Unlocking Speed and Efficiency with Compliance as Code - InformationWeek
Commentary
7/13/2017 07:00 AM
Nathen Harvey

Unlocking Speed and Efficiency with Compliance as Code

A key element of DevOps is the ability to build security and compliance into the application process -- continuous compliance.

Are organizations effectively tackling the costly cybersecurity threats that are plaguing today’s data centers? It depends on who you ask. Companies across various industries -- Starbucks, Aetna, JPMorgan Chase, Home Depot and more -- are working together to establish shared principles that better assess how prepared a company is for cyber threats. New York state has instituted first-of-its-kind regulations to protect consumer data. The EU General Data Protection Regulation becomes effective in 2018 in an effort to enforce responsible data governance. We’re certainly making headway.

But at the same time, current security processes do not let companies keep pace with either the speed and number of attackers or the growing number of compliance regulations.

Everyone wants to be safer, but regulatory burdens and compliance add extra drag on the system, and controls that live in notebooks, spreadsheets and PDFs are difficult to verify. Being compliant often comes at the expense of speed. In order to marry the need for speed with the need for security, companies need to manage compliance as code.

Consequences of slow security

According to the Data Breach QuickView report, 2016 saw more than 4,000 data breaches, a record high. And it’s not just hackers costing large enterprises money in the security department. The recent three-day IT outage at British Airways lost the airline $20 million in cancelled flights and an estimated $105 million in potential sales that were never made.

Scanning production systems for compliance, instead of continuously testing against security and compliance measures throughout the entire development process, means organizations find violations when it’s already too late. This mistake is expensive, as shown by British Airways, the recent WannaCry attack and the recurrence of Petya, among countless others.

With financial repercussions looming, it’s no wonder companies see the value in proper compliance checks. However, assessing the state of compliance can be a challenge. According to a recent Chef survey of IT practitioners and decision-makers, 22% of respondents test compliance inconsistently and 23% don’t test at all. What is causing this lack of action?

In working with various organizations, I’ve observed that today’s audits are events that are planned for and require significant time and effort for everyone involved. It can be difficult to directly tie the effort involved in these audits to real customer and business value. As such, an audit is seen as distracting and taking away too much time from the “real work” at hand.

[Nathen Harvey and other DevOps experts headed up the DevOps track at the recent Interop ITX conference.]

Others seem to have noticed this too. Based on a Gartner report, 81% of IT operations professionals say they believe information security policies slow them down. Add to this Chef’s finding that faster deployment is the number one priority to boost overall performance, and it’s clear that improving the speed within the security and compliance vertical must be addressed.

The naive approach is to increase the time between audits to alleviate some of this pain, just like we used to deploy less frequently because it was so difficult.

Before we moved faster, every deployment was a significant event that included a lot of ceremony: pre-release announcements and meetings, all hands on deck while the updates were deployed, long hours spent working outside of normal business hours. As we move towards continuous deployment, these “events” become a normal part of our everyday work.

Image: Shutterstock/garagestock

Continuous compliance is the solution

Chef found that 73% of survey respondents who have regulatory standards to follow wait until after development work has begun to assess compliance. When speed and regulations are both imperative for building and deploying apps, it’s a risky oversight to leave compliance and security to the end.

With continuous compliance, regulations are converted into code and security assessments are completed as part of the normal development workflow. Running security assessments becomes as common as running unit tests. This reimagined workflow enables teams to know, at any point, if a security vulnerability is present, allowing for a more proactive approach to security assessments.
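As an added illustration (not code from this article, from Chef, or from any real compliance tool), here is what a control written as code can look like: a plain-Ruby script that parses a constructed sshd_config sample and evaluates three hypothetical controls, producing the same pass/fail signal a pipeline would gate on for a unit-test run. The control identifiers and thresholds are assumptions chosen for the example.

```ruby
# Constructed sshd_config sample, deliberately non-compliant.
SAMPLE_SSHD_CONFIG = <<~CONF
  # OpenSSH server configuration (constructed sample)
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
  MaxAuthTries 10
CONF

# Parse an sshd_config body into { lowercased keyword => value }. Comments and
# blank lines are skipped; sshd honours the first occurrence of a keyword.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    settings[key.downcase] ||= value
  end
  settings
end

# Hypothetical controls: id => [description, check lambda over settings].
CONTROLS = {
  "ssh-01" => ["Root login over SSH must be disabled",
               ->(s) { s["permitrootlogin"] == "no" }],
  "ssh-02" => ["Password authentication must be disabled",
               ->(s) { s["passwordauthentication"] == "no" }],
  "ssh-03" => ["MaxAuthTries must be set to 4 or fewer",
               ->(s) { s.key?("maxauthtries") && s["maxauthtries"].to_i <= 4 }],
}.freeze

# Evaluate every control; returns { id => { desc:, passed: } }.
def evaluate_controls(config_text, controls = CONTROLS)
  settings = parse_sshd_config(config_text)
  controls.transform_values do |(desc, check)|
    { desc: desc, passed: check.call(settings) }
  end
end

# Overall verdict: true only when every control passes, the same
# all-or-nothing signal a unit-test run gives a pipeline.
def compliant?(config_text, controls = CONTROLS)
  evaluate_controls(config_text, controls).values.all? { |r| r[:passed] }
end

evaluate_controls(SAMPLE_SSHD_CONFIG).each do |id, r|
  puts "#{r[:passed] ? 'PASS' : 'FAIL'} #{id}: #{r[:desc]}"
end
```

In a pipeline the script would exit non-zero when `compliant?` is false, so a non-compliant change fails the build before it ever reaches production.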

While this process is not a safeguard against cyberattacks like Heartbleed or even internal outages like the one British Airways experienced, it does allow for faster remediation -- we are talking hours instead of weeks and months -- so that end users, and the bottom line, are less affected. In the event a breach happens, it’s estimated the average dwell time before identifying a network breach is approximately 200 days. Do you think your customers would find it acceptable if you sat on a problem for more than six months before attempting a fix?

Continuous compliance provides a better solution against security issues and fosters an environment in which developer, infrastructure and security teams work together. Take a look at how your team is implementing security measures and compliance testing. Can you benefit from a process that is faster and more secure?

As Vice President of Community Development at Chef, Nathen helps the community whip up an awesome ecosystem built around the Chef framework. He also spends much of his time helping people learn about the practices, processes, and technologies that support DevOps, Continuous ...