CompOps: Continuous Delivery Needs Continuous Compliance

This is the second blog in the Field Notes from a DevOps Cultural Anthropologist series. This blog deals with the DevOps culture of CompOps, a portmanteau for compliance-driven DevOps. I will discuss what it is, why it matters and how it can benefit your organization. I have been in the continuous delivery and DevOps industry for nine years and have made a number of observations during that time. I have seen strategies succeed – and fail. My goal is to try to help you be one of the successes! I’d love to hear your comments and experiences with continuous delivery and DevOps.

The Iron Mountain thought leadership blog says, “Simply put, compliance means playing by the rules. How can you be compliant yet play to win? The answer: Establish and maintain a company culture that embraces compliance and builds compliance management into the everyday workflow”[1]. Jenkins should be leveraged in this compliance workflow. Its role as the market-leading CI/CD server squarely positions it to orchestrate compliance efforts and enable a culture of CompOps.

CAMS - the acronym describing the core values of the DevOps movement - is applicable to CompOps, because it is a subset of DevOps. Culture, automation, monitoring and sharing are all important ideals to consider for a compliance driven organization. Tools, such as Chef Compliance, provide automation and monitoring via a compliance specific DSL, reporting and auditing. Culture and sharing are people issues, and require leadership to incentivize employees to focus on cross-functional teamwork, communication and mission focused compliance.

According to Barry Crist, CEO of Chef, in 2016 “Peace will break out between developers and security / compliance officers”[2]. What will drive this is compliance defined as code. Chef Compliance is a product that “scans for risks and compliance issues with easy-to-understand, customizable reports and visualization, automates remediation, and implements continuous auditing of applications and infrastructure”[3]. Crist continues, “If you can define compliance as code, you can then use that code to create a test that can simply be moved into the software release process and managed like any other automated test.” This is a game changer. Compliance personnel can now manage their compliance projects as software, which is analogous to the DevOps principle of infrastructure as code. Coupling Jenkins and Chef Compliance is a home run. Having Jenkins automatically scan infrastructure for compliance as part of a CD pipeline is very powerful and very useful to compliance-focused organizations.

Chef Compliance created a new language for modeling infrastructure specifications called InSpec. It is an “open-source testing framework for infrastructure with a human and machine readable language for specifying compliance, security and policy requirements”[4]. As is described in the excellent book Test Driven Infrastructure with Chef[5], modeling a compliance project with InSpec enables repeatability, automation, agility, scalability, reassurance and disaster recovery. CompOps and compliance as code break down the silos between dev, ops and compliance/security. They create a dialog between the parties, and enable teamwork, communication and sharing.
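To make “compliance as code” concrete, here is an added example that is not from the post and is not an InSpec profile: a small plain-Ruby check, written in the spirit of an InSpec control, that parses a constructed sshd_config (sample text embedded below, not taken from any real host) and evaluates a policy of named controls. The policy table, control IDs and descriptions are assumptions made for the illustration. The point it shows is that a compliance requirement, once expressed as a test with a pass/fail result, can be run by Jenkins like any other automated test.

```ruby
# Added example: a minimal "compliance as code" check in plain Ruby.
# Not InSpec and not Chef Compliance; it only mirrors the idea of a control
# with an expected value, an actual value and a pass/fail result.

# Constructed sample sshd_config (not captured from a real system).
SAMPLE_SSHD_CONFIG = <<~CONF
  # sample sshd_config used for the illustration
  Port 22
  Protocol 2
  PermitRootLogin yes
  PasswordAuthentication no
  X11Forwarding no
CONF

# Hypothetical policy: [directive, expected value, control id, description].
SSH_POLICY = [
  ["Protocol", "2", "ssh-01", "Only SSH protocol 2 is allowed"],
  ["PermitRootLogin", "no", "ssh-02", "Root may not log in directly over SSH"],
  ["PasswordAuthentication", "no", "ssh-03", "Password authentication is disabled"],
  ["X11Forwarding", "no", "ssh-04", "X11 forwarding is disabled"],
].freeze

# Parse sshd_config text into a hash of lowercase directive => value.
# sshd treats directives case-insensitively, accepts "Key value" or
# "Key=value", and uses the FIRST occurrence of a directive, so the
# parser keeps the first value it sees.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+|=/, 2)
    settings[key.downcase] ||= value.to_s.strip
  end
  settings
end

# Evaluate every control in the policy against the parsed settings.
# A missing directive counts as a failure (the default may be insecure).
def evaluate(settings, policy)
  policy.map do |key, expected, id, desc|
    actual = settings[key.downcase]
    {
      id: id, desc: desc, key: key, expected: expected, actual: actual,
      passed: !actual.nil? && actual.casecmp?(expected),
    }
  end
end

# Human-readable report; returns true only if every control passed.
def report(results)
  results.each do |r|
    status = r[:passed] ? "PASS" : "FAIL"
    puts "#{status} #{r[:id]} #{r[:desc]} " \
         "(#{r[:key]}: expected #{r[:expected].inspect}, got #{r[:actual].inspect})"
  end
  passed = results.count { |r| r[:passed] }
  puts "#{passed}/#{results.size} controls passed"
  passed == results.size
end

# Exit code a pipeline stage would use: 0 when compliant, 1 otherwise.
def exit_code_for(results)
  results.all? { |r| r[:passed] } ? 0 : 1
end

def run_compliance_check(config_text = SAMPLE_SSHD_CONFIG, policy = SSH_POLICY)
  evaluate(parse_sshd_config(config_text), policy)
end

if __FILE__ == $PROGRAM_NAME
  results = run_compliance_check
  report(results)
  # A Jenkins stage would finish with `exit exit_code_for(results)` so that
  # a failed control fails the build; here the code is only printed.
  puts "pipeline exit code: #{exit_code_for(results)}"
end
```

Run against the sample, three controls pass and ssh-02 fails because the constructed config leaves PermitRootLogin set to yes, so the stage would return exit code 1 and Jenkins would mark the build failed. Swapping the sample text for the contents of a real sshd_config, or the policy table for a different set of controls, is the whole of the change needed; the test itself is what gets versioned, reviewed and run on every delivery, which is the practice the post is describing.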

The role of Jenkins as the central CI/CD orchestrator positions it to play a significant role in the burgeoning CompOps movement. Compliance is critical to many organizations and should be incorporated into their larger DevOps culture. Iron Mountain says the benefit of developing a compliance-driven culture is that the “compliance program can ultimately help you cut your operational costs, improve efficiencies and reduce risks. Once you’ve developed your plan, you can relax—at least a little—knowing that you’re well set up to:

  • Demonstrate your adherence to laws and regulations
  • Speed your response times when audits or litigation occur
  • Reduce the risk of fines and penalties
  • Improve your business efficiencies
  • Reduce your administrative costs
  • Get control over your critical records”[6]

In my next post, I will talk about continuously delivered analytics and the culture of innovation necessary to create it.

Thomas McGonagle
Senior DevOps Consultant, Global Services
CloudBees


[1] http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/General-Articles/W/What-Is-a-Culture-of-Compliance.aspx

[2] http://devops.com/2016/02/04/devops-in-2016-mainstream-momentum-ahead/

[3] https://www.chef.io/compliance/

[4] http://github.com/chef/inspec

[5] http://www.amazon.com/gp/product/1449372201?keywords=test%20driven%20infrastructure%20with%20chef&qid=1456824446&ref_=sr_1_1&s=books&sr=1-1

[6] http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/General-Articles/W/What-Is-a-Culture-of-Compliance.aspx
