Unlocking Speed and Efficiency with Compliance as Code

A key element of DevOps is the ability to build security and compliance into the application process -- continuous compliance.

Nathen Harvey, Vice President of Community Development, Chef

July 13, 2017

4 Min Read
Image: Shutterstock

Are organizations effectively tackling the costly cybersecurity threats that are plaguing today’s data centers? It depends on who you ask. Companies across varying industries -- Starbucks, Aetna, JPMorgan Chase, Home Depot and more -- are working together to establish shared principles that better assess company preparedness when it comes to cyber threats. New York state has instituted first-of-its-kind regulations to protect consumer data. The EU General Data Protection Regulation becomes effective in 2018 in an effort to enforce responsible data governance. We’re certainly making headway.

But at the same time, current security processes do not enable companies to keep pace with the speed and quantity of hackers, and the growing number of compliance regulations.

Everyone wants to be safer, but regulatory burdens and compliance add extra drag on the system, and controls that live in notebooks, spreadsheets and PDFs are difficult to verify. Being compliant often comes at the detriment of speed. In order to marry the need for speed with the need for security, companies need to manage compliance as code.

Consequences of slow security

According to the Data Breach QuickView report, 2016 saw more than 4,000 data breaches, a record high. And it’s not just hackers costing large enterprises money in the security department. The recent three-day IT outage at British Airways lost the airline $20 million in cancelled flights and an estimated $105 million in potential sales that were never made.

Scanning production systems for compliance, instead of continuously testing against security and compliance measures throughout the entire development process, means organizations find violations when it’s already too late. This mistake is expensive, as shown by British Airways, the recent WannaCry attack and the recurrence of Petya, among countless others.

With financial repercussions looming, it’s no wonder companies see the value in proper compliance checks. However, assessing the state of compliance can be a challenge. According to a recent Chef survey of IT practitioners and decision-makers, 22% of respondents test compliance inconsistently and 23% don’t test at all. What is causing this lack of action?

In working with various organizations, I’ve observed that today’s audits are events that are planned for and require significant time and effort for everyone involved. It can be difficult to directly tie the effort involved in these audits to real customer- and business-value. As such, an audit is seen as distracting and taking away too much time from the “real work” at hand.

[Nathen Harvey and other DevOps experts headed up the DevOps track at the recent Interop ITX conference.]

Others seem to have noticed this too. Based on a Gartner report, 81% of IT operations professionals say they believe information security policies slow them down. Add to this Chef’s finding that faster deployment is the number one priority to boost overall performance, and it’s clear that improving the speed within the security and compliance vertical must be addressed.

The naive approach is to increase the time between audits to alleviate some of this pain, just like we used to deploy less frequently because it was so difficult.

Before we moved faster, every deployment was a significant event that included a lot of ceremony: pre-release announcements and meetings, all-hands-on-deck while the updates are deployed, long hours spent working outside of normal business hours. As we move towards continuous deployment, these “events” become a normal part of our everyday work.

Compliance_shutterstock_352087790.jpg

Continuous compliance is the solution

Chef found 73% of survey respondents which have regulatory standards to follow wait until after development work has begun to assess compliance. When speed and regulations are imperative for building and deploying apps, it’s a risky oversight to leave compliance and security to the end.

With continuous compliance, regulations are converted into code and security assessments are completed as part of the normal development workflow. Running security assessments becomes as common as running unit tests. This reimagined workflow enables teams to know, at any point, if a security vulnerability is present, allowing for a more proactive approach to security assessments.

While this process is not a safeguard against cyberattacks like Heartbleed or even internal outages as experienced by British Airways, it does allow for faster remediation -- we are talking hours instead of weeks and months -- ensuring end-users, and the bottom line, are less impacted. In the event a breach happens, it’s estimated the average dwell time before identifying a network breach is approximately 200 days. Do you think your customers would find it acceptable if you sat on a problem for more than six months before attempting a fix?

Continuous compliance provides a better solution against security issues and fosters an environment in which developer, infrastructure and security teams work together. Take a look at how your team is implementing security measures and compliance testing. Can you benefit from a process that is faster and more secure?

About the Author

Nathen Harvey

Vice President of Community Development, Chef

As Vice President of Community Development at Chef, Nathen helps the community whip up an awesome ecosystem built around the Chef framework. He also spends much of his time helping people learn about the practices, processes, and technologies that support DevOps, Continuous Delivery, and web-scale IT. Prior to joining Chef, Nathen spent a number of years managing operations and infrastructure for a number of web applications. He is a co-host of the Food Fight Show, a podcast about Chef and DevOps. Working with, and as a part of, the Chef community, he has been spreading the word about DevOps for quite a while.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights