Building an automated and compliant cloud environment with Chef & CTP

Cloud Technology Partners is a Chef Professional Services Partner with expertise in regulatory compliance for cloud. They have been an amazing partner for Chef, working with our shared customers to ensure they are successful in executing on their respective goals. Sahil Sethi, CTP’s Director of Ecosystem and Channels, recently shared with us some of the ways that InSpec in particular has been transformative for his customers. You can watch the full video interview below.

Compliance as Code

InSpec provides IT professionals with a simple-to-use language for defining and auditing their requirements for infrastructure and applications, so that even as systems change over time, they remain in compliance with those requirements. With Chef Automate, those audits can be visualized across an organization’s entire estate. Whether an environment consists of dozens or tens of thousands of systems, Chef Automate is where you can go to find an aggregate of their overall compliance — updated with every change, so you always know your current state.

“…there are three ways that clients approach compliance”

A key point that Sahil calls out in our conversation is that “compliance” can mean entirely different things to different organizations. However, regardless of the specific needs of any individual organization or group, each needs to first define the requirements of their business, and then validate whether those requirements have been fulfilled. It’s that base commonality that makes InSpec versatile enough to serve a broad range of compliance goals. To paraphrase Sahil, he breaks those clients down into three groups:

Clients with no specific requirements

Even without auditors coming to call, every organization is responsible for ensuring their systems are secure. As Sahil mentions, many cloud providers, like AWS and Microsoft Azure, will publish security best practices to help guide organizations in achieving that end. Between the open-source compliance profiles available on the Chef Supermarket, and InSpec’s cloud modules, it’s easier than ever to start implementing those practices!

Clients with regulatory requirements

In certain industries, organizations must comply with regulatory frameworks like HIPAA, PCI or SOX. Each of these frameworks has detailed requirements that must be met, and Chef Automate customers have access to the CIS Benchmarks to help start them off with best practices defined by the Center for Internet Security.

Clients with needs beyond regulatory frameworks

For some, even the requirements detailed in auditing frameworks aren’t stringent enough for their needs, and they’ll need to enforce their own policies above and beyond what their auditors require. This is where the flexibility of InSpec really shines. The DSL provides a ton of helpful resources to ensure that any requirement you can define can be audited with minimal coding experience.
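As an added illustration (not code from the post, Chef or CTP) of how an organization's own, stricter policy is expressed in the InSpec DSL, the control file below audits both a host's SSH daemon and an AWS account's IAM password policy and S3 bucket exposure. It assumes InSpec 4+ with the inspec-aws resource pack loaded as a profile dependency; the bucket name and length thresholds are constructed placeholder values.

```inspec
# controls/internal_policy.rb in an InSpec profile, run with `inspec exec <profile>`.
# Each `control` is one auditable requirement; `describe` blocks use built-in resources.

control 'internal-ssh-01' do
  impact 1.0
  title 'SSH daemon rejects password and direct root logins'
  desc 'Internal policy: key-based, non-root access only, regardless of the baseline.'

  # sshd_config is a core InSpec resource; keys are read by their sshd_config name.
  describe sshd_config do
    its('PasswordAuthentication') { should cmp 'no' }
    its('PermitRootLogin') { should cmp 'no' }
    its('PermitEmptyPasswords') { should cmp 'no' }
  end

  # The configuration file itself must not be writable by anyone but root.
  describe file('/etc/ssh/sshd_config') do
    it { should be_owned_by 'root' }
    its('mode') { should cmp '0600' }
  end
end

control 'internal-aws-01' do
  impact 0.7
  title 'IAM password policy and audit-log bucket exposure'
  desc 'Internal policy: 14+ character passwords with reuse prevention; log bucket never public.'

  # Resources below come from the inspec-aws resource pack (InSpec cloud modules).
  describe aws_iam_password_policy do
    it { should exist }
    its('minimum_password_length') { should be >= 14 }   # placeholder threshold
    it { should require_uppercase_characters }
    it { should require_numbers }
    it { should require_symbols }
    it { should prevent_password_reuse }
  end

  # Constructed bucket name; replace with the real audit-log bucket.
  describe aws_s3_bucket(bucket_name: 'example-org-audit-logs') do
    it { should exist }
    it { should_not be_public }
    it { should have_default_encryption_enabled }
  end
end
```

Each failing `describe` expectation is reported under its control's impact score, and when the profile runs through Chef Automate those results roll up into the estate-wide compliance view described above.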

Next Steps

Nick Rycar

Nick is a Technical Product Marketing Manager working out of Chef HQ in Seattle. When he's not busy preparing product demos, he's torturing his colleagues with terrible puns and needlessly esoteric pop-culture trivia. Mostly he's just another confused New York transplant in the Pacific Northwest.