We believe Gartner provides very useful guidance for organizations struggling with balancing the need to deliver products and services to market faster while having to deal with regulations and compliance requirements that may overburden their teams. The report is titled 3 Steps to Ensure Compliance and Audit Success with DevOps, which Chef has made available as a complimentary download for you here: https://chef.io/gartner2020
Among their recommendations, Gartner suggests organizations “balance speed and risk by implementing compliance-as-code (CaC) tools to continuously detect and remediate compliance violations.” Chef InSpec is recognized among the commercial products and open-source software compliance automation tools in the report, and according to Gartner “these tools enable continuous compliance to provide organizations with built-in solutions for common industry-specific regulations like SOX, PCI-DSS, HIPAA, DISA-STIG and GDPR.”
As the title suggests, the report outlines three key strategies Infrastructure and Operations (I&O) leaders should consider to be successful with compliance and audits in this modern day of DevSecOps practices.
- “Collaborate to Optimize and Simplify the Required Controls” – where all stakeholders hold responsibility for security and compliance within the organization. The report mentions “I&O leaders should work with relevant leadership – including chief risk officers and chief audit officers – to document and approve the organization’s risk appetite and mitigation strategy.”
- “Balance Speed and Risk by Leveraging Automation and Implementing Compliance as Code” – where teams should implement compliance automation, especially where the report puts it “DevOps teams need to implement CaC [Compliance as Code] by extending automation and infrastructure as code (IaC) to run tests against environments and ensure compliance.
- “Continuously Assess Toolchains Against the Organization’s Security and Compliance Requirements” – where toolchains become the primary way of delivering a continuous process to make sure continuous compliance is reached. The report highlights that “CaC [Compliance as Code], IaC [Infrastructure as Code] and continuous configuration automation (CCA) are all valuable for security and compliance”.
Compliance as Code with Chef Effortless Infrastructure
A key piece to compliance automation success is the ability to validate early and often in the software development lifecycle. Instead of performing compliance scans during security review right before deploying to production, Chef InSpec, a part of Chef’s Effortless Infrastructure Suite, enables organizations to test continuously as they move from one stage to the next in their software delivery process.
Chef Effortless Infrastructure Suite offers visibility into security and compliance status across all infrastructure and makes it easy to detect and correct issues long before they reach production.
Chef Effortless Infrastructure Suite translates infrastructure configuration and compliance policies into code, helping enterprises detect (with Chef InSpec) and correct (with Chef Infra) potential security issues at scale.
Not only can Chef InSpec be used to test and detect compliance issues with Chef Infra as part of the Chef Effortless Infrastructure Suite, but it also works with other configuration automation tools, such as Ansible, to ensure your environments remain continuous compliant.
Chef Effortless Infrastructure Suite provides closed-loop detect-and-correct capabilities of compliance as code and unparalleled content for security validation, including compliance profiles for CIS Benchmarks and DISA STIGs.
Download the Gartner report 3 Steps to Ensure Compliance and Audit Success with DevOps, which Chef has made available complimentary here: https://chef.io/gartner2020
To learn more about Chef’s compliance capabilities visit https://chef.io/compliance.
And for more information on Chef Effortless Infrastructure Suite visit https://www.chef.io/products/effortless-infrastructure/
Gartner, “3 Steps to Ensure Compliance and Audit Success With DevOps, Hassan Ennaciri, George Spafford, 11 October 2019”
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.