Everyday Compliance with InSpec

As National Cyber Security Awareness Month comes to a close, it’s a great opportunity for all of us to make security and compliance part of our daily routine. I know, I know…no one thinks about “compliance” and gets excited. However, taking advantage of tools like InSpec can help us conquer everyday compliance with ease.

Understanding The Terminology

One of my favorite features of InSpec is its language; it’s human-readable so non-technical individuals can participate in the creation of profiles, but it’s also executable and powerful enough to allow for robust compliance automation. Let’s define some commonly-used compliance terms and how they relate to InSpec.

  • control: a business practice, policy, or procedure used to minimize risk. InSpec provides a language to codify your controls in a way that technical and non-technical people can understand.
  • test: A set of checks and validations whose outcome is used to determine the status of a control. InSpec executes the tests for each control to determine if the control is being satisfied correctly.
  • profile: A group of controls and tests. When InSpec scans a host for its compliance status, it executes a profile.
  • audit: An examination, usually be a third party, that determines the current compliance status against a given set of controls. The reports generated by InSpec and Chef Automate can be entered as evidence for an audit.

By codifying controls and tests inside of an InSpec profile, the steps necessary to “be compliant” can be mutually understood by both the auditors and the auditees.

Compliance Isn’t Just About Regulatory Requirements

Perhaps your organization has a rule about password age and length. Ensuring that all user accounts adhere to that rule is compliance! InSpec is a great way to document these rules and also ensure that they are followed. Because InSpec can execute multiple profiles, it’s easy to place your company’s rules in one profile and controls for a particular regulatory requirement in another profile.

All too often people think of “compliance” as something that must be adhered to because of a government regulation. Your organization’s rules are just as important to codify and assess regularly.

Don’t Wait for the Audit

Once a profile has been created, it’s time to put it to use. Using InSpec to scan a production fleet during audit time is a logical choice and will certainly help reduce the amount of time spent on audit tasks. However, InSpec is easy to integrate into pre-production environments, as well.

Profiles can be stored in a variety of locations, including Chef Automate’s built-in profile store, making it easy to share profiles with others. Using a tool like Test Kitchen with the kitchen-inspec plugin, developers can test their applications and systems against the very same profiles used to scan production before the code even leaves their workstation.

Test Kitchen and InSpec also operate wonderfully in a delivery pipeline. Embracing a mindset of “nothing ships to production unless it passes compliance” will help ensure that once your compliance tests are green in production, they stay green.

Your Auditor is Your Partner

Raise your hand if you look forward to when your auditor visits. Hmmm, no hands raised… just as I thought.

It’s time for us to appreciate the auditor. Besides helping with all the necessary paperwork and processes to officially complete an audit, they provide something even more valuable: the experience of routinely performing these audits and deciphering the requirements. Many government compliance documents are opaque, making it difficult to understand how to properly satisfy the requirements. Enlist your auditor’s assistance and gain a shared understanding of each control. Once you have that, it becomes considerably easier to automate the audit.

Everyone is Responsible for Compliance and Security

Guess what? Even if you’re not the company’s Chief Compliance Officer or a member of your organization’s security department, security and compliance are YOUR responsibility. In fact, it’s everyone’s responsibility! Application developers have an obligation to build applications that protect sensitive information and don’t erode an organization’s compliance posture. Team members ranging from systems engineers to data center operators have to participate in periodic audits. In between audits, they follow and refine procedures to make the next audit a bit easier.

And if you’re in sales or marketing, you’re not off the hook either! As a representative of your company and your organization, you are another critical set of eyes on the lookout for situations that aren’t quite right which may be indicative of a more serious issue brewing.

We all have our part.

Let’s Get Started

Audits can be scary. Compliance can be annoying. However, they serve a critical purpose to keeping your company, your data, and your customers safe. InSpec and Chef Automate can help lighten the audit load and allow you to embrace a culture of “compliance first” without reducing the flexibility needed to delight your customers.

There are a number of ready-to-run profiles available on the Chef Supermarket that you can try right now. Download and install the ChefDK, and then run inspec supermarket exec dev-sec/linux-baseline --target ssh://[email protected] -i /path/to/ssh/key --sudo and experience how easy it is to use InSpec.

For a guided hands-on experience with InSpec, try the Compliance Automation track on Learn Chef Rally. You’ll learn the basics of InSpec, how to use community compliance profiles, and more.

Adam Leff

Former Chef Employee