
Chef InSpec users wrestle with compliance as code

Learning the ins and outs of the Chef InSpec product is only half the battle for compliance as code. The thornier task for some enterprises is to bridge the gap between compliance expertise and DevOps execution.

CHICAGO -- Chef InSpec offers a framework to automate enterprise compliance policies, but converting compliance controls into code can require tricky organizational alchemy.

Chef InSpec and Chef Automate are often used in tandem to detect and remediate systems that have drifted out of compliance with regulatory and security mandates -- a bundle sold as Chef Compliance. For organizations that use these tools successfully, security and compliance as code have made life easier.

"We started our infrastructure automation process with InSpec, which gave us best practices that dictated how we built our systems," said Jonathan Williams, former CTO of Niu Solutions, a U.K.-based managed services provider that serves regulated industries and was acquired by CSI Ltd. in February 2018. "It improved application deployments and reduced unplanned work, the number of handoffs in the build process and time to delivery of new features."

Enterprises in regulated industries typically are on an annual audit cycle, and the compliance of their systems with regulatory mandates tends to drift between those audits. But that's become unacceptable, as the pace of business increases, Williams said.

"At the speed of the world today, annual audits are basically useless -- like cramming for an exam and then immediately forgetting everything you've learned once it's over," he added. "Compliance as code gives you a continuous view of your infrastructure, makes the associated work with it more steady and lowers operational stress."

Chef InSpec profiles need auditors and IT on the same page

While successful Chef InSpec deployments can reach this state of nirvana, other organizations find the journey there more art than science, particularly when it comes to converting the expertise of internal auditors and compliance officers into coded profiles.

"IT ops will code something into an InSpec profile, and then it's not what people in the audit and security teams were looking for -- there's sometimes an extra layer that gets lost in translation," said Anthony Cheng, technical specialist at CME Group, a financial services company in Chicago. "There's always some back and forth -- at least three or four rounds."

Chef InSpec ships with some prebuilt profiles for certain regulatory standards, such as the Center for Internet Security (CIS) Level 1 benchmark. Cheng said he'd like to see more such templates for additional controls, such as the European Union's General Data Protection Regulation, which went into effect this week. Chef executives said the company plans more templates in future product releases.

But Niu's Williams and other Chef InSpec users said there's only so much Chef can do with preconfigured templates. The interpretation of rules will vary by organization, and Chef already maintains and updates thousands of compliance controls for InSpec, Williams said.

"One way to make yourself hated is to run all of the pre-canned controls available and show people all the work that has to be done to meet them all," he said. "Each organization has to focus on high-priority controls and figure out which audit tasks are taking the most time for the ops team."

At the Bill and Melinda Gates Foundation, a global philanthropic organization headquartered in Seattle, initial Chef InSpec scans based on the CIS Level 1 benchmark template returned overwhelming results, senior site reliability engineer Andrew Morris said in a ChefConf presentation here this week.

"Initially, we applied the CIS template, got the report back and went running back to our infosec team to say, 'OK, what are our actual controls?'" Morris said. "It turns out the CIS benchmark is really opinionated about things like password length, and we don't have quite those same requirements."
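The mismatch Morris describes is usually solved by parameterizing the control: the threshold comes from an organization-specific input rather than the benchmark's hard-coded value. The following is an added example, not code from the Gates Foundation, Chef or the CIS benchmark. It is written in plain Ruby rather than InSpec's DSL so it runs without the inspec CLI, but it is shaped like an InSpec control (id, impact, status, message) that reads its minimum from a profile input. The benchmark value of 14 is assumed to be the CIS Linux recommendation for `minlen` in `/etc/security/pwquality.conf`, and the sample config is constructed.

```ruby
# Added example: a parameterized password-length check in plain Ruby (not
# InSpec DSL). The threshold is supplied by the caller, the way an InSpec
# control would read a profile input, instead of being fixed by the benchmark.

# Assumed benchmark default: CIS Linux benchmarks recommend minlen = 14.
CIS_MINLEN = 14

# pam_pwquality's own default when minlen is absent from the config file.
PWQUALITY_DEFAULT_MINLEN = 8

# Parse pwquality.conf-style text ("key = value", '#' comments) into a hash.
def parse_pwquality(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.sub(/#.*/, "").strip
    next if line.empty?
    key, value = line.split("=", 2).map(&:strip)
    conf[key] = value if key && value && !value.empty?
  end
end

# One "control": returns a result hash shaped like an InSpec control result.
# required_minlen plays the role of a profile input and falls back to the
# benchmark value when the organization has not set its own.
def check_minlen(conf_text, required_minlen: CIS_MINLEN)
  conf = parse_pwquality(conf_text)
  actual = (conf["minlen"] || PWQUALITY_DEFAULT_MINLEN).to_i
  passed = actual >= required_minlen
  {
    id: "org-passwd-minlen",
    impact: 0.7,
    status: passed ? "passed" : "failed",
    message: passed ? "minlen #{actual} >= #{required_minlen}" :
                      "minlen #{actual} < required #{required_minlen}",
  }
end

# Constructed sample config: a host built to the organization's own standard
# (12), which fails the raw CIS value but passes once the org input is used.
SAMPLE_PWQUALITY = <<~CONF
  # Password quality settings (constructed sample)
  minlen = 12   # organization standard
  dcredit = -1
CONF

if __FILE__ == $PROGRAM_NAME
  p check_minlen(SAMPLE_PWQUALITY)                       # benchmark default: failed
  p check_minlen(SAMPLE_PWQUALITY, required_minlen: 12)  # org input: passed
end
```

The point is where the number lives: the control stays reusable across teams, and the audit conversation is about the value of one input, not about rewriting the profile.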

Still, there's got to be a happy medium, CME's Cheng said.

"There are so many different permutations of these laws, and it would help to have Chef do some more of the heavy lifting for us -- maybe 80% of the common denominators between different regulatory frameworks, while organizations do the last 20%," he added. "There should be some recommendations built in so that each and every customer doesn't have to hire an audit firm."

[Figure: Chef Compliance dashboard] Chef Compliance pairs InSpec scans with Chef Automate dashboards.

Chef InSpec users share war stories


Once IT shops get past the organizational agita and create Chef InSpec profiles, there are technical considerations as they deploy InSpec scans.

Chef Automate -- Chef's umbrella IT automation software, which includes InSpec integration -- uses its own data store built on Elasticsearch, the open source search and analytics engine. Large organizations must set an appropriate data retention period so the Elasticsearch indices don't grow unbounded, the Gates Foundation's Morris said. Enterprises that need to retain scan data indefinitely might have to deploy an external Elasticsearch cluster for InSpec results.

Enterprises can also feel challenged as to how Chef InSpec fits into the broader DevOps toolchain at this stage. A common refrain among users of all Chef's latest products, which include Chef Automate, Chef InSpec and application automation software Chef Habitat, is the need for better integration between the vendor's offerings and with third-party software.

"Chef InSpec gives you a method to automate compliance and security scans, interpret the results and know there's a failure. But how do you communicate that with the rest of your organization?" said Gary Bright, senior infrastructure developer with Niu, who has joined CSI Ltd. since the acquisition. "That requires interaction with the rest of the tools in the ecosystem."

Discover Financial Services and Carfax Inc., both Chef InSpec users, built their own custom integrations between InSpec and ServiceNow's ticketing system to achieve that companywide communication of scan results. Chef and ServiceNow are working on a formal integration between the tools -- a project that launched in preview this week -- but that's only one in a long list of third-party partners to which Chef needs to connect, Bright said.
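The integrations Bright, Discover and Carfax describe all start from the same raw material: InSpec's JSON reporter output (`inspec exec <profile> --reporter json`). The following is an added example of the triage step in between, not Chef's, ServiceNow's or any of those companies' code. It takes a constructed sample report in the real reporter shape (profiles, controls, impact, results with status/code_desc/message), keeps only failed controls at or above a chosen impact, and turns them into generic ticket payloads ordered by severity. The ticket field names are a hypothetical generic shape, not ServiceNow's API, and the severity bands follow InSpec's documented impact-to-severity mapping.

```ruby
require "json"

# Added example: post-process an InSpec JSON report into ticket payloads.
# Hypothetical ticket shape; the report shape is InSpec's json reporter.

# A control fails if any of its results failed (InSpec records one result
# per describe/it block under the control). Returns a flat list of failures.
def failed_controls(report)
  report.fetch("profiles", []).flat_map do |profile|
    profile.fetch("controls", []).map do |ctl|
      failures = ctl.fetch("results", []).select { |r| r["status"] == "failed" }
      next if failures.empty?
      {
        profile: profile["name"],
        id: ctl["id"],
        title: ctl["title"],
        impact: ctl["impact"].to_f,
        # InSpec leaves message empty for some matchers; fall back to code_desc.
        failures: failures.map { |r| r["message"].to_s.strip.empty? ? r["code_desc"] : r["message"] },
      }
    end.compact
  end
end

# InSpec's documented impact bands: critical >= 0.9, high >= 0.7,
# medium >= 0.4, low >= 0.01, otherwise none.
def severity(impact)
  return "critical" if impact >= 0.9
  return "high"     if impact >= 0.7
  return "medium"   if impact >= 0.4
  return "low"      if impact >= 0.01
  "none"
end

# Build tickets only for controls at or above min_impact, highest first,
# so the receiving team sees the high-priority controls, not every
# pre-canned check the profile happens to contain.
def build_tickets(report, min_impact: 0.7)
  failed_controls(report)
    .select { |c| c[:impact] >= min_impact }
    .sort_by { |c| -c[:impact] }
    .map do |c|
      {
        "short_description" => "[#{severity(c[:impact])}] #{c[:profile]}/#{c[:id]}: #{c[:title]}",
        "priority" => severity(c[:impact]),
        "description" => c[:failures].join("\n"),
      }
    end
end

# Constructed sample report in the shape of `inspec exec --reporter json`.
SAMPLE_REPORT = JSON.parse(<<~'JSON')
  {
    "version": "2.1.0",
    "profiles": [
      {
        "name": "linux-baseline",
        "controls": [
          { "id": "sshd-01", "title": "Disable SSH root login", "impact": 1.0,
            "results": [
              { "status": "failed",
                "code_desc": "SSHD Configuration PermitRootLogin is expected to eq \"no\"",
                "message": "expected: \"no\"\n     got: \"yes\"" } ] },
          { "id": "pw-01", "title": "Minimum password length", "impact": 0.5,
            "results": [
              { "status": "failed",
                "code_desc": "File /etc/security/pwquality.conf content is expected to match /minlen = 14/",
                "message": "" } ] },
          { "id": "fs-01", "title": "Separate /tmp partition", "impact": 0.3,
            "results": [
              { "status": "passed", "code_desc": "Mount /tmp is expected to be mounted" } ] }
        ]
      }
    ],
    "statistics": { "duration": 0.42 }
  }
JSON

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(build_tickets(SAMPLE_REPORT))                 # one critical ticket
  puts JSON.pretty_generate(build_tickets(SAMPLE_REPORT, min_impact: 0.4)) # plus the medium one
end
```

Whatever the target system (ServiceNow, Jira, a chat channel), the threshold and ordering are what stop a compliance scan from becoming the firehose Williams warns about above: the ticketing integration receives a handful of ranked failures, not the whole benchmark.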

Further along on the roadmap, data analytics systems should integrate with Chef InSpec to help interpret scan results, Williams said.
