# The $0 Compliance Stack

# The Lie We’re All Sold

> “You need expensive GRC tools to pass enterprise audits.”

Reality:

* Auditors don’t care about **tools**
    
* They care about **controls, traceability and evidence**
    

**Compliance ≠ Software**  
**Compliance = Verifiable system behaviour**

---

# Core Philosophy: Compliance-by-Construction

Instead of:

* Manual screenshots
    
* Jira tickets
    
* Excel risk registers
    

Design systems where:

* **Evidence is produced automatically**
    
* **Controls are enforced at runtime**
    
* **Audits become read-only queries**
    

---

# The Compliance Stack

## 🔐 Identity & Access (ISO A.5, A.9 | PCI 7, 8)

| `Control Goal` | `Open Source` |
| --- | --- |
| Central identity | **Keycloak** |
| MFA / SSO | Keycloak + WebAuthn |
| Service identity | SPIFFE / SPIRE |
| RBAC enforcement | Kubernetes native RBAC |

## 📦 Source Control & CI/CD (ISO A.8, A.12 | PCI 6)

| `Control` | `Open Source` |
| --- | --- |
| Git integrity | Git + signed commits |
| CI/CD | GitHub Actions / GitLab CI |
| Secrets | HashiCorp Vault |
| IaC scanning | Checkov |
| SAST | Semgrep |

## 🐳 Runtime & Infrastructure (ISO A.12, A.13 | PCI 2, 10)

| `Area` | `Open Source` |
| --- | --- |
| Orchestration | Kubernetes |
| Network policy | Cilium |
| Runtime security | Falco |
| Admission control | Kyverno |
| eBPF telemetry | Cilium + Falco |

## 📊 Logging, Monitoring & Evidence (ISO A.12, A.16 | PCI 10)

| `Need` | `Open Source` |
| --- | --- |
| Logs | Loki |
| Metrics | Prometheus |
| Traces | OpenTelemetry |
| Dashboards | Grafana |
| SIEM-lite | Wazuh |

## 📁 Evidence Storage (ISO A.7, A.18 | PCI 12)

| `Requirement` | `Open Source` |
| --- | --- |
| WORM storage | MinIO (Object Lock) |
| Retention policies | Lifecycle rules |
| Audit trails | Hash-based integrity |

---

# Real-World System Design

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1769459435741/4ccf3e65-5ece-4a23-ae31-a407ef14cfe5.png align="center")

Key Insight: ***<mark>Auditors never touch production; they interrogate evidence APIs</mark>***

---

# ISO-27001 & PCI-DSS Control Mapping

### Example: ISO-27001 A.12.4 (Logging)

| `Requirement` | `Implementation` |
| --- | --- |
| Event logging | Loki |
| Access logs | Kubernetes Audit Logs |
| Integrity | Object Lock |
| Review | Grafana dashboards |

### Example: PCI-DSS 10.2 (Audit Trails)

| `Requirement` | `Implementation` |
| --- | --- |
| User actions | Keycloak + K8s audit |
| System events | Falco |
| Retention | MinIO Object Lock |
| Alerting | Prometheus |

---

# What Auditors Actually Said

> “This is one of the cleanest evidence trails we’ve seen.”

Why?

* No human-generated artifacts
    
* No subjective interpretation
    
* Everything timestamped, immutable and reproducible
    

---

# Why This Scales Better Than Paid GRC Tools

| `Paid GRC` | `$0 Stack` |
| --- | --- |
| Manual updates | Auto-generated |
| Screenshot culture | Telemetry culture |
| Lagging indicators | Real-time controls |
| Vendor lock-in | Architecture ownership |

---

# The Hard Truth

> If your compliance fails when Jira is down, **you were never compliant**

In conclusion, this isn’t a “cost-saving hack”. It’s how **high-trust, high-scale systems** are designed when:

* Security is non-negotiable
    
* Audits are frequent
    
* Engineering time is sacred
    

so overall, **Compliance didn’t get cheaper. It just got engineered ;)**
