CI/CD for Secure Cloud-Native Deployments in Regulated Enterprises
DOI: https://doi.org/10.63282/3050-9262.IJAIDSML-V5I2P121

Keywords: CI/CD, DevSecOps, Software Supply-Chain Security, Policy-As-Code, Zero Trust, Kubernetes, Regulated Compliance (HIPAA/GDPR/PCI DSS), SBOM, SLSA, DORA Metrics

Abstract
Regulated companies must deliver software quickly while demonstrating that they comply with security and privacy requirements. This paper describes a DevSecOps-aligned CI/CD framework for secure cloud-native deployments that incorporates policy-as-code, software supply-chain assurance, and runtime governance for serverless and Kubernetes environments. It integrates flexible policy controls into a secure build pipeline that includes artifact signing, SBOM generation, provable provenance, vulnerability and secret scanning, active admission controls with OPA/Gatekeeper and image attestation, and compliance automation with continuous controls for HIPAA, GDPR, PCI DSS, SOC 2, and ISO/IEC 27001. Compliance is managed with a monitoring plan and enforced during build and release processes under a zero-trust framework that incorporates least-privilege identities, just-in-time approvals, and partitioned environments. Progressive delivery methods, with SLO gates on canary and blue/green deployments, control blast radius and change-failure risk. The paper also describes a control-point reference architecture defining zones for code, build, deploy, and runtime; a policy catalog that aligns technical criteria with auditable controls; and an evaluation using DORA metrics, mean time to remediate vulnerabilities, policy-violation rate, and supply-chain risk scores. The healthcare and financial-services case studies show a reduction in change lead time and policy drift, an increase in deployment frequency, hardening of the software supply chain, and no degradation in developer productivity. The results demonstrate that security can be shifted left and continuously verified, enabling compliant, rapid, and resilient releases even in regulated environments.
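To make the abstract's policy catalog and admission-control idea concrete, here is an added example (not code from the paper) of a miniature policy-as-code admission gate: each policy in the catalog maps to an illustrative audit control ID, the gate evaluates a constructed Kubernetes Pod manifest, and the policy-violation rate is computed over a batch of manifests. The registry name, annotation key and control IDs are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Assumed trusted registry prefix and assumed annotation written by a prior
# signature-verification step (placeholder names, not a real product convention).
ALLOWED_REGISTRIES = ("registry.example.internal/",)
SIG_ANNOTATION = "example.io/signature-verified"
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def images(pod: dict) -> list:
    spec = pod.get("spec", {})
    return [c.get("image", "") for c in spec.get("containers", []) + spec.get("initContainers", [])]

def digest_pinned(pod: dict) -> bool:          # mutable tags defeat provenance
    return all(DIGEST_RE.search(img) for img in images(pod))

def trusted_registry(pod: dict) -> bool:       # supply-chain boundary
    return all(img.startswith(ALLOWED_REGISTRIES) for img in images(pod))

def signature_attested(pod: dict) -> bool:     # image attestation evidence present
    return pod.get("metadata", {}).get("annotations", {}).get(SIG_ANNOTATION) == "true"

def runs_non_root(pod: dict) -> bool:          # runtime least privilege
    spec = pod.get("spec", {})
    if spec.get("securityContext", {}).get("runAsNonRoot") is True:
        return True
    ctrs = spec.get("containers", [])
    return bool(ctrs) and all(c.get("securityContext", {}).get("runAsNonRoot") is True for c in ctrs)

@dataclass(frozen=True)
class Policy:
    policy_id: str
    control_ref: str                 # auditable control the policy evidences (assumed IDs)
    check: Callable[[dict], bool]

CATALOG = [
    Policy("img-digest-pinned", "CTRL-SC-01", digest_pinned),
    Policy("img-trusted-registry", "CTRL-SC-02", trusted_registry),
    Policy("img-signature-verified", "CTRL-SC-03", signature_attested),
    Policy("pod-non-root", "CTRL-RT-01", runs_non_root),
]

def evaluate(pod: dict) -> list:
    """Return (policy_id, control_ref) for every policy the manifest violates."""
    return [(p.policy_id, p.control_ref) for p in CATALOG if not p.check(pod)]

def admit(pod: dict) -> bool:
    return not evaluate(pod)

def policy_violation_rate(pods: list) -> float:
    """Fraction of submitted manifests rejected by at least one policy."""
    return sum(1 for p in pods if evaluate(p)) / len(pods) if pods else 0.0
```

Feed it the manifests your pipeline renders before deployment and the returned control references double as the evidence trail an auditor asks for.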