You are familiar with Progress Chef Infra and its remarkable infrastructure management capabilities. Frequent users must also be aware of the ‘Compliance Phase’ capability of Chef. The Compliance Phase enables compliance and audit reporting using the Chef InSpec as part of any Chef Infra Client run. This capability allows you to run your existing infrastructure management and execute Chef InSpec compliance code using a single client, pipeline and development process.
The Chef Infra Compliance Phase represents a shift from the traditional methodology of ‘Infrastructure as Code’ to ‘Policy as Code.’ By combining policy as code with Chef Infra Client, all the teams in your organization can work together in a unified framework. With the Chef Compliance Phase, you can:
- Develop and test infrastructure and compliance policy locally using Chef Workstation
- Enforce compliance in your infrastructure using Chef Infra Client
- Aggregate data and view your overall status using Chef Automate
- Promote collaboration and efficiency between teams in your organization
- Make changes easily and safely
Using the Compliance Phase means you don't have to install Progress Chef InSpec in addition to the Infra client on all your nodes.
In this blog, we illuminate some of the real-world compliance-related business cases that can be effectively addressed with the Compliance Phase capability. These cases include maintaining adherence to IT compliance and security policies, tracking changes in compliance status over time and analyzing the impact of new policy rollouts.
Tracking Policy Adherence
Using the Chef Compliance Phase, your organization can track the level of adherence to IT compliance and security policies. You can scan your infrastructure based on a selected CIS benchmark and get a compliance report. Such reports provide you with evidential data that can verify your adherence to compliance policies.
You can set the Compliance Phase execution as a monthly (or another suitable interval) run and periodically check how you compare against the CIS benchmark. You can apply remediation measures for non-compliant policies by triggering an automated remediation workflow. This will ensure that your systems are always in compliance with your organization's policies and that changes are made in a controlled and consistent manner.
Analyzing the Impact of a New Policy Rollout
If your organization plans to implement a new policy to safeguard your system's security and is unsure about the outcome of implementing the policy, the Compliance Phase can be of immense help. The policy you plan to roll out can be set up as waived controls in the Compliance Phase. Using waivers will not trigger an alert regardless of whether the controls pass or fail, but you will still be given an understanding of the state of your fleet.
You can also compare the actual state of the infrastructure with the desired state. This way, you can test your production environment without causing any disruption. It also allows you to get a qualitative assessment of your future compliance state if the policy is rolled out.
Increasing Compliance Coverage
In the DevSecOps world, the DevOps engineers responsible for testing the policies are not responsible for fixing the non-compliance issues. However, the compliance teams regularly check with the DevOps teams to ensure there are no gaps in compliance.
Compliance scans run in the Compliance Phase using the ‘waivers’ feature, which can result in exceptions for specific controls for a given timeframe. As a result, you can generate reports, export them and alert compliance stakeholders on the duration (number of days or hours) left to fix the failed controls. You can also report on a trend of controls failing consistently for a long time. The scan reports will allow you to send targeted communication to teams responsible for maintaining compliance.
Moreover, you have proof and evidential data to show management that you have reminded the responsible teams and encouraged remediation. Making the collected data available to as many stakeholders as possible is crucial to maximizing the benefit. With Chef, this is easier since it has integrations with ServiceNow, Splunk and Kibana to help accomplish this. The scan reports can be easily exported to these external systems.
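As an added illustration (not code from this post or from Chef), the plain Ruby below turns the two artifacts the waiver workflow above relies on, an InSpec waiver file and the per-run scan results, into the stakeholder data described: days left on each waiver, and controls that have failed consistently across runs. The waiver YAML shape (control id, expiration_date, run, justification) follows the InSpec waiver file format; the control ids, dates and report slice are constructed sample data, and the report is a simplified extract rather than a full InSpec JSON reporter document.

```ruby
require 'yaml'
require 'json'
require 'date'

# Constructed sample waiver file in the InSpec waiver format. Control ids are
# placeholders, not real benchmark ids. run: false skips the control entirely;
# run: true still executes it but reports it as waived.
WAIVER_YAML = <<~YAML
  os-hardening-01:
    expiration_date: 2024-07-15
    run: false
    justification: "Kernel patch scheduled for next maintenance window"
  os-hardening-02:
    expiration_date: 2024-06-01
    run: true
    justification: "Under review"
YAML

# Constructed sample: failed control ids from three weekly Compliance Phase
# runs, keyed by run date (a simplified extract of the scan reports).
REPORTS_JSON = <<~JSON
  {"2024-06-03": ["os-hardening-01", "os-hardening-02", "os-hardening-03"],
   "2024-06-10": ["os-hardening-01", "os-hardening-03"],
   "2024-06-17": ["os-hardening-01", "os-hardening-03"]}
JSON

# Days left on each waiver as of `today`; a negative value means it has expired.
def waiver_days_left(waiver_yaml, today)
  waivers = YAML.safe_load(waiver_yaml, permitted_classes: [Date])
  waivers.to_h { |id, w| [id, (Date.parse(w['expiration_date'].to_s) - today).to_i] }
end

# Controls that failed in every run: the "failing consistently" trend.
def consistently_failing(reports_json)
  JSON.parse(reports_json).values.reduce { |acc, ids| acc & ids }.sort
end

# One alert line per failed control in the latest run, so stakeholders see
# how long remains to fix it before the waiver lapses.
def alerts(waiver_yaml, reports_json, today)
  days = waiver_days_left(waiver_yaml, today)
  latest = JSON.parse(reports_json).max_by { |run_date, _| run_date }.last
  latest.sort.map do |id|
    if !days.key?(id) then "#{id}: failing, no waiver on file"
    elsif days[id] < 0 then "#{id}: waiver expired #{-days[id]} days ago"
    else "#{id}: waiver expires in #{days[id]} days"
    end
  end
end
```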
Asset Management and License Coverage
Chef Compliance Phase capability also helps you effectively manage your assets and track license coverage. For instance, you may have purchased a license for a software tool that needs floating licenses or licenses tagged to CPU usage or even the number of users each month. Let’s say, at the end of the month, you need to provide evidence of the number of people who used it. It is quite simple to get this information with the Compliance Phase.
These checks can be ‘coded’ and run monthly or weekly as you deem fit. They can also collect evidence of utilization. For instance, every time the Compliance Phase is run, it can check if a specific software is installed on a machine and the number of CPU cores available. This way, you can periodically generate evidence of license coverage. Therefore, a compliance audit is not an annual or half-yearly activity for you; it is a continuous process, and you have all the evidence of your compliance posture handy whenever you need it.
In some cases, employees use non-licensed software assets or software with an expired license. How would you keep a check on this behavior? With the Compliance Phase, you can run pointed scans to check for the availability or unavailability of a specific version of an asset. Based on the results, you can apply appropriate remediation measures.
Achieve Continuous Compliance with Compliance Phase
The Chef Infra Compliance Phase represents a key advancement in policy enforcement and compliance management within the IT infrastructure. By integrating the compliance scans of Chef InSpec into the Chef Infra Client run, organizations can transition from traditional Infrastructure as Code to Policy as Code. This can foster collaboration, consistency and accountability across teams.
Through the Compliance Phase, businesses can track policy adherence, analyze the impact of new policies, increase compliance coverage and effectively manage assets and license coverage. This continuous and proactive process enables organizations to maintain a robust security posture and effectively maintain compliance requirements.
Finally, the Compliance Phase empowers organizations to enforce policies effectively, mitigate risks and consistently maintain compliance throughout their infrastructure, enhancing security and fostering trust with stakeholders.
Resources
About Chef Compliance Phase
Webinar – Chef Compliance Phase Improvements