Compliance at Velocity with Chef
TRANSCRIPT
The promise of the coded business
Transformation to high-velocity
Regulatory compliance frameworks
• OFAC
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Red Flags Rule
• Bank Secrecy Act
• Sarbanes-Oxley
• Regulation E
• Dodd-Frank
• False Claims Act
• HIPAA
• European Central Bank regulations
• Prudential Regulation Authority
• Financial Conduct Authority
• HITECH
• PCI DSS
The conflict between compliance and velocity
The compliance challenge
The velocity challenge
The compliance cycle
Reconciling compliance and velocity
The automation cycle
Analyze
• Be clear about what the desired system outcome actually is
• Take regulatory requirements and enterprise policies into account
• Choosing the desired state and expressing it at an appropriate level of detail can be a harder problem than writing the automation code itself!
Specify
• Closing the gap between specifying and implementing regulations requires an unambiguous expression of the requirement in human- and machine-readable form.
• A domain-specific formal language (DSL) can achieve this level of clarity and precision.
• Chef recipes, tests and compliance rules are ideal for the task.
Example
# Desired state, expressed in the Chef recipe DSL: the package is installed,
# and the service is started now and enabled at boot.
package 'apache2'

service 'apache2' do
  action [:start, :enable]
end
Test
• Automated tests give confidence that the requirement has actually been met
• Writing the tests first gives developers and system administrators a clear set of standards that must be met for compliant systems.
• Automated tests scale better than manual tests.
Example
Certify
• A separate certification step is not always required
• In some cases, regulatory requirements or organizational processes do require a final human sign-off
• The better your tests, the shorter the certification step can be
• Be sure not to confuse certification and testing
The changing role of the compliance officer
A single accelerated cycle
Chef Analytics for Compliance
"Built-in controls support quality and empowerment initiatives, avoiding unnecessary costs and enabling quick response to changing conditions."
- Davis & Schiller, "IT Auditing: Using Controls to Protect Information Assets", 2nd Ed.
To Operate at Velocity, Teams Need:
• A policy application & execution engine: Chef client/server
• A system to deliver changes at speed, safely, reliably, predictably: Chef Delivery
• A system to visualize all changes happening in real-time, whether automatic or manual: Chef Analytics: Insights
• A system to enforce node state and report on violations for compliance reasons: Chef Analytics: Compliance
Chef Insights
• Provides visibility into changes happening across your entire infrastructure
Chef Analytics for Compliance
• Make changes at speed while ensuring infrastructure is compliant with formal or informal policy
Integrations and Notifications
• Send data to external systems like Splunk
• Send arbitrary events to messaging or alerting systems
Chef Compliance
How it Works
# An audit-mode control: the requirement for the Windows Firewall service,
# written as an executable expectation rather than a prose policy.
control_group 'services' do
  control 'Windows Firewall' do
    let(:firewall) { service('MpsSvc') }
    it 'should be enabled and running' do
      expect(firewall).to be_enabled
      expect(firewall).to be_running
      expect(firewall).to have_start_mode('Automatic')
    end
  end
end
(diagram: recipe → cookbook → server)
How it Works
PS C:\> chef-client --audit-mode enabled
...
Starting audit phase
Audit phase exception:
Audit phase found failures – 0/1 audits failed
...
Running handlers:
Running handlers complete
Chef Client failed. 2 resources updated in 7.640621371 seconds
0 Audits succeeded
How it Works
Failures:
1) services Windows Firewall should be enabled and running Failure/Error: expect(firewall).to have_start_mode('Automatic') expected ...
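To make the audit flow above concrete without a Chef server, here is an added example (not Chef's own code): a tiny stand-in for the audit-mode DSL that runs the slide's control offline against a constructed node state and collects failures in the same "control group / control / it / Failure/Error" shape shown in the output. The stand-in evaluator, the three matchers and the `SAMPLE_NODE` hash are all constructed for this example; real audit mode evaluates Serverspec matchers on the live host.

```ruby
# Added example, not Chef's own code: a tiny stand-in for the audit-mode DSL
# (control_group/control/let/it/expect) so the slide's control runs offline against
# a constructed node state. Real audit mode uses Serverspec matchers on the live host.
AuditFailure = Class.new(StandardError)
Matcher = Struct.new(:desc, :check)
Service = Struct.new(:name, :state) # state: { enabled:, running:, start_mode: }
class Expectation
  def initialize(obj); @obj = obj; end
  def to(matcher)
    return if matcher.check.call(@obj)
    raise AuditFailure, "expected #{@obj.name} to #{matcher.desc}, got #{@obj.state}"
  end
end
class Audit
  attr_reader :failures, :passed
  def initialize(node); @node, @failures, @passed = node, [], 0; end
  def control_group(name, &blk); @group = name; instance_eval(&blk); end
  def control(name, &blk); @control = name; instance_eval(&blk); end
  def let(name, &blk); define_singleton_method(name, &blk); end
  def service(name); Service.new(name, @node.fetch(name, {})); end
  def expect(obj); Expectation.new(obj); end
  def be_enabled; Matcher.new('be enabled', ->(s) { s.state[:enabled] }); end
  def be_running; Matcher.new('be running', ->(s) { s.state[:running] }); end
  def have_start_mode(m); Matcher.new("have start mode '#{m}'", ->(s) { s.state[:start_mode] == m }); end
  # One `it` is one audit; a failure is recorded, not raised, so later audits still run.
  def it(desc, &blk)
    blk.call
    @passed += 1
  rescue AuditFailure => e
    @failures << "#{@group} #{@control} #{desc} Failure/Error: #{e.message}"
  end
end
# The slide's control, unchanged, evaluated against whatever node state is passed in.
def run_audit(node)
  audit = Audit.new(node)
  audit.control_group 'services' do
    control 'Windows Firewall' do
      let(:firewall) { service('MpsSvc') }
      it 'should be enabled and running' do
        expect(firewall).to be_enabled
        expect(firewall).to be_running
        expect(firewall).to have_start_mode('Automatic')
      end
    end
  end
  audit
end
# Constructed node state: the firewall runs, but its start mode has drifted to Manual.
SAMPLE_NODE = { 'MpsSvc' => { enabled: true, running: true, start_mode: 'Manual' } }.freeze
a = run_audit(SAMPLE_NODE)
puts "#{a.failures.size}/#{a.failures.size + a.passed} audits failed", *a.failures
```

Because all three expectations live in one `it`, the first failing matcher is the one reported and the remaining matchers in that audit are not evaluated, which is why the slide counts one failed audit rather than three.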
Node State Overview
Audit Mode Demo
Questions?