ChefConf is the largest community gathering and educational event for teams on the journey to becoming fast, efficient, and innovative software-driven organizations. In other words, you and your team! We want to hear from you!
ChefConf 2019 will take place May 20-23 in Seattle, Washington, and we want you to present! The ChefConf call for presenters (CFP) is now open. One of the tracks you might consider proposing a session for is the Compliance Automation track.
Every system in your environment is subject to some sort of compliance controls. Some of those controls, such as PCI-DSS, HIPAA, and GDPR, may be prescribed by an external regulatory body. Other controls may be prescribed by teams within your organization, such as the InfoSec team. There may even be controls that you do not think of as “compliance”, such as a control or policy that states agents should receive updates daily. Defining, modeling, and managing these controls as code is the only way to efficiently and continuously audit and validate that standards are being met.
One of the first steps to automating an environment is getting a handle on the current state of that environment. InSpec is a human-readable language for specifying compliance, security, and other policy requirements. Capture your policy in InSpec tests and run those tests against remote nodes to easily assess whether those nodes are configured properly. Running these tests across the entire fleet is as easy as adding the audit cookbook to your nodes’ run lists. The chef-client sends the InSpec test results, along with a wealth of information about the node (such as Ohai attributes), to Chef Automate. From there, you will be able to quickly detect and assess which nodes require intervention or remediation and which are compliant with the prescribed policies.
Presenting about how InSpec helped you with your compliance needs can be extremely powerful to those just starting their compliance journey. For example:
Chef Automate ships with over 80 compliance profiles, many based on the Center for Internet Security (CIS) Benchmarks. The community is sharing compliance profiles on the Chef Supermarket. You may be writing your own compliance profiles to capture the unique requirements for your business and infrastructure. As a community, the practices for managing compliance profiles are still emerging. For example, profile inheritance makes it easy to share profiles across your fleet and even across the community. Profile attributes allow authors to abstract the data associated with a profile. Metadata in controls, such as impact, tags, and external references provide additional context for deciding what to do when there is a failure.
InSpec ships with a myriad of resources for asserting the state of your infrastructure. When these resources aren’t enough, or you want to share a resource with your colleagues for use in multiple profiles, you may find it necessary to create custom resources. These resources may cover components not available with the standard resources or may be a way of writing clearer compliance profiles.
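As an added illustration (not from the original post or from Chef’s own profiles), here is how the pieces described above fit together in one profile: a small custom resource in the profile’s libraries/ directory, a profile attribute that parameterizes the policy threshold, and a control carrying impact, tags, and a reference. The resource name `password_policy`, the file paths, and the control id are assumptions.

```ruby
# libraries/password_policy.rb -- a custom resource (assumed name) that parses
# /etc/login.defs so controls can read password-aging settings by name.
class PasswordPolicy < Inspec.resource(1)
  name 'password_policy'
  desc 'Reads password-aging settings from /etc/login.defs'
  example "describe password_policy do\n  its('pass_max_days') { should be <= 90 }\nend"

  def initialize(path = '/etc/login.defs')
    @params = {}
    inspec.file(path).content.to_s.each_line do |line|
      next if line.strip.empty? || line.start_with?('#')
      key, value = line.split(/\s+/, 2)
      @params[key.downcase] = value.to_s.strip
    end
  end

  # Expose each setting as an integer so matchers such as `be <= 90` work.
  def pass_max_days; @params['pass_max_days'].to_i; end
  def pass_min_len;  @params['pass_min_len'].to_i;  end
  def to_s; 'Password policy (/etc/login.defs)'; end
end

# controls/password.rb -- a profile attribute lets the same control serve
# several policies; the threshold can be overridden by a wrapper profile or
# with an attributes file at run time.
max_days = attribute('pass_max_days', default: 90,
                     description: 'Maximum password age in days')

control 'pw-1' do                             # assumed control id
  impact 0.7                                  # feeds severity ranking in Automate
  title 'Passwords must expire periodically'
  desc  'Force rotation so stale credentials cannot be reused indefinitely.'
  tag   'password', 'cis-level-1'
  ref   'Placeholder: cite the CIS Benchmark section on password aging here'

  describe password_policy do
    its('pass_max_days') { should be > 0 }
    its('pass_max_days') { should be <= max_days }
  end
end
```

To reuse this control elsewhere, list this profile under `depends` in another profile’s inspec.yml and pull it in with `include_controls` or `require_controls`, overriding the attribute there if that environment needs a different threshold.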
InSpec is certainly used to model and assess compliance controls. However, it also leads a double life as a very powerful framework for modeling integration tests for infrastructure code. Tools like Test Kitchen make it easy to spin up local infrastructure for testing and validating the results of executing that code. kitchen-inspec is a plugin that executes InSpec tests during the verify phase of the Test Kitchen lifecycle. This integration testing is done before any code changes are submitted to the production environment. Of course, there are other frameworks that allow for similar integration testing, such as Pester, BATS, or Serverspec.
Assessing and asserting the state of nodes in your fleet is important but perhaps you also have policies that govern how you configure and consume the cloud. These policies may govern how to manage things like security groups, user authentication, and resource groups. In addition to cloud concerns, you may have policies that describe the way applications should be configured. Do you have policies that cover the configuration of your database servers, application servers, or web servers? InSpec is one way to capture these policies as code and regularly assess the state of your cloud and applications.
Automating compliance is a relatively new practice and the tools available are quickly evolving. How are you getting started with compliance automation? Have you started with out-of-the-box profiles or custom profiles? Simple integration tests or full compliance profiles? You do not need to be an expert to help others get started! Your experiences getting started with compliance automation are worth sharing, even if as cautionary tales. ChefConf is a great place to help fellow community members get started on the right foot.
DevOps has always been a cultural and professional movement, not a tool. Of course, there are tools, like git and Chef, that help advance the practices of the movement. Tool choices reinforce and amplify the culture we have. Compliance automation allows us to welcome more people into the DevOps community. Automation increases speed and efficiency while simultaneously decreasing risk in our environments. Sometimes people approach this automation with a bit of skepticism. The role of information security can be fundamentally changed by embracing the collaborative nature of DevOps and the automation of security practices.
The ChefConf CFP is open for the following tracks:
Your story and experiences are worth sharing with the community. Help others learn and further your own knowledge through sharing. The ChefConf CFP is open now. Use some of the questions posed here to help form a talk proposal for the compliance automation track.
Submit your talk proposal now! The deadline is Friday, January 11, 2019 at 11:59 PM Pacific time.