DevOps tools and principles have revolutionized IT across many industries in recent years. But companies saddled with requirements such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and Payment Card Industry Data Security Standard (PCI-DSS), for example, tend to be more cautious when it comes to adopting cutting-edge solutions.
There are specific industries—health care and finance are two—that are strictly regulated and more reluctant to change. But even beyond those industries, there exist various compliance frameworks under which the rapid pace of change associated with DevOps may be seen as a risk. The flip side of that coin is that the agility and automation associated with DevOps actually might streamline and simplify compliance.
The DevOps and Compliance Challenge
Ken Cheney, vice president of Business Development at Chef, agrees. “Today companies are faced with increasingly detailed security and compliance requirements. For organizations in highly regulated industries like health care, financial services and the Federal space, detailed compliance can impede the ability to innovate.”
One of the biggest fears about DevOps organizations, from a compliance and audit perspective, is that they will create a “Wild West” ecosystem where everyone has access to all production systems and data. However, DevOps doesn’t have to result in systems access chaos. In fact, the use of orchestration actually can help build a more compliant organization in which nobody gets direct access to production systems.
“Instead, mature DevOps organizations actually remove all direct administrative access to systems,” says Andrew Storms, vice president of Security Services at New Context. “The ability to make changes all goes through a central orchestration tool, where access can be abstracted and forced through a change management automation system.”
Better Compliance Through Automation
The consensus among DevOps experts is that DevOps does more to help compliance than hurt it. It isn’t so much a question of whether a regulated business should or shouldn’t adopt DevOps tools and principles—it’s more a question of how.
“DevOps tools and practices establish compliance through consistency. They help improve compliance by reducing complexity and variability within the environments,” notes Derek Weeks, vice president and DevOps Advocate at Sonatype. “For test and operations teams, configurations, tests and deployments can be automated to ensure execution is consistent. For development teams, consistent versions of binaries ensure use of compliant components, leading to more compliant applications. The automation capabilities of DevOps tools enable consistent, automated execution of compliant practices.”
Rather than conflicting with such initiatives, DevOps can be a crucial element in simplifying and streamlining them. “The key to making compliance an advantage is to specify compliance requirements as code, allowing it to be tested just like any other piece of code in the software development pipeline,” Chef’s Cheney says. “Previously manual verification tasks—often tracked through spreadsheets or other arduous methods—can now be proactively addressed as embedded tests in an automated workflow. Security risks are brought to the surface early for faster remediation, so out-of-date software is identified and updated quickly.”
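To make the "compliance requirements as code" idea concrete, here is a small added example (mine, not Chef's tooling or code from the article): each requirement the experts mention (no direct admin access to production, changes tracked through change management, out-of-date software flagged) is written as a plain test function and run against a host inventory in the pipeline. The inventory, control names and version thresholds are constructed assumptions for illustration only.

```python
"""Compliance requirements expressed as code: each control is a function
over a host inventory record and runs like any other pipeline test.
All hosts, packages and thresholds below are constructed sample data."""
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    env: str                                   # "prod" or "test"
    direct_admin_logins: list = field(default_factory=list)  # interactive admin accounts
    packages: dict = field(default_factory=dict)             # package name -> version
    last_change_ticket: str = ""               # change-management reference for last deploy

# Minimum acceptable versions (assumed example values, not real advisories).
MIN_VERSIONS = {"openssl": (1, 1, 1), "nginx": (1, 20, 0)}

def parse_version(v):
    """'1.22.0' -> (1, 22, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

# --- controls: each returns a list of findings; an empty list means compliant ---
def no_direct_prod_access(host):
    """Production changes must flow through orchestration, not admin logins."""
    if host.env == "prod" and host.direct_admin_logins:
        return [f"{host.name}: direct admin logins present: {host.direct_admin_logins}"]
    return []

def software_current(host):
    """Surface out-of-date packages early so they can be remediated quickly."""
    return [f"{host.name}: {pkg} {ver} is below minimum "
            f"{'.'.join(map(str, MIN_VERSIONS[pkg]))}"
            for pkg, ver in host.packages.items()
            if pkg in MIN_VERSIONS and parse_version(ver) < MIN_VERSIONS[pkg]]

def change_is_tracked(host):
    """Every production deploy must reference a change-management ticket."""
    if host.env == "prod" and not host.last_change_ticket:
        return [f"{host.name}: deployed without a change ticket"]
    return []

CONTROLS = [no_direct_prod_access, software_current, change_is_tracked]

def audit(hosts):
    """Run every control against every host; returns all findings (empty == pass)."""
    return [f for host in hosts for control in CONTROLS for f in control(host)]

# Constructed inventory: one compliant host, one with three violations.
INVENTORY = [
    Host("web-1", "prod", [], {"openssl": "1.1.1", "nginx": "1.22.0"}, "CHG-1001"),
    Host("web-2", "prod", ["root"], {"openssl": "1.0.2", "nginx": "1.22.0"}, ""),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("FAIL", finding)  # a non-empty list should fail the pipeline stage
```

In a real pipeline the inventory would come from the orchestration tool's own state rather than a hard-coded list, and a non-empty finding list would block the deploy.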
Weeks concurs: “Not only does DevOps introduce more consistency and reduced complexity of operations, it also allows for fast feedback loops when things are identified as out of compliance. Waterfall cycle times that might have required weeks or months to fit changes or corrections into systems can now be achieved in a fraction of the time in DevOps practices.”
It’s important for DevOps organizations to think a bit differently when it comes to compliance, though. They may be forced to implement the same types of controls using different tools or slightly different processes to conform with specific requirements. But Storms notes DevOps ultimately is a huge benefit for achieving and maintaining compliance.
“Gone are the days of showing the auditor your physical paper trail of server build checklists,” he says. “Instead, businesses need to learn to work with their auditor to find new solutions that, in the end, actually enhance and optimize the process.”
Rapid change can seem scary to IT and security admins. The pace of DevOps may seem to be in conflict with achieving and maintaining compliance, at least at face value. Done properly, though, DevOps enhances and automates compliance to make it as streamlined and simplified as possible.