On-demand audits and remediate compliance issues in minutes
By taking a continuous compliance approach based on automated assessments against compliance and security rules expressed as code, Chef Compliance makes it possible to have audit results available at any time. Detect noncompliance, identify and prioritize issues, then quickly apply remediation across your entire fleet, saving time, redeploying engineering resources, and reducing risks associated with traditionally manual compliance inspections.
Now DevSecOps teams can enter an audit cycle knowing their exact compliance posture, rather than being surprised by auditors’ findings. What’s more, Chef Compliance helps demonstrate how your compliance posture has evolved and improved over time, giving auditors the confidence they need to make an accurate assessment.
Manual audits are imperfect and risky
Most organizations are subject to the rules of an ever-increasing number of regulatory regimes, while dealing with rapidly escalating endpoints and environments to test. No matter how much time and resources are applied to an audit cycle, manual processes can’t keep up with cloud scale and growing complexity, and represent unacceptable risk. Nevertheless, industry data, such as Verizon’s 2018 Payment Security Report, show that many companies subject to compliance regimes like PCI-DSS are still relying upon manual approaches.
For example, PCI Key Requirement 11, which scores companies on whether they are testing their security controls, is the most-failed requirement, with nearly a third of companies noncompliant with this rule. Lack of ongoing compliance validation is a major contributing factor to the relatively low level of PCI compliance worldwide, with only 52.5% of organizations achieved full compliance at interim PCI DSS validation in 2017.
Manual audits destroy organizational efficiency
Existing compliance processes involving manual inspection of environments during audit cycle are not only slow, they divert valuable engineering resources. The lack of automation results in a constant stream of one-off requests that take precedence over product development. These disruptive escalations, and the resulting context switching, are both inefficient and difficult to manage.
More troublesome than the chaos associated with manual compliance activities is the negative impact on engineering throughput. While one-off or manual approaches ultimately deliver auditors what they need, the quickly developed tools and scripts are often discarded and not reusable. Your developers and engineers devote critical time to output that is neither product oriented nor revenue generating.
Compliance Automation Reduces Risk While Helping Move Fast
Automated audits of production environments are a good step towards improved compliance. But when you “shift compliance left” and ingrain compliance assurance within the development process as automated tests, you not only are reducing risk, but accelerating the entire software delivery process. Instead of relying solely on scanning approaches just prior to deploying to production, Chef Compliance can help detect and correct compliance issues during development. This approach helps eliminate costly late-stage changes that could jeopardize delivery timelines, and helps prove to auditors the organization’s ability to enforce compliance policies by design.
The reams of data that need to be sifted through manually when delaying scanning until just before pushing changes into production simply adds to the inefficiencies, confusion and rework. Gathering data earlier in the process through testing — and in a continuous manner once in production —ensures you can answer auditors’ questions promptly, and instills confidence that the systems are secure and compliant throughout your product development lifecycle.