DevOps shops size up security and compliance as code

Source – techtarget.com

IT pros in DevOps shops want compliance and security to be the next things they automate, but people with the right skills are tough to find.

AUSTIN — As enterprise IT pros gain experience with DevOps and infrastructure as code, they also begin to assess whether code can help with IT security and compliance problems.

Products such as Chef Compliance and InSpec are on the minds of DevOps pros at ChefConf here this week. InSpec is an open source testing framework that performs automated compliance checks, and Chef Compliance is used to manage InSpec among groups of servers.

InSpec is easier to bring on board than other emerging pieces of the Chef platform, Habitat and Automate, because of a gap in the market for security and compliance scanning tools, said Michael Glenney, solutions architect for New Context, a San Francisco based consulting firm.

Glenney called InSpec “an easy sell” to his clients because it offers a common language for security, developers and ops to use to implement compliance controls, while other tools can be “a clump of XML,” he said.

Singing the same old DevOps skills blues

The challenges for security and compliance as a code are similar to those that DevOps teams face overall — with the need for IT skills transformation topping the list.

For example, translating human-readable regulatory documents into machine-executable code is still largely human-driven. InSpec has a plugin for the Security Content Automation Protocol (SCAP), which converts human-readable documents into code. But there are some things SCAP can’t capture, such as non-technical controls for best practices, said John Ray, senior consultant for Shadow-Soft, a systems integrator in Atlanta, in a presentation.

SCAP doesn’t correctly map every compliance control parameter to Chef Compliance reports. Ray provided an example in which impact mapping scores didn’t correspond to Chef Compliance severity codes.

Users also are required to ingest and evaluate controls and work with business stakeholders to determine their effect in a particular company’s environment. Then they must create a specification and finally write the InSpec code that will execute compliance checks, Ray said.

Finding IT pros with the right skills to perform such tasks is a challenge — even for large enterprises.

Verisk, a large data analytics firm in Jersey City, N.J. that uses AWS OpsWorks for Chef Automate, has its eye on InSpec, and is entitled to use InSpec and Compliance Server with its OpsWorks license. InSpec would help integrate compliance rules and regulations with diverse data sets the company uses, said Verisk CTO Eric Schneider.

But Verisk also has yet to dig into the technical details of how it will deploy InSpec.

“We wish we could wave a magic wand and people who knew how to use these tools already would just appear,” said Verisk cloud architect Michael Ryan.

Wanted: documentation and training

InSpec could also be valuable for Ray Crawford, DevOps manager for Trek Bikes, a bicycle and cycling product manufacturer and distributor in Madison, Wis. Crawford’s goal is to implement security and compliance as code in the development environment, establishing sound security and compliance practices ahead of the app-delivery pipeline.

“I’m the ops guy; I’m the one who’s either hacking it to make it work and get it over the finish line [into production], or I’m the one telling them ‘no’ on behalf of Infosec,” Crawford said. “So it’s me that gets a black eye — not Infosec.”

With a tool such as InSpec, IT security pros, not DevOps teams, could write and maintain the infrastructure’s security posture and compliance.

But Trek’s staff doesn’t have the capacity to absorb the product as it also tries to learn infrastructure automation, Crawford said. It likely will be a few months before Crawford’s team can begin to work with InSpec, he estimated.

Crawford echoed Verisk’s Ryan that it’s tough to find people with the right skills for security and compliance as code. Crawford has considered an intern program to solve this problem.

“I prefer a dozen interns who are smart, capable and eager to learn over a super-expensive IT ninja who came from a place that paid him $200 an hour, is here because we pay him $210 an hour and is going to leave as soon as he finds someone else to pay him $225 [an hour],” Crawford said.

To that end, the community needs more up-to-date documentation and tutorials on how to solve specific tough problems, such as how to trigger a Chef run immediately after a server restarts or create a Jenkins pipeline using cookbooks, Crawford said.

Chef tinkers with platform integration, expansion

Chef Compliance is still used to trigger InSpec scans. With a new release this week, its dashboard view into the security and compliance of the IT infrastructure is integrated into the newer Chef Automate product — part of an overall integration of the software under the Automate umbrella that began a year ago. Eventually, Automate will also have Chef Compliance remote scans baked into it.

Chef also rolled out incubation projects to bring InSpec scans beyond the server configuration and operating system to AWS, Azure and vSphere APIs. Some Chef partners use these products in AWS already, but they’re not yet generally available, Chef execs said.

Trek’s Crawford said he’ll consider Chef Automate, but the number of recent changes to the framework deepens the documentation gaps he’s seen already.

“It’s true of any rapidly changing software framework — docs and blog posts aren’t current, and you have anxiety and stress as you try to cobble together the pieces,” Crawford said. “It’s not a platform with well-established patterns like C# or Java.”