Reducing Audit Pain with Continuous Compliance

No one questions that audits are stressful, painful and time-consuming. But organizations — financial institutions especially — must conduct audits to ensure security and validate compliance with regulatory requirements. As security threats increase or regulations change, entities in turn must conduct more audits. But how can a company stay competitive when so much time and so many resources are spent running audit after audit?

What Makes Audits So Painful?

Preparing for and satisfying an audit is often a multi-month process involving several teams and possibly hundreds of people, all of whom have different goals, skills, tools and communication mechanisms. Compliance teams know regulatory policies and work with documents. Security teams understand vulnerabilities but aren’t typically working with code. And DevOps teams work with code but typically don’t go deep on the compliance requirements. These different languages create an environment ripe for misunderstandings, ambiguity, and mistakes.

Further exacerbating audit pain is the traditional approach to security evaluations. Typically, security and compliance checks are done at the end of the development process. These checks may be done by teams uninvolved in any of the previous steps, often using scanning tools notorious for delivering false positives. Addressing compliance failures this late in the lifecycle also causes extensive rework, especially if exceptions aren’t managed and tracked appropriately.

Traditional security approaches leave compliance checks as the last step before pushing to production.

The toughest pill to swallow about audits is that even though so much time and effort is spent auditing and mitigating risk, in reality there’s zero visibility between audits. Audits are singular snapshots and provide little insight into the compliance state over time. Organizations likely follow a pattern where compliance levels spike during the flurry of work around the audit, then fall off quickly after the audit is completed, only to spike again with the next audit. The limited visibility between audits amounts to considerable risk that should be unacceptable, particularly for financial institutions.

Compliance as Code

In order to stay competitive and compliant, organizations must continuously and automatically assess and correct compliance. Managing compliance as code is the best way to implement continuous, sustainable compliance practices.

Code enables continuous compliance.

  • Code is scalable, even across complexity sprawl
  • Code fosters collaboration, as code is an unambiguous common language
  • Code shifts compliance left, allowing testing throughout the entire software delivery process
  • Code allows continuous visibility, monitoring on an ongoing basis to eliminate windows of risk

The benefits of continuous compliance driven by code are twofold. First, compliance as code makes it easy to maintain real-time and historical compliance status to satisfy scheduled and ad hoc audit requests. Second, it allows organizations to fix issues before production, improving speed and lowering risk. We routinely see organizations reduce audit cycle times by over 90% after adopting compliance as code!

Chef’s Continuous Compliance Solutions

Chef enables continuous compliance with InSpec and Chef Automate.

InSpec is Chef’s open-source language for describing security & compliance rules that can be shared between software engineers, operations, and security engineers. Security, compliance and other policy requirements become automated tests that can be run against traditional servers, containers, and cloud APIs alike, ensuring consistent standards are enforced in every environment you manage, at every stage of development.

InSpec expresses security and compliance requirements as code to incorporate compliance continually in the delivery process.
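As an added illustration (not code from this post or from Chef’s own profiles), here is what such requirements look like as InSpec code: a hypothetical `ssh-baseline` profile with three controls covering the SSH daemon, its configuration and the config file’s permissions. The profile name, the `inspec exec` target and the policy tag are assumptions; the tag is a placeholder, not a real FFIEC reference.

```inspec
# controls/ssh_baseline.rb in a hypothetical profile named "ssh-baseline".
# Run the same controls against a server, a container or an image, e.g.:
#   inspec exec ssh-baseline -t ssh://audit@host.example --reporter cli json:ssh-baseline.json
# The JSON report is what a dashboard such as Chef Automate aggregates over time.

# Debian-family systems name the service "ssh"; most others use "sshd".
sshd_service = os.debian? ? 'ssh' : 'sshd'

control 'ssh-baseline-01' do
  impact 1.0
  title 'SSH daemon is installed, enabled and running'
  desc 'A stopped sshd would mask every other SSH finding, so check it first.'
  tag policy: 'PLACEHOLDER-ACCESS-01'   # map to your framework control id

  describe service(sshd_service) do
    it { should be_installed }
    it { should be_enabled }
    it { should be_running }
  end
end

control 'ssh-baseline-02' do
  impact 1.0
  title 'Root login and password authentication over SSH are disabled'
  desc 'Direct root login and password auth are the two sshd settings auditors ask about first.'
  tag policy: 'PLACEHOLDER-ACCESS-02'

  # sshd_config is a built-in InSpec resource that parses /etc/ssh/sshd_config;
  # cmp compares case-insensitively and tolerates string/number differences.
  describe sshd_config do
    its('PermitRootLogin') { should cmp 'no' }
    its('PasswordAuthentication') { should cmp 'no' }
    its('PermitEmptyPasswords') { should cmp 'no' }
  end
end

control 'ssh-baseline-03' do
  impact 0.7
  title 'sshd_config is owned by root and not world-writable'
  desc 'A writable config lets a low-privilege user undo the controls above.'
  tag policy: 'PLACEHOLDER-CONFIG-03'

  describe file('/etc/ssh/sshd_config') do
    it { should exist }
    its('owner') { should eq 'root' }
    it { should_not be_writable.by('others') }
  end
end
```

Because each control carries an `impact` and a policy tag, a failing result is already tied to the requirement it violates, which is the link between code and audit evidence that the three teams above otherwise have to reconstruct by hand.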

Chef Automate transforms InSpec audits into web-accessible compliance reports, providing an aggregated overview of environments’ compliance status and trend graphs for tracking historical data. When combined with a library of preloaded compliance profiles, in-GUI agentless scans of server and cloud endpoints, and a fully auditable scan history for each system you manage, Chef Automate ensures you maintain visibility into the compliance of your entire estate.

A view into the Chef Automate dashboard.

Watch the Demo!

Learn more about how Chef helps reduce audit pain with continuous compliance in our recent webinar below. In the webinar, we demo how InSpec and Chef Automate easily align to frameworks such as FFIEC standards, and how you can transform your organization’s approach to audits through the adoption of continuous compliance.

Next Steps

Dan Hauenstein

Dan was the Vice President of Product Marketing at Chef, helping companies understand Chef so they can achieve speed and outpace the competition. He spent 20 years in strategy, marketing, and enablement roles in the enterprise software space at companies including Hortonworks, IBM, Micromuse, and McKinsey & Co. Throughout his career he’s tried to make complicated subjects easy to understand, mainly by boiling them down to three bullet points.