Why Compliance-as-Code Is the Single Most Transformative Step You Can Take Towards Enterprise DevOps

Consume my knowledge as code!

Compliance-as-Code- March-18 v13 · compliance-as-code? You could use InSpec. InSpec is an open-source testing framework that lets you simply specify compliance controls as code and


Author: Cliff Almond, Principal Consultant • Contino

Contents

02 Dressing for the Occasion
03 Why Is Compliance Important?
05 What Is Compliance-as-Code?
06 Why Compliance-as-Code?
07 Benefits of Compliance-as-Code
10 Clear the Path to the Cloud
11 How to do Compliance-as-Code: Introduction to InSpec
12 Why Is InSpec So Useful?
13 The True Security Challenges Revealed!
14 The End
15 Who Is Contino

Dressing for the Occasion

Imagine a night club called ‘The Compliance’.

Everyone in your business wants to go and dance the night away ‘in compliance’.

But it has a very strict dress code.

Only a few people in your organization know what the dress code is, but they have no way of letting everyone else know! So when everyone turns up dressed completely inappropriately, they get turned away.

In the software delivery world, this is what it’s like trying to get to production without the proper controls.

It’s like trying to get into a fancy night club dressed like a clown.

Not going to happen.

In the enterprise, only the risk managers know what controls need to be embedded in your SDLC up front (AKA the ‘dress code’).

But this information is kept in a 40-page PDF, and is not accessible enough to be useful where it matters: at the very beginning of the software development lifecycle.

As a result, there will inevitably be delays and these will cost you money. Or you might end up releasing insecure software and being breached. This will also cost you money.

In this white paper, we’ll look at how compliance-as-code can help you to translate siloed compliance knowledge into simple code that can be scaled effectively across your company. We’ll then show you why it’s the single most transformative step you can take to advance towards DevOps.

Then everyone not only knows the dress code, but might even get on the guest list.

Why Is Compliance Important?

Highly-regulated industries must not only be compliant with many regulations, but be able to demonstrate compliance.

Do you know the status and configuration of every single machine in your estate, right now?

Can you easily scale how you gather and embed compliance requirements into your SDLC across your entire organization?

Does your security team know what your development team does?

Does your development team know what your security team does?

Imagine, a regulator turns up on your doorstep and raises a quizzical eyebrow.

“How have you enforced PCI/DSS in your coding standards for your payment processing applications in Portugal?”

These questions are difficult to answer and they have serious real-world implications.

What are the implications of poor compliance?

Lower revenues and higher risk!

Let’s take a closer look.

Let’s look at money.

If you can’t provision a server or go to production because a compliance issue has suddenly arisen at the last minute, you are losing money.

By streamlining the compliance process, innovation and time-to-market are accelerated, and revenue is likely to increase accordingly.

Now, risk.

The modern security risk to large enterprises is so high that you could lose an eye-watering percentage of your market capitalization.

Accordingly, in this era of cyber insecurity, one of the best ways of making money is not losing money. Thus, simply by not being Equifax, companies can make more money than the competition.

Innovations like compliance-as-code carry their own risks, but nothing compared to the risk of doing nothing!

If you’re experiencing problems, it means that you didn’t bring the risk guys to the conversation early enough or in the right way.

How do you bring them into the conversation in the right way?

With compliance as code.

Read on!

What Is Compliance-as-Code?

If you could do one thing to minimize risk and maximize financial gains, it would be compliance-as-code.

Compliance-as-code means defining your compliance requirements in a human- and machine-readable language. Configurations can then be automatically deployed, tested, monitored and reported on across your entire IT estate.

It’s the equivalent – technologically speaking – of the shift from cassette tapes to mp3. Or from Polaroids to digital photography.

Going from patching machines manually to patching your entire estate automatically at the push of a button with pre-baked scripts, for example, is like moving onto a different plane of effectiveness altogether.

This is a game-changer.

Let us tell you a story.

Once upon a time, there was a well-known insurance company. They had no idea about the level of patching on 60,000 machines. They had 300 people about to embark on a 90-day patch cycle. A significant group of the machines were operating on Windows 2003, which is no longer supported by Microsoft. They were paying an agency millions to continue to make patches for these 2003 computers. We put InSpec, a compliance-as-code tool, on their machines and made the problem go away, overnight.

One InSpec test across 60,000 servers revealed more about their compliance and risk posture in a single day than their security team had learned in the last ten years.

What other technical move gives you so much, for so little?

That’s not a risk. That’s a no-brainer.

Why Compliance-as-Code?

Compliance-as-code allows you to create many opportunities at many stages of the software delivery lifecycle to not lose money.

It does this by creating spaces where you can guarantee that something is done for the sake of security or compliance.

This works at all points in the SDLC: during development (preventing known issues) or in production (reacting to emerging issues).

It takes all the rules and controls that you need to stay secure and compliant and drives them all the way through your entire company so that everyone knows what ‘done’ looks like.

Some innovators might not agree with what ‘done’ ends up looking like. But now they can at least have the right conversation in the right place – which is in code!

Then you know you are safe. If you’re lucky, once you’re safe, you might be able to go fast. And if you go fast, you might make some money.

But if you’re not safe you’ll be going nowhere fast. Probably at great cost!

No more ambiguously-worded, 3-inch-thick compliance tomes – only precise code.

Benefits of Compliance-as-Code

Let’s get nice and specific about what compliance-as-code actually can bring to your organization.

01 Know exactly what’s going on across your IT estate at all times and report this immediately

Using compliance-as-code you can know exactly what is deployed and with what configuration at any point in time. You also know what deviations any machines exhibit compared to standards and policies. The ‘acceptance criteria’ for any build can be built into your pipeline and recorded in your corporate log.

The above points mean that you know your risk exposure at any time.

You also have a historical record of everything that has happened across the delivery lifecycle and can use this to provide anything that regulators could ask for.

02 Help both risk and development teams do their jobs better and faster

Once security teams have done the (admittedly tough!) work of translating their enormous compliance binders into scripts and templates, they can scale properly across the organization because their concerns are baked into policies.

Once development teams are given the freedom to easily consume compliance rules that exist in a language they can use (code), they can deploy more quickly and without unnecessarily bothering the security guys, who are free to press on with more difficult challenges.

03 Demystify how to go to production

Compliance-as-code helps enterprises to articulate what it means to go to production.

When everyone knows what ‘done’ looks like and what the state of the delivery pipeline is, the path to production has been cleared. There are zero surprises awaiting the development team and, if they’ve done their job properly, it’ll get through.

04

Once production has been demystified, making changes suddenly becomes a non-event.

You spec out the requirements, write the code and deploy it safely.

Say there was a zero-day vulnerability that required a change in policy or standards. Devs can update the Ansible or Chef script and now identify vulnerable machines. You can subsequently push fixes through the pipeline a lot faster because security standards are integrated into business requirements.

05

Security experts are thin on the ground.

Your security experts should not be wasting their time patching machines. They should be concentrating on really difficult, scary questions that require real expertise and can’t be solved by writing automated scripts.

Automate the low-hanging fruit and you turn your security team from a disciplinary function into an auditing function. Security-as-a-service, almost!

06 Scale the biggest bottleneck to security: making standards easy to consume

It doesn’t matter how fast you code if no one knows the proper security process.

Compliance-as-code takes the tightest delivery bottleneck (reading the 40-page compliance PDF) and makes it instantly scalable by translating it into automated scripts.

All of the above translate into concrete business objectives:

Stay safe at speed and scale

Reduce the cost of managing, auditing and ensuring compliance

Generate data for audits much more easily and quickly

Accelerate time-to-market

Make change a non-event

Help subject matter experts (SMEs) to add 10x more value

Need to Accelerate Your Digital Transformation?

We can help you to accelerate strategic digital transformation projects while upskilling your teams in modern, cloud-native ways of working.

Find out more: contino.io

Clear the Path to the Cloud

Going to the cloud any time soon?

Here’s something that we have learned from nearly 100 cloud transformation projects.

(It’s a secret. So don’t tell anyone else.)

The application is code. That can be migrated (maybe with a bit of refactoring).

The infrastructure is code. You can spin up the infrastructure you need as code as an Amazon Machine Image.

The controls that validate the whole thing?

Still in that 40-page PDF on your Intranet.

The biggest blocker to migrating to the cloud is your controls!

But once your controls are translated into code… everything is code!

The final constraint is freed! And the path to the cloud is clear.

How to do Compliance-as-Code: Introduction to InSpec

So how do you get started with compliance-as-code?

You could use InSpec.

InSpec is an open-source testing framework that lets you simply specify compliance controls as code and apply these to all your systems.

It turns giant spreadsheets of PCI/DSS compliance (for example) into human-readable code!

For example, the few lines of InSpec code below automatically check the patch level of all your Linux servers.

You can have every machine in your estate run this code every 30 minutes and it will compare what is available in the repositories (yum) to what is installed and let you know when you have drift.

Source: https://github.com/dev-sec/linux-patch-baseline

```ruby
# InSpec control: a named, weighted check that the host has no pending updates.
control 'verify-patches' do
  impact 0.3                               # severity weighting on InSpec's 0.0-1.0 scale
  title 'Operating system is up-to-date'
  describe linux_update do                 # resource that queries the package manager
    it { should be_uptodate }              # fails when installed packages lag the repositories
  end
end
```

Say InSpec reveals that your servers aren’t up-to-date.

A potential way to ‘remediate’ if you do have drift is to use the same agent to run this command:

`yum update -y`

This then updates the packages to the latest available in the repository.

And voila. You’re compliant.
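The drift check described above, as an added example written for this edit (not code from the white paper or from the dev-sec profile): a plain-Ruby stand-in for what the `linux_update` resource decides on a yum host, which parses a constructed sample of `yum check-update` output, produces a result shaped like the control on the page, and rolls results up across hosts the way an estate-wide report would. The sample output, the package versions and the function names are assumptions; only the yum exit-code convention (0 = nothing to do, 100 = updates available) is real.

```ruby
require 'json'

# Constructed sample of `yum check-update` output: two pending updates plus an
# obsoleting-packages section, which must NOT be counted as drift.
SAMPLE_CHECK_UPDATE = <<~OUT
  Loaded plugins: fastestmirror
  Loading mirror speeds from cached hostfile

  kernel.x86_64           3.10.0-1160.102.1.el7      updates
  openssl.x86_64          1:1.0.2k-24.el7_9          updates

  Obsoleting Packages
  new-tool.noarch         2.0-1.el7                  base
      old-tool.noarch     1.0-1.el7                  @base
OUT

# yum exit codes: 0 = nothing to do, 100 = updates available, anything else = error.
YUM_UPDATES_AVAILABLE = 100

# Parse the package table (name.arch / version / repo rows) up to the obsoleting
# section. Returns an array of {name:, arch:, version:, repo:} hashes.
def pending_updates(output)
  rows = []
  output.each_line do |line|
    break if line.start_with?('Obsoleting Packages')
    fields = line.split
    next unless fields.size == 3 && fields[0].include?('.') && !line.start_with?(' ')
    # rpartition keeps dots inside package names (e.g. python3.11) with the name.
    name, arch = fields[0].rpartition('.').values_at(0, 2)
    rows << { name: name, arch: arch, version: fields[1], repo: fields[2] }
  end
  rows
end

# Mirror the page's control: passed when yum reports nothing to update, failed
# otherwise (listing the drifted packages), error when yum itself failed.
def verify_patches(output, exit_status)
  result = { id: 'verify-patches', impact: 0.3, title: 'Operating system is up-to-date' }
  if exit_status == 0
    result.merge(status: 'passed', drift: [])
  elsif exit_status == YUM_UPDATES_AVAILABLE
    drift = pending_updates(output)
    result.merge(status: 'failed', drift: drift,
                 message: "#{drift.size} package(s) have updates pending")
  else
    result.merge(status: 'error', drift: [], message: "yum exited #{exit_status}")
  end
end

# Roll per-host results up into counts per status, the estate-wide view the paper
# describes, without re-running any check.
def estate_summary(results_by_host)
  summary = Hash.new(0)
  results_by_host.each_value { |r| summary[r[:status]] += 1 }
  summary
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(verify_patches(SAMPLE_CHECK_UPDATE, YUM_UPDATES_AVAILABLE))
end
```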

Why Is InSpec So Useful?

InSpec automates the easiest part of compliance: checking machines, installing patches, etc.

This frees you up to do the harder part: choosing how the machines should be configured to be compliant.

Humans are then doing what humans are good at, and machines are doing what machines are good at.

The result? Like our friends a few pages ago:

You can do one InSpec test across 60,000 servers and learn more about your compliance and risk posture in a single day than your security team learned in the last ten years.

Then the True Security Challenges Are Revealed!

Start implementing compliance-as-code and you’ll fix many problems (some of which you didn’t even know you had). What’s more, they’ll stay fixed.

Then what?

Well, your teams will no longer spend their time trying to optimize now-unnecessary manual processes and use their newfound temporal wealth to tackle the true security challenges that will deliver real results over the long haul:

How do you create an effective security culture?

How do you get one step ahead of upcoming regulations?

How do you convince teams that security is everyone’s responsibility?

What governance requirements need to be embedded into business processes?

What skills do you need? How do you get them?

Revealing and solving these difficult, subterranean problems will bring you much further forward compared to small, local tweaking of dials.

Then you’ll find that, instead of trying to figure out how you can scan individual machines a few minutes faster, your team is using their time to (say) analyze the security implications of migrating your legacy applications to that Kubernetes thing that everyone is banging on about.

The End

Let’s summarize what we’ve learned:

The What

Compliance-as-code turns complex governance requirements into human-readable code. This means that it is much easier for your development teams (and everyone else, for that matter) to consume.

The Why

This helps you to:

Embed security and compliance requirements into your delivery pipeline

Demystify the path to production as well as to the cloud

Not lose money

Maybe even make more money

The How

It goes without saying that you need to use a compliance-as-code tool like InSpec.

But it’s harder than that, isn’t it? The real change lies in your business culture.

You need buy-in from above and from below to ensure success.

Get in touch to find out how we can help you make the business case for compliance-as-code and come up with a strategy to prove it.

We find that a well-organized lighthouse project is the perfect way to prove the concept of innovations like compliance-as-code.

These projects provide enough data to confirm the business case for change and mitigate the risk of transformation delays and burnt investment.

Lighthouse projects act as a beacon for future capabilities and provide decision makers with a solid foundation on which to scale the solution across the wider business.

Contino has helped over 100 highly-regulated enterprises to adopt innovative approaches to software delivery, including Allianz, HSBC and Barclays.

Read Customer Stories

Who Is Contino

What We Do

Contino works with regulated enterprise clients to build and grow the capabilities necessary to deliver high quality, secure and compliant software change at speed and scale.

Enterprise DevOps: We help you to adopt a DevOps operating model to fight digital disruption by transforming your people, process and technology.

Cloud Computing: Our cloud migration and adoption services help you avoid common pitfalls and accelerate your journey to cloud innovation.

Cloud-Native Approaches: We use microservices, containers, serverless platforms and other cloud-native approaches to get the most out of DevOps and cloud-based operating models.

Security and Compliance: We use DevSecOps approaches to help you codify security, regulatory and compliance controls into your software delivery pipeline.

200+ People: The deepest pool of DevOps and cloud transformation talent in the industry

7 Global Offices: We can scale rapidly to support diverse client requirements across the globe

100+ Engagements: More DevOps transformation executed than any other professional services firm

$30m USD Funding: Backed by VC Columbia Capital, who are supporting our rapid global growth

Our Clients