What is Compliance as Code? The New Frontier in Compliance Automation

There is no doubt that DevSecOps practices accelerate the pace of digital transformation, but those same practices also introduce new challenges to maintaining compliance. Traditional DevOps compliance approaches risk slowing software delivery, exacerbating audit pain, and leaving organizations with an incomplete view of compliance posture.  

Fortunately, code serves as a common source of truth and a shared language across teams, and it can be used to codify infrastructure configuration, security and compliance alike. Automating compliance by expressing policies as code is vital for organizations that want to achieve continuous compliance.

What is Compliance-as-Code? 

Compliance as code is the codification of your compliance controls so that checking, enforcing and remediating them can be automated.

It includes the tools and practices that enable you to incorporate the three key compliance activities: prevent, detect, and remediate. 

  1. Avoid non-compliance by automatically verifying that planned changes are compliant.
  2. Detect non-compliance through automated estate scanning and notify stakeholders when offending infrastructure is discovered.
  3. Correct non-compliance by applying infrastructure changes immediately, so that compliance is enforced at scale.

Compliance-as-code tools typically function by allowing compliance stakeholders to specify how IT resources must be configured to meet compliance controls. Then, the tools automatically scan or monitor the live IT environment and plan changes for non-compliant infrastructure. Furthermore, compliance-as-code tools frequently include functionality that enables them to automatically modify resources based on pre-defined rules to bring them to compliance. 
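The prevent, detect and remediate loop described above, reduced to a small, self-contained policy engine in plain Ruby. This is an added example and not Chef or InSpec code; the control identifiers (`ssh-01`, `ssh-02`, `storage-01`), the resource shapes and the sample estate are all constructed for illustration. Each control states how a resource must be configured, a predicate checks it, and a fix returns the remediated configuration.

```ruby
# Added example of a compliance-as-code loop in plain Ruby (not Chef/InSpec code).
# Resources are represented as hashes; controls are rules over those hashes.

# A control: an id, a human-readable title, a selector for the resource types it
# covers, a check that returns true when the resource is compliant, and a fix
# that returns a remediated copy of the resource.
Control = Struct.new(:id, :title, :applies_to, :check, :fix)

# Hypothetical controls, loosely modelled on common SSH and storage hardening items.
CONTROLS = [
  Control.new(
    'ssh-01', 'SSH root login must be disabled',
    ->(r) { r[:type] == 'ssh_config' },
    ->(r) { r[:permit_root_login] == 'no' },
    ->(r) { r.merge(permit_root_login: 'no') }
  ),
  Control.new(
    'ssh-02', 'SSH password authentication must be disabled',
    ->(r) { r[:type] == 'ssh_config' },
    ->(r) { r[:password_authentication] == 'no' },
    ->(r) { r.merge(password_authentication: 'no') }
  ),
  Control.new(
    'storage-01', 'Object storage buckets must not be publicly readable',
    ->(r) { r[:type] == 'bucket' },
    ->(r) { !%w[public-read public-read-write].include?(r[:acl]) },
    ->(r) { r.merge(acl: 'private') }
  )
].freeze

# Detect: scan a set of resources and return one violation record per
# (resource, control) pair that fails.
def detect(resources, controls = CONTROLS)
  resources.flat_map do |res|
    controls
      .select { |c| c.applies_to.call(res) && !c.check.call(res) }
      .map { |c| { resource: res[:name], control: c.id, title: c.title } }
  end
end

# Prevent: evaluate a planned change before it is applied.
# Returns [allowed?, violations] so a pipeline can block the change.
def prevent(planned_resource, controls = CONTROLS)
  violations = detect([planned_resource], controls)
  [violations.empty?, violations]
end

# Remediate: apply the fix of every violated control and return the corrected
# resources. Fixes are applied in order, so later controls see earlier fixes.
def remediate(resources, controls = CONTROLS)
  resources.map do |res|
    controls
      .select { |c| c.applies_to.call(res) }
      .reduce(res) { |cur, c| c.check.call(cur) ? cur : c.fix.call(cur) }
  end
end

# Constructed sample estate (hypothetical hosts and buckets, not real infrastructure).
ESTATE = [
  { name: 'web-01',  type: 'ssh_config', permit_root_login: 'yes', password_authentication: 'no' },
  { name: 'db-01',   type: 'ssh_config', permit_root_login: 'no',  password_authentication: 'yes' },
  { name: 'logs',    type: 'bucket',     acl: 'public-read' },
  { name: 'backups', type: 'bucket',     acl: 'private' }
].freeze

if __FILE__ == $PROGRAM_NAME
  # Prevent: a planned public bucket is rejected before it is created.
  allowed, why = prevent(name: 'uploads', type: 'bucket', acl: 'public-read-write')
  puts "planned change allowed? #{allowed} #{why.map { |v| v[:control] }}"

  # Detect: scan the live estate and report every offending resource.
  detect(ESTATE).each { |v| puts "VIOLATION #{v[:resource]} #{v[:control]}: #{v[:title]}" }

  # Remediate: apply fixes and confirm a rescan is clean.
  fixed = remediate(ESTATE)
  puts "violations after remediation: #{detect(fixed).size}"
end
```

In a real pipeline, `prevent` would run against the planned state (for example the output of a plan step) before anything is applied, `detect` would run on a schedule against the live inventory and feed its violation records to whoever needs notifying, and `remediate` would only be wired to controls whose fixes are safe to apply without human review.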

Benefits of Compliance as Code Approach 

A DevOps compliance-as-code approach removes manual, time-consuming steps, minimizes the potential for human error, and improves consistency, traceability, auditability and scalability. That consistency and automation reduce variability between audits, produce useful and repeatable reports, and eliminate delays while keeping the estate continuously compliant.

Rather than being perceived as slow and ineffective, InfoSec teams can enable high-velocity continuous compliance by providing pre-approved, easy-to-consume automated processes for development and operations, so that security is built into every stage of the software development cycle.

Use Cases of Compliance as Code 

As the size of your fleet grows, so does the possibility of non-compliance. The use-cases that will have the greatest impact on the compliance of your fleet are determined by three factors:


The following are the use cases to consider when managing compliance as code:


Learn More About Compliance as Code 

To understand the role compliance as code plays in DevOps practices, and how organizations can keep their infrastructure in continuous compliance, watch the Roundtable: Compliance as Code webinar.

Other Compliance as Code Resources: 


Whitepaper: Buyer’s Guide for Continuous Compliance Solutions in DevOps

Alan Baptista

Alan is a Product Marketing Director at Chef, working remotely from Southern California. His career of over 20 years has been in product marketing, sales operations and international business roles for enterprise software, telecommunications and government space at organizations such as CA Technologies, Experian, InterVoice and US Commerce Department. When not helping customers tell their success stories he enjoys traveling and exploring Sous-Vide cooking and BGE Grilling.