Solving the cloud compliance puzzle: Insights from Intuit's journey

The benefits of cloud computing are many: cost savings, security, flexibility, increased collaboration, quality control, loss prevention, and others. However, the cloud compliance puzzle continues to confound many.

Nandish Madhu, Director of Product Development at Intuit, delved into the complexities of compliance in cloud technology at TechSparks 2023 Bengaluru edition. "Compliance is such a huge thing. And managing compliance in the cloud at scale is a really formidable challenge,” he said, at India’s influential startup-tech conference.

During a fireside chat moderated by the Executive Creative Director at YourStory Media, Ryan Frantz, Madhu discussed the complexities of managing compliance in a large-scale cloud environment. Intuit's cloud migration, initiated over five years ago, had its share of challenges. The company initially explored a 'lift and shift' approach but later pivoted to focus on refactoring and architecting applications for cloud-native solutions. 

Madhu’s insights revealed the importance of addressing these challenges early on. Beyond technical hurdles, skillset gaps and cost management were crucial issues that arose, echoing the common struggles faced by organisations transitioning to the cloud.

However, one of the standout challenges discussed was compliance itself. Operating in the cloud required an entirely different approach to security and compliance compared to traditional data centres. The dynamic nature of the cloud, with constant changes and a multitude of resources, posed unique difficulties.

“How do you deal with security and compliance? Operating in a data centre versus cloud is totally different... because it's a dynamic world here,” Madhu said.

Navigating the cloud compliance landscape

The scale of Intuit's cloud operations is impressive, with over 2,000 accounts and more than 10 million resources to manage. This immense infrastructure necessitates a daily audit of at least 20 million compliance checks. Compliance frameworks like Payment Card Industry Data Security Standard (PCI) and National Institute of Standards Technology (NIST) demand continuous assessment of controls, such as multi-factor authentication, which can be intricate in a dynamic cloud environment. 

Real-time environment tracking is vital for compliance, serving diverse stakeholders with specific needs like business leaders, developers, and security teams. Madhu emphasised the need for sophisticated analytics and reporting dashboards to meet these complex demands.

Compliance is about spotting and fixing issues, but the real headache is sorting priorities and notifications. With a flood of non-compliant assets, you're at risk of drowning in issue-tracking JIRA (A tool primarily used for bug tracking, issue tracking, and project management.) tickets and slowing down cloud adoption, which should be all about speed. “So how do you handle some of these situations? It's purely because of the volume," he emphasised.

Charting a path to cloud compliance innovation

Madhu and his team recognised that treating compliance solely reactively could stifle innovation. Their solution? Exploring innovative approaches. They introduced auto-remediation, which automatically fixed certain compliance issues without disrupting operations. Their in-house creation, the Automated Compliance Platform (ACP), effectively scaled to meet compliance needs. 

However, the game changer was Intuit’s web application "paved road". It simplified and standardised resource deployment in the cloud, giving developers easy access to ensure compliant configurations, security measures, and cost optimisation, and allowing them to focus on their core work.

The future of cloud compliance

Looking ahead, Madhu highlighted the potential of Gen AI and its impact on cloud compliance. He emphasised the significance of shifting compliance checks earlier in the development pipeline, focusing on build-time policies. This approach empowers developers to spot compliance issues during development, preventing non-compliant code from progressing to production. 

He also floated an exciting idea of real-time education for developers within their Integrated Development Environments (IDEs), promoting compliance and best practices in alignment with the organisation's vision.

A culture of innovation and transformation

Intuit's success in transforming its IT teams into value-driven powerhouses is strongly rooted in its unique organisational culture. Madhu stressed the importance of ensuring that every employee comprehends the company's vision and the real-world problems it aims to solve. This shared understanding empowers Intuit's teams to proactively address challenges. 

He advocated for the "working backwards" principle, which involves defining the problem statement and success metrics before diving into technology solutions.

Madhu also underscored the significance of leading by example, fostering a culture of curiosity and continuous learning in Intuit's journey.