Chef Infrastructure Management
Chef Infrastructure Management ensures configurations are applied consistently in every environment with infrastructure management automation.
Make audits painless with a continuous compliance approach that provides up-to-date status across your entire estate (on-premises or in the cloud).
Most organizations are subject to the rules of an ever-increasing number of regulatory regimes, while dealing with rapidly escalating endpoints and environments to test. No matter how much time and resources are applied to an audit cycle, manual processes can’t keep up with cloud scale and growing complexity, and represent unacceptable risk. Nevertheless, industry data, such as Verizon’s 2018 Payment Security Report, show that many companies subject to compliance regimes like PCI-DSS are still relying upon manual approaches.
For example, PCI Key Requirement 11, which scores companies on whether they are testing their security controls, is the most-failed requirement, with nearly a third of companies noncompliant with this rule. Lack of ongoing compliance validation is a major contributing factor to the relatively low level of PCI compliance worldwide, with only 52.5% of organizations achieving full compliance at interim PCI DSS validation in 2017.
Existing compliance processes involving manual inspection of environments during the audit cycle are not only slow, they divert valuable engineering resources. The lack of automation results in a constant stream of one-off requests that take precedence over product development. These disruptive escalations, and the resulting context switching, are both inefficient and difficult to manage.
More troublesome than the chaos associated with manual compliance activities is the negative impact on engineering throughput. While one-off or manual approaches ultimately deliver auditors what they need, the quickly developed tools and scripts are often discarded and not reusable. Your developers and engineers devote critical time to output that is neither product oriented nor revenue generating.
Automated audits of production environments are a good step towards improved compliance. But when you “shift compliance left” and ingrain compliance assurance within the development process as automated tests, you not only reduce risk but also accelerate the entire software delivery process. Instead of relying solely on scanning approaches just prior to deploying to production, Chef Compliance can help detect and correct compliance issues during development. This approach helps eliminate costly late-stage changes that could jeopardize delivery timelines, and helps prove to auditors the organization’s ability to enforce compliance policies by design.
When scanning is delayed until just before changes are pushed into production, the reams of data that need to be sifted through manually simply add to the inefficiencies, confusion and rework. Gathering data earlier in the process through testing, and in a continuous manner once in production, ensures you can answer auditors’ questions promptly, and instills confidence that the systems are secure and compliant throughout your product development lifecycle.
With InSpec, you have a real-time view of how you’re performing. When you come to that audit exam you already know if you’re passing or not. In fact, the event of the audit is a simple step of printing the output.