One of the defining elements of DevOps is rapid change. Rapid change, in and of itself, is generally perceived as scary and bad by IT and security admins, and as the exact opposite of what you need to achieve and maintain compliance. The reality, however, is that the agility and automation components of DevOps simplify and streamline compliance initiatives.
DevOps tools and principles have revolutionized IT across many industries in recent years. But companies saddled with requirements such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI-DSS) tend to be more cautious when it comes to adopting cutting-edge solutions.
There are specific industries—health care and finance are two—that are strictly regulated and more reluctant to change. But even beyond those industries, there exist various compliance frameworks under which the rapid pace of change associated with DevOps may be seen as a risk. The flip side of that coin is that the agility and automation associated with DevOps actually might streamline and simplify compliance.
The DevOps and Compliance Challenge
Ken Cheney, vice president of Business Development at Chef, sees the same tension. “Today companies are faced with increasingly detailed security and compliance requirements. For organizations in highly regulated industries like health care, financial services and the Federal space, detailed compliance can impede the ability to innovate.”
One of the biggest concerns that compliance and audit teams raise about DevOps is that it will create a “Wild West” ecosystem where everyone has access to all production systems and data. DevOps, however, does not have to result in access chaos. Orchestration can in fact produce a more compliant organization, one in which nobody gets direct access to production systems and every change leaves an auditable record; the only thing to add as a practitioner is that an emergency break-glass path still has to exist, and it should be logged and reviewed like any other change.
“Instead, mature DevOps organizations actually remove all direct administrative access to systems,” says Andrew Storms, vice president of Security Services at New Context. “Changes all go through a central orchestration tool, where access can be abstracted and forced through a change management automation system.”
Better Compliance Through Automation
The consensus among DevOps experts is that DevOps does more to help compliance than hurt it. It isn’t so much a question of whether a regulated business should or shouldn’t adopt DevOps tools and principles—it’s more a question of how.
“DevOps tools and practices establish compliance through consistency. They help improve compliance by reducing complexity and variability within the environments,” notes Derek Weeks, vice president and DevOps Advocate at Sonatype. “For test and operations teams, configurations, tests and deployments can be automated to ensure execution is consistent. For development teams, consistent versions of binaries ensure use of compliant components, leading to more compliant applications. The automation capabilities of DevOps tools enable consistent, automated execution of compliant practices.”
Rather than conflicting with such initiatives, DevOps can be a crucial element in simplifying and streamlining them. “The key to making compliance an advantage is to specify compliance requirements as code, allowing them to be tested just like any other piece of code in the software development pipeline,” Chef’s Cheney says. “Previously manual verification tasks—often tracked through spreadsheets or other arduous methods—can now be proactively addressed as embedded tests in an automated workflow. Security risks are brought to the surface early for faster remediation, so out-of-date software is identified and updated quickly.”
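To make the two ideas in the quotes above concrete, the compliance-as-code tests Cheney describes and the "no direct administrative access" rule Storms describes, here is a small policy-as-code checker. It is an added example written for this page, not Chef's InSpec or any other product's code, and everything it inspects is constructed inline: the host facts, the control IDs, the minimum package versions and the field names are all assumptions. Each control is a plain function that returns a list of failures, the runner turns the results into a pass/fail gate, and a CI stage fails the build on any finding, which is exactly how a spreadsheet of manual checks becomes a test that runs on every change.

```python
"""Compliance-as-code checker (added example for this page; all data below is constructed)."""
import copy
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed host state, standing in for facts an agent would gather on a real host.
SAMPLE_HOST = {
    "sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    "packages": {"openssl": "1.1.1k", "nginx": "1.18.0"},
    "users": [
        {"name": "root", "shell": "/bin/bash"},
        # Orchestration service account: may deploy, cannot log in interactively.
        {"name": "deploy", "shell": "/usr/sbin/nologin"},
        # Human with sudo and a login shell: the direct admin access the policy forbids.
        {"name": "alice", "shell": "/bin/bash", "groups": ["sudo"]},
    ],
}

# The same host after remediation (constructed), to show a clean run.
COMPLIANT_HOST = copy.deepcopy(SAMPLE_HOST)
COMPLIANT_HOST["packages"]["openssl"] = "1.1.1n"
COMPLIANT_HOST["users"][2]["shell"] = "/usr/sbin/nologin"

MIN_VERSIONS = {"openssl": "1.1.1n", "nginx": "1.18.0"}  # assumed policy floor
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_version(v: str) -> Tuple[Tuple[int, str], ...]:
    """'1.1.1k' -> ((1,''),(1,''),(1,'k')); tuples then compare component-wise."""
    parts = []
    for comp in v.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", comp)
        if not m:
            raise ValueError(f"unparseable version component {comp!r} in {v!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def sshd_setting(host: dict, key: str, expected: str) -> List[str]:
    actual = host["sshd_config"].get(key)
    return [] if actual == expected else [f"{key} is {actual!r}, expected {expected!r}"]


def no_direct_admin_shell(host: dict) -> List[str]:
    """Privileged accounts may not have an interactive shell; changes go through orchestration."""
    return [f"user {u['name']} has sudo and interactive shell {u['shell']}"
            for u in host["users"]
            if "sudo" in u.get("groups", []) and u["shell"] not in NOLOGIN_SHELLS]


def packages_current(host: dict) -> List[str]:
    """Surface out-of-date software by comparing installed versions to the policy floor."""
    failures = []
    for pkg, minimum in MIN_VERSIONS.items():
        installed = host["packages"].get(pkg)
        if installed is None:
            failures.append(f"{pkg} is not installed")
        elif parse_version(installed) < parse_version(minimum):
            failures.append(f"{pkg} {installed} is below minimum {minimum}")
    return failures


@dataclass
class Control:
    id: str
    title: str
    check: Callable[[dict], List[str]]  # an empty list means the control passed


@dataclass
class Result:
    control_id: str
    passed: bool
    messages: List[str]


CONTROLS = [
    Control("sshd-01", "Root login over SSH disabled", lambda h: sshd_setting(h, "PermitRootLogin", "no")),
    Control("sshd-02", "SSH password authentication disabled", lambda h: sshd_setting(h, "PasswordAuthentication", "no")),
    Control("access-01", "No sudo account with an interactive shell", no_direct_admin_shell),
    Control("pkg-01", "Packages at or above minimum patched version", packages_current),
]


def run_controls(host: dict, controls=CONTROLS) -> List[Result]:
    results = []
    for c in controls:
        msgs = c.check(host)
        results.append(Result(c.id, not msgs, msgs))
    return results


def failed_ids(results: List[Result]) -> List[str]:
    return sorted(r.control_id for r in results if not r.passed)


def pipeline_gate(results: List[Result]) -> bool:
    """True only when every control passed; the CI step exits non-zero otherwise."""
    return all(r.passed for r in results)


if __name__ == "__main__":
    results = run_controls(SAMPLE_HOST)
    for r in results:
        print("PASS" if r.passed else "FAIL", r.control_id, *r.messages)
    raise SystemExit(0 if pipeline_gate(results) else 1)
```

Run directly, the script reports two failures on the sample host (a human sudo user with a login shell, and an OpenSSL build below the floor) and exits non-zero, which is the signal a pipeline stage keys on; the remediated copy passes cleanly. The version parser is deliberately minimal (numeric components with an optional letter suffix, as in OpenSSL 1.1.1k); distribution packages use richer schemes, so against a real host you would defer to the package manager's own version ordering rather than a string parse.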
Check out the complete post on DevOps.com: Does DevOps Help or Hinder Compliance?