available would be that disable self-approval. I think realistically the first iteration will be that it's available only to self-managed instance administrators. In a perfect world, you know, the weight would be small enough that we could also include GitLab.com feature parity, because I know this is a pain point for GitLab.com customers as well, but I think realistically we'd be iterating on that for self-managed and then followed by feature parity to GitLab.com and...
B: I don't know if I'm going to find it quickly, but there is an issue that I'll make available in the Mural, that's in the slide presentation that will be posted with this video, that links to that. But there is a partner issue that brings disabling self-approval to the group level so that GitLab.com customers will have a way to do that. Okay.
A: Sounds good, that makes sense. I'm happy to take that on to a separate conversation, but glad you're thinking about both and trying to iterate as quickly as we can by starting where it makes sense. I think that kind of concludes this conversation. Thanks a lot for the help. If people want to dive into these issues and these epics and the direction a little bit deeper, you know, we're gonna kind of... yeah.
B: So I'll provide... I think I can provide a public Mural link, I assume, but I'll provide at least the PowerPoint slides that are linked within the Mural link here. The presentation just summarizes what we've talked about here, separated by category: the compliance frameworks, compliance controls, audit events, and audit reports. So that detail we made available in the video description. Awesome.