Chef Blogs

ChefConf CFP Track: Compliance Automation

Mandi Walls | Posted on | ChefConf | community

ChefConf is the largest community gathering and educational event for teams on the journey to becoming fast, efficient, and innovative software-driven organizations. In other words, you and your team! We want to hear from you!

ChefConf 2019 will take place May 20-23 in Seattle, Washington, and we want you to present! The ChefConf call for presenters (CFP) is now open. One of the tracks you might consider proposing a session for is the Compliance Automation track.

Compliance Automation

Every system in your environment is subject to some sort of compliance controls. Some of those controls, such as PCI-DSS, HIPAA, and GDPR, may be prescribed by an external regulatory body. Other controls may be prescribed by teams within your organization, such as the InfoSec team. There may even be controls that you do not think of as “compliance”, such as a control or policy that states agents should receive updates daily. Defining, modeling, and managing these controls as code is the only way to efficiently and continuously audit and validate that standards are being met.

Assessing Current State

One of the first steps to automating an environment is getting a handle on the current state of that environment. InSpec is a human-readable language for specifying compliance, security and other policy requirements. Capture your policy in InSpec tests and run those tests against remote nodes to easily assess whether those nodes are configured properly. Running these tests across the entire fleet is as easy as adding the audit cookbook to your nodes’ run lists. The chef-client will send InSpec test results as well as lots of information about the node (such as ohai attributes) off to Chef Automate. From there, you will be able to quickly detect and assess which nodes require intervention or remediation and which are compliant with the prescribed policies.

Presenting about how InSpec helped you with your compliance needs can be extremely powerful to those just starting their compliance journey. For example:

  • How are you running InSpec tests against your fleet? What inconsistencies have you discovered?
  • Are you continuously checking your compliance status with the audit cookbook?
  • How has InSpec impacted your mean time-to-detect issues?
  • Has InSpec helped you with a large platform upgrade or migration?
  • Has InSpec had an impact on your audit practices?

Compliance Profiles

Chef Automate ships with over 80 compliance profiles, many based on the Center for Internet Security (CIS) Benchmarks. The community is sharing compliance profiles on the Chef Supermarket. You may be writing your own compliance profiles to capture the unique requirements for your business and infrastructure. As a community, the practices for managing compliance profiles are still emerging. For example, profile inheritance makes it easy to share profiles across your fleet and even across the community. Profile attributes allow authors to abstract the data associated with a profile. Metadata in controls, such as impact, tags, and external references provide additional context for deciding what to do when there is a failure.

  • How is your team collaborating on profile development? Have you defined any practices around repository layout, profiles per node, required metadata, etc?
  • Which profiles are you using from Chef Automate or the Supermarket? How are you sharing custom profiles?
  • Are profiles enabling better collaboration between various parts of your organization? E.g., InfoSec and Operations, Development and Security. Are stakeholders better able to share and contribute to requirements?

Custom InSpec Resources

InSpec ships with a myriad of resources for asserting the state of your infrastructure. When these resources aren’t enough, or you want to share a resource with your colleagues for use in multiple profiles, you may find it necessary to create custom resources. These resources may cover components not available with the standard resources or may be a way of creating more clear compliance profiles.

  • What custom resources have you developed?
  • How do you write a custom resource?
  • What are some of the pitfalls and benefits of writing custom resources?

Local Development

InSpec is certainly used to model and assess compliance controls. However, it also leads a double life as a very powerful framework for modeling integration tests for infrastructure code. Tools like Test Kitchen make it easy to spin-up local infrastructure for testing and validating the results of executing that code. Kitchen-inspec is a plugin that executes InSpec tests during the validation phase of the Test Kitchen lifecycle. This integration testing is done before any code changes are submitted to the production environment. Of course, there are other frameworks that allow for similar integration testing, such as pester, BATS, or Serverspec.

  • How are you running integration tests for your infrastructure code?
  • Are you using compliance profiles during your integration testing?
  • How do your integration tests compare to your compliance profiles?
  • Why did you migrate to InSpec for integration tests?
  • Are your application developers also encouraged to use InSpec profiles when creating new services and features in their projects?

To the cloud! Beyond machine configurations

Assessing and asserting the state of nodes in your fleet is important but perhaps you also have policies that govern how you configure and consume the cloud. These policies may govern how to manage things like security groups, user authentication, and resource groups. In addition to cloud concerns, you may have policies that describe the way applications should be configured. Do you have policies that cover the configuration of your database servers, application servers, or web servers? InSpec is one way to capture these policies as code and regularly assess the state of your cloud and applications.

  • What security policies have you put in place to manage cloud usage?
  • How are you visualizing the state of your cloud compliance controls?
  • What application configurations are you validating with InSpec?

Getting Started

Automating compliance is a relatively new practice and the tools available are quickly evolving. How are you getting started with compliance automation? Have you started with out-of-the-box profiles or custom profiles? Simple integration tests or full compliance profiles? You do not need to be an expert to help others get started! Your experiences getting started with compliance automation are worth sharing, even if as cautionary tales. ChefConf is a great place to help fellow community members get started on the right foot.

  • What do you wish you knew when you first got started?
  • How are you helping people across your organization get started with compliance automation?
  • Which use cases are well-suited for getting started with compliance automation?

DevSecOps

DevOps has always been a cultural and professional movement, not a tool. Of course, there are tools, like git and Chef, that help advance the practices of the movement. Tool choices reinforce and amplify the culture we have. Compliance automation allows us to welcome more people into the DevOps community. Automation increases speed and efficiency while simultaneously decreasing risk in our environments. Sometimes people approach this automation with a bit of skepticism. The role of information security can be fundamentally changed by embracing the collaborative nature of DevOps and the automation of security practices.

  • What challenges or successes have you had welcoming security professionals to your DevOps practices?
  • How is the role of security changing in your organization?
  • How have your practices for handling zero-day vulnerabilities changed?
  • Have you had a large public event that caused you to reevaluate your approach to security?

Other Tracks

The ChefConf CFP is open for the following tracks:

Share Your Story

Your story and experiences are worth sharing with the community. Help others learn and further your own knowledge through sharing. The ChefConf CFP is open now. Use some of the questions posed here to help form a talk proposal for the compliance automation track.

Submit your talk proposal now! The deadline is Friday, January 11, 2019 at 11:59 PM Pacific time.