Compliance at Velocity with Chef

Compliance@Velocity, James Casey [email protected]

Posted 04-Aug-2015

TRANSCRIPT

Page 1: Compliance at Velocity with Chef

Compliance@Velocity
James Casey
[email protected]

Page 2: Compliance at Velocity with Chef

The promise of the coded business

Page 3: Compliance at Velocity with Chef

Transformation to high-velocity

Page 5: Compliance at Velocity with Chef

The conflict between compliance and velocity

Page 6: Compliance at Velocity with Chef

The compliance challenge

Page 7: Compliance at Velocity with Chef

The velocity challenge

Page 8: Compliance at Velocity with Chef

The compliance cycle

Page 9: Compliance at Velocity with Chef

Reconciling compliance and velocity

Page 10: Compliance at Velocity with Chef

The automation cycle

Page 11: Compliance at Velocity with Chef

Analyze

• Be clear about what the desired system outcome actually is

• Take regulatory requirements and enterprise policies into account

• Choosing the desired state and expressing it at an appropriate level of detail can be more challenging problems than writing the automation code itself!

Page 12: Compliance at Velocity with Chef

Specify

• Closing the gap between specifying and implementing regulations requires an unambiguous expression of the requirement in human- and machine-readable form.

• A domain-specific formal language (DSL) can achieve this level of clarity and precision.

• Chef recipes, tests and compliance rules are ideal for the task.

Page 13: Compliance at Velocity with Chef

Example

package 'apache2'

service 'apache2' do
  action [:start, :enable]
end

Page 14: Compliance at Velocity with Chef

Test

• Automated tests give confidence that the requirement has actually been met

• Writing the tests first gives developers and system administrators a clear set of standards that must be met for compliant systems.

• Automated tests scale better than manual tests.

Page 15: Compliance at Velocity with Chef

Example

Page 16: Compliance at Velocity with Chef

Certify

• A separate certification step is not always required

• In some cases, regulatory requirements or organizational processes do require a final human sign-off

• The better your tests, the shorter the certification step can be

• Be sure not to confuse certification and testing

Page 17: Compliance at Velocity with Chef

The changing role of the compliance officer

Page 18: Compliance at Velocity with Chef

A single accelerated cycle

Page 19: Compliance at Velocity with Chef

Chef Analytics for Compliance

Page 20: Compliance at Velocity with Chef

"Built-in controls support quality and empowerment initiatives, avoiding unnecessary costs and enabling quick response to changing conditions."

- Davis & Schiller, "IT Auditing: Using Controls to Protect Information Assets", 2nd Ed.

Page 21: Compliance at Velocity with Chef

To Operate at Velocity, Teams Need:

• A policy application & execution engine: Chef client/server

• A system to deliver changes at speed, safely, reliably, predictably: Chef Delivery

• A system to visualize all changes happening in real-time, whether automatic or manual: Chef Analytics: Insights

• A system to enforce node state and report on violations for compliance reasons: Chef Analytics: Compliance

Page 22: Compliance at Velocity with Chef

Chef Insights

• Provides visibility into changes happening across your entire infrastructure

Chef Analytics for Compliance

• Make changes at speed while ensuring infrastructure is compliant with formal or informal policy

Integrations and Notifications

• Send data to external systems like Splunk

• Send arbitrary events to messaging or alerting systems

Page 23: Compliance at Velocity with Chef

Chef Compliance

Page 24: Compliance at Velocity with Chef

How it Works

control_group 'services' do
  control 'Windows Firewall' do
    let(:firewall) { service('MpsSvc') }

    it 'should be enabled and running' do
      expect(firewall).to be_enabled
      expect(firewall).to be_running
      expect(firewall).to have_start_mode('Automatic')
    end
  end
end

Diagram labels: recipe, cookbook, server

Page 25: Compliance at Velocity with Chef

How it Works

PS C:\> chef-client --audit-mode enabled
...
Starting audit phase
Audit phase exception:
Audit phase found failures – 0/1 audits failed
...
Running handlers:
Running handlers complete
Chef Client failed. 2 resources updated in 7.640621371 seconds
0 Audits succeeded

Page 26: Compliance at Velocity with Chef

How it Works

Failures:

1) services Windows Firewall should be enabled and running Failure/Error: expect(firewall).to have_start_mode('Automatic') expected ...
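The audit phase shown on pages 24 to 26 evaluates each control, collects the expectations that did not hold, and summarises them as "N/M audits failed" followed by the per-control failure messages. The following is an added example, not code from the slides or from Chef itself: a plain Ruby stand-in for that flow that checks a Windows Firewall control against constructed node state, so the control-to-report path can be run without a Chef server or a Windows host. The node hashes, `expect_eq`, `run_audit` and `report` are hypothetical names introduced here; real audit mode evaluates RSpec-style matchers against live service state instead.

```ruby
# Added example (not from the slides): a minimal stand-in for Chef's audit phase.
# A "node" is a constructed hash of service state; "controls" are named checks
# that return a list of expectation failures. run_audit produces the kind of
# summary the chef-client output above shows: which controls failed and why.

# Constructed node state standing in for what Chef's `service('MpsSvc')`
# helper would inspect on a real Windows host.
NODE_COMPLIANT = {
  'MpsSvc' => { enabled: true, running: true, start_mode: 'Automatic' }
}.freeze

# Same service, but its start mode has drifted from policy.
NODE_DRIFTED = {
  'MpsSvc' => { enabled: true, running: true, start_mode: 'Manual' }
}.freeze

# Hypothetical helper: one expectation; nil on success, a message on failure.
def expect_eq(subject, attr, want)
  got = subject.fetch(attr)
  got == want ? nil : "expected #{attr} to be #{want.inspect}, got #{got.inspect}"
end

# Controls mirror the slide's control_group 'services' / control 'Windows Firewall'.
# Each control takes node state and returns an array of failure messages
# (empty when every expectation holds).
CONTROLS = {
  'services Windows Firewall should be enabled and running' => lambda do |node|
    fw = node.fetch('MpsSvc')
    [
      expect_eq(fw, :enabled, true),
      expect_eq(fw, :running, true),
      expect_eq(fw, :start_mode, 'Automatic')
    ].compact
  end
}.freeze

# Run every control against the node and keep only the ones that failed.
def run_audit(node, controls = CONTROLS)
  failures = controls.each_with_object({}) do |(name, check), acc|
    msgs = check.call(node)
    acc[name] = msgs unless msgs.empty?
  end
  { total: controls.size, failed: failures.size, failures: failures }
end

# Render the result in the same shape as the chef-client audit-phase output.
def report(result)
  lines = []
  if result[:failed].positive?
    lines << "Audit phase found failures - #{result[:failed]}/#{result[:total]} audits failed"
    result[:failures].each_with_index do |(name, msgs), i|
      lines << "#{i + 1}) #{name}"
      msgs.each { |m| lines << "   Failure/Error: #{m}" }
    end
  end
  lines << "#{result[:total] - result[:failed]} Audits succeeded"
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts report(run_audit(NODE_DRIFTED))
end
```

Running the file prints the drifted node's single failure, the start-mode expectation, while `run_audit(NODE_COMPLIANT)` reports zero failures; in a real deployment the drifted case is what Chef Analytics for Compliance would surface as a violation.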

Page 27: Compliance at Velocity with Chef

Node State Overview

Page 28: Compliance at Velocity with Chef

Audit Mode Demo

Page 29: Compliance at Velocity with Chef

Questions?