Compliance at Velocity with Chef
TRANSCRIPT
Compliance@Velocity
James Casey
The promise of the coded business
Transformation to high-velocity
Regulatory compliance frameworks
OFAC
USA PATRIOT Act
Gramm-Leach-Bliley Act
Red Flags Rule
Bank Secrecy Act
Sarbanes-Oxley
Regulation E
Dodd-Frank
False Claims Act
HIPAA
European Central Bank regulations
Prudential Regulation Authority
Financial Conduct Authority
HITECH
PCI DSS
The conflict between compliance and velocity
The compliance challenge
The velocity challenge
The compliance cycle
Reconciling compliance and velocity
The automation cycle
Analyze
• Be clear about what the desired system outcome actually is
• Take regulatory requirements and enterprise policies into account
• Choosing the desired state and expressing it at an appropriate level of detail can be more challenging problems than writing the automation code itself!
Specify
• Closing the gap between specifying and implementing regulations requires an unambiguous expression of the requirement in human- and machine-readable form.
• A domain-specific formal language (DSL) can achieve this level of clarity and precision.
• Chef recipes, tests and compliance rules are ideal for the task.
Example
package 'apache2'

service 'apache2' do
  action [:start, :enable]
end
Test
• Automated tests give confidence that the requirement has actually been met
• Writing the tests first gives developers and system administrators a clear set of standards that compliant systems must meet.
• Automated tests scale better than manual tests.
Example
Certify
• A separate certification step is not always required
• In some cases, regulatory requirements or organizational processes do require a final human sign-off
• The better your tests, the shorter the certification step can be
• Be sure not to confuse certification and testing
The changing role of the compliance officer
A single accelerated cycle
Chef Analytics for Compliance
"Built-in controls support quality and empowerment initiatives, avoiding unnecessary costs and enabling quick response to changing conditions."
- Davis & Schiller, "IT Auditing: Using Controls to Protect Information Assets", 2nd Ed.
To Operate at Velocity, Teams Need:
• A policy application & execution engine: Chef client/server
• A system to deliver changes at speed, safely, reliably, predictably: Chef Delivery
• A system to visualize all changes happening in real time, whether automatic or manual: Chef Analytics: Insights
• A system to enforce node state and report on violations for compliance reasons: Chef Analytics: Compliance
Chef Insights
• Provides visibility into changes happening across your entire infrastructure
Chef Analytics for Compliance
• Make changes at speed while ensuring infrastructure is compliant with formal or informal policy
Integrations and Notifications
• Send data to external systems like Splunk
• Send arbitrary events to messaging or alerting systems
Chef Compliance
How it Works
control_group 'services' do
  control 'Windows Firewall' do
    let(:firewall) { service('MpsSvc') }

    it 'should be enabled and running' do
      expect(firewall).to be_enabled
      expect(firewall).to be_running
      expect(firewall).to have_start_mode('Automatic')
    end
  end
end
[Diagram: recipe, cookbook, server]
How it Works
PS C:\> chef-client --audit-mode enabled
...
Starting audit phase
Audit phase exception:
Audit phase found failures – 0/1 audits failed
...
Running handlers:
Running handlers complete
Chef Client failed. 2 resources updated in 7.640621371 seconds
0 Audits succeeded
How it Works
Failures:
1) services Windows Firewall should be enabled and running
   Failure/Error: expect(firewall).to have_start_mode('Automatic')
   expected ...
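An added example that is not part of the deck and not Chef's own code: a plain-Ruby model of the Analyze/Specify/Test/Certify cycle from the automation-cycle slides and of the audit phase shown in the How it Works slides, so the converge/audit split can be run and inspected offline. The node snapshot, the apache2 control, the converge step and the report wording are constructed for illustration; only the service names (MpsSvc, apache2) and the enabled/running/Automatic expectations are taken from the deck. A real control_group runs under chef-client --audit-mode, which this script does not need.

```ruby
# Added example, not from the deck and not Chef's own code: a pure-Ruby model of
# the specify -> test -> converge -> re-test cycle that chef-client's audit phase
# implements. Node state is a constructed snapshot; the service names (MpsSvc,
# apache2) and the Automatic start-mode requirement come from the deck.

# Constructed "before" snapshot standing in for the facts chef-client gathers.
# MpsSvc mirrors the failing slide: enabled and running, but start mode Manual.
NODE_BEFORE = {
  'MpsSvc'  => { enabled: true,  running: true,  start_mode: 'Manual' },
  'apache2' => { enabled: false, running: false, start_mode: 'Manual' }
}.freeze

# A control is a named list of checks. Each check reads the snapshot and returns
# nil on success or a failure message (the job expect(...).to does in the DSL).
Control = Struct.new(:group, :name, :checks)

# The three expectations the deck's Windows Firewall control makes, generalised
# to any service name.
def service_checks(svc, start_mode: 'Automatic')
  state = ->(node, key) { node.fetch(svc, {})[key] }
  [
    ->(node) { state.call(node, :enabled) ? nil : "expected #{svc} to be enabled" },
    ->(node) { state.call(node, :running) ? nil : "expected #{svc} to be running" },
    ->(node) {
      actual = state.call(node, :start_mode)
      actual == start_mode ? nil : "expected #{svc} start mode #{start_mode}, got #{actual.inspect}"
    }
  ]
end

# Specify: controls are written first, before any remediation exists.
CONTROLS = [
  Control.new('services', 'Windows Firewall', service_checks('MpsSvc')),
  Control.new('services', 'apache2',          service_checks('apache2'))
].freeze

# Test (the audit phase): read-only. Evaluate every control against the snapshot
# and collect failures; nothing on the node is changed here.
def audit(node, controls)
  failures = controls.map do |c|
    messages = c.checks.map { |check| check.call(node) }.compact
    messages.empty? ? nil : ["#{c.group} #{c.name}", messages]
  end.compact
  { total: controls.size, failed: failures.size, failures: failures }
end

# Converge: what the recipe's `service ... action [:start, :enable]` resource
# does. Returns a new snapshot; only the named services change.
def converge(node, desired_start_modes)
  fixed = desired_start_modes.transform_values do |mode|
    { enabled: true, running: true, start_mode: mode }
  end
  node.merge(fixed)
end

# Render a result the way an operator reads it: one summary line, then each
# failing control (modeled on, not identical to, chef-client's audit output).
def report(result)
  lines = ["Audit phase: #{result[:failed]}/#{result[:total]} controls failed"]
  result[:failures].each_with_index do |(name, messages), i|
    lines << "#{i + 1}) #{name}"
    messages.each { |m| lines << "   Failure/Error: #{m}" }
  end
  lines.join("\n")
end

# The full cycle: audit (expected to fail), converge, audit again. The exit
# status is what a Chef Delivery stage or CI job would gate on.
def run_cycle(before = NODE_BEFORE)
  first  = audit(before, CONTROLS)
  after  = converge(before, 'MpsSvc' => 'Automatic', 'apache2' => 'Automatic')
  second = audit(after, CONTROLS)
  { before: first, after: second, exit_status: second[:failed].zero? ? 0 : 1 }
end

if $PROGRAM_NAME == __FILE__
  cycle = run_cycle
  puts report(cycle[:before]), '---', report(cycle[:after])
end
```

Running it prints a first audit that fails on both controls (MpsSvc only on its start mode, apache2 on all three expectations) and a clean second audit after converge. The deck's point is visible in the structure: audit only reads the snapshot and returns a result, converge is the only function that produces a changed node, and the exit status is the signal a Delivery pipeline or a certification step would gate on.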
Node State Overview
Audit Mode Demo
Questions?