Chef today announced it will make it easier for organizations that adopt its IT automation framework to stay compliant with mandates such as the Federal Information Processing Standards (FIPS), the Security Technical Implementation Guides (STIGs) and the Center for Internet Security (CIS) benchmarks.
John Snow, senior software development engineer and federal content lead for solutions engineering at Chef, said it’s incumbent on the provider of an IT platform or application to make sure their offerings comply with widely required mandates. FIPS compliance, for example, not only applies to federal agencies, but also to any organization that interacts with those agencies.
Specifically, Chef said it has achieved FIPS compliance, is providing an implementation of the STIG profiles for RHEL 7 and Windows Server 2016 in Chef InSpec, and has achieved CIS certification for the Amazon Web Services (AWS) Foundations Benchmark, Levels 1 and 2, in Chef Automate. Chef claimed it is the first vendor to achieve CIS certification across AWS, Microsoft Azure and Google Cloud Platform.
Snow said Chef was able to achieve that goal in part because of the time and effort it put into developing a parser that enabled the company to approach compliance as a programmable extension of its development process. That translation process is required because most compliance mandates are written for auditors by auditors, not by IT operations teams. Chef will also leverage that capability to ensure its platforms remain current with any future updates to the compliance mandates it supports, said Snow.
Chef has been making a case for treating compliance as code for several years now. Any given compliance mandate typically consists of a set of controls that first need to be put in place and then tested and validated. Rather than trying to achieve that goal by relying on manual processes that don’t scale, Chef contends achieving compliance should become a natural extension of best-in-class DevOps processes.
It’s not clear yet to what degree compliance may become integrated within DevOps. But recent advances in DevSecOps suggest it’s only a matter of time before responsibility for implementing compliance controls “shifts left” along with security controls. Compliance teams may define what controls will need to be put in place. But responsibility for implementing those controls as part of any quality assurance process is moving toward DevOps teams. Developers, however, will take on that responsibility only when a means to programmatically implement those controls is readily available.
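To make the “compliance as code” idea concrete, here is an added example written for this article in plain Ruby. It is not Chef’s or InSpec’s code and does not use the InSpec DSL; it only mirrors the structure the article describes: a mandate expressed as a list of controls, each with an identifier, an impact rating and a machine-checkable test, run against a system to produce pass/fail evidence that can serve as audit documentation. The control ids, the SSH hardening checks and the sshd_config fragment are all constructed for the example and do not correspond to any real STIG or CIS rule.

```ruby
# Added example (not Chef's or InSpec's code): a minimal "compliance as code"
# harness in plain Ruby. A mandate is modelled as a list of controls, each with
# an id, an impact and a machine-checkable test; running the profile against a
# system yields pass/fail evidence that doubles as audit documentation.

Control = Struct.new(:id, :impact, :title, :check)

# Parse an sshd_config-style "Key value" text into a Hash. Blank and comment
# lines are ignored and, as sshd itself does, the first occurrence of a key wins.
def parse_kv_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    cfg[key] ||= value
  end
end

# A hypothetical SSH hardening profile. The control ids are made up for this
# example and do not map to any real STIG or CIS rule numbers. Each check gets
# the parsed config and returns [passed?, evidence_string]; the evidence is what
# an auditor wants to see, so it is kept even when the check passes.
def ssh_profile
  [
    Control.new("ssh-01", 1.0, "Root login over SSH is disabled",
      ->(c) { v = c.fetch("PermitRootLogin", "yes"); [v == "no", "PermitRootLogin=#{v}"] }),
    Control.new("ssh-02", 0.9, "Password authentication is disabled",
      ->(c) { v = c.fetch("PasswordAuthentication", "yes"); [v == "no", "PasswordAuthentication=#{v}"] }),
    Control.new("ssh-03", 0.5, "MaxAuthTries is at most 4",
      ->(c) { v = c.fetch("MaxAuthTries", "6").to_i; [v <= 4, "MaxAuthTries=#{v}"] }),
    Control.new("ssh-04", 0.3, "X11 forwarding is disabled",
      ->(c) { v = c.fetch("X11Forwarding", "no"); [v == "no", "X11Forwarding=#{v}"] })
  ]
end

# Run every control against a parsed config. Returns one result Hash per
# control; a check that raises is recorded as an error rather than aborting the
# whole audit, so one broken control cannot hide the others' findings.
def run_profile(controls, cfg)
  controls.map do |ctl|
    begin
      passed, evidence = ctl.check.call(cfg)
      { id: ctl.id, impact: ctl.impact, title: ctl.title,
        status: passed ? :pass : :fail, evidence: evidence }
    rescue StandardError => e
      { id: ctl.id, impact: ctl.impact, title: ctl.title,
        status: :error, evidence: "#{e.class}: #{e.message}" }
    end
  end
end

# Ids of every control that did not pass (failed or errored), in profile order.
def failed_ids(results)
  results.reject { |r| r[:status] == :pass }.map { |r| r[:id] }
end

# Render the results as a plain-text audit report: failures first, worst
# impact first, with a one-line summary at the end.
def audit_report(results)
  ordered = results.sort_by { |r| [r[:status] == :pass ? 1 : 0, -r[:impact]] }
  lines = ordered.map do |r|
    format("%-7s %-6s %.1f  %s  (%s)", r[:id], r[:status].to_s.upcase,
           r[:impact], r[:title], r[:evidence])
  end
  counts = results.group_by { |r| r[:status] }.transform_values(&:size)
  lines << "#{counts.fetch(:pass, 0)} passed, #{counts.fetch(:fail, 0)} failed, " \
           "#{counts.fetch(:error, 0)} errored"
  lines.join("\n")
end

# Constructed sample config for this example; not captured from a real host.
SAMPLE_SSHD_CONFIG = <<~CFG
  # constructed sshd_config fragment
  Port 22
  PermitRootLogin yes
  # a later duplicate is ignored; sshd honours the first value
  PermitRootLogin no
  PasswordAuthentication no
  MaxAuthTries 6
CFG

if __FILE__ == $PROGRAM_NAME
  results = run_profile(ssh_profile, parse_kv_config(SAMPLE_SSHD_CONFIG))
  puts audit_report(results)
end
```

Run against the constructed fragment, the profile fails ssh-01 (root login still permitted) and ssh-03 (MaxAuthTries too high) and passes the other two; the report lists the failures first with the offending setting as evidence. The point of the structure is that the same control definitions run unchanged in a pipeline, against a freshly built image, or on demand when the mandate changes, which is what lets the audit trail be generated rather than assembled by hand.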
The long-term economic implications of that shift may prove to be profound. Organizations of all sizes incur massive costs both in implementing compliance controls and in having them audited by a third party. As the compliance process becomes more automated, not only does it become easier to implement controls at scale, but the documentation required to pass an audit is generated automatically. Given that most auditors charge per hour for their services, the savings derived from limiting the time and effort associated with preparing for and then passing an audit could be substantial. The challenge, and the opportunity, lies in educating the DevOps team on not just how much money might be saved for the company, but also how much of that money might be reinvested in advancing DevOps adoption.