Orchestration tool makers have set their sights on security and compliance. IT professionals should remember that “compliance as code” isn’t the easy button they might like it to be.
As configuration management tools like Chef and Puppet have evolved to become so-called “Infrastructure as Code” solutions, both enterprises and software vendors have realized that security and compliance teams have been struggling to keep up.
Chef continues to add features and obtain certifications toward the goal of “compliance as code,” while HashiCorp advocates a “policy as code” approach. The goal of these systems, and of other similar tools, is to bake compliance into the orchestration tools themselves rather than bolting it on afterward.
Traditionally, enforcement of policies has been a manual and error-prone process in many enterprises. Policies are often drafted in natural language documents, and then security teams check systems against these natural-language policies, documenting the work orders through an ITSM tool.
Properly configured orchestration tools should be able to automatically enforce the defined policies, while at the same time creating auditable records to prove compliance.
Info-Tech expects the trend of “compliance as code” to continue, but this isn’t the easy button IT professionals might like it to be. The industry already faces a shortfall of qualified security personnel. Compliance as code will require greater expertise in translating natural-language regulatory and compliance requirements into controls expressed in code for infrastructure as code tools, and in keeping those controls correct as the underlying regulations and platforms change.
IT professionals will also need to be able to explain and to demonstrate the functionality of these tools to auditors. “Trust us, it works,” is not an appropriate answer in the face of an audit. IT professionals will need not only to write effective and appropriate policies into their infrastructure as code, but will also need to document the code’s enforcement and auditing mechanisms.
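To make the translation step concrete, here is an added example (not from the original article, nor from Chef or HashiCorp) of what one such control looks like when written as code. Each control carries the natural-language policy sentence it implements, the machine check derived from it, and the evidence it collected, so the output is an auditable record rather than a bare pass/fail. The SSH policy statements, control identifiers, host names and both sshd_config files are constructed for the example; the check logic mirrors how OpenSSH treats the first occurrence of a keyword as authoritative.

```ruby
require 'json'
require 'time'

# Constructed sample sshd_config contents (not taken from any real host).
COMPLIANT_SSHD = <<~CONF
  Port 22
  PermitRootLogin no
  PasswordAuthentication no
  MaxAuthTries 4
CONF

DRIFTED_SSHD = <<~CONF
  # root login was re-enabled by hand during an outage and never reverted
  PermitRootLogin yes
  PasswordAuthentication no
CONF

# Minimal sshd_config parser: keywords are case-insensitive, comments and blank
# lines are ignored, and the first occurrence of a keyword wins (OpenSSH semantics).
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    settings[key.downcase] ||= value
  end
  settings
end

# Each control keeps the policy sentence beside the check derived from it, so an
# auditor can trace the code back to the natural-language requirement.
# Control IDs and policy wording are hypothetical.
CONTROLS = [
  { id: 'SSH-01',
    policy: 'Administrators must not authenticate directly as root over SSH.',
    key: 'permitrootlogin', expected: 'no',
    check: ->(v) { v == 'no' } },
  { id: 'SSH-02',
    policy: 'Password-based SSH authentication is prohibited; keys only.',
    key: 'passwordauthentication', expected: 'no',
    check: ->(v) { v == 'no' } },
  { id: 'SSH-03',
    policy: 'Failed authentication attempts per connection are capped at four or fewer.',
    key: 'maxauthtries', expected: '<= 4',
    # An unset value is a failure: OpenSSH defaults to 6, which exceeds the cap.
    check: ->(v) { !v.nil? && v.to_i <= 4 } },
].freeze

# Evaluates one control and records the evidence (the actual setting observed).
def evaluate(control, settings)
  actual = settings[control[:key]]
  {
    control: control[:id],
    policy: control[:policy],
    setting: control[:key],
    expected: control[:expected],
    actual: actual.nil? ? '<unset>' : actual,
    passed: control[:check].call(actual),
  }
end

# Runs every control against a host's config and returns the audit record.
# The record, not a verbal assurance, is what gets handed to the auditor.
def audit(host, config_text, clock: Time.now)
  settings = parse_sshd_config(config_text)
  results = CONTROLS.map { |c| evaluate(c, settings) }
  {
    host: host,
    checked_at: clock.utc.iso8601,
    compliant: results.all? { |r| r[:passed] },
    results: results,
  }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(audit('web-01', COMPLIANT_SSHD))
  puts JSON.pretty_generate(audit('web-02', DRIFTED_SSHD))
end
```

The drifted host fails SSH-01 with the evidence "PermitRootLogin yes" and fails SSH-03 with "<unset>", which is the kind of record an auditor can verify independently; a pass/fail bit on its own would not show what was checked or why it failed. In a real deployment the config text would come from the node under management and the record would be shipped to the ITSM or logging system, but the shape of the control stays the same.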
Vendors will try to differentiate themselves by making their compliance as code features more human readable (e.g. HashiCorp’s Sentinel policy language, used with Terraform). But each vendor-specific policy language is another dialect to learn and to explain to auditors, and the resulting lack of standardization is a cost that writing controls in a general-purpose programming language would avoid.
It’s clear that manual security and compliance, just like manual QA, cannot scale to keep up in a DevOps world. But it will take time and effort for enterprises to catch up and to implement compliance as code in a way that works for them. IT leaders should take a strategic approach and avoid relying on vendors to show them where to go.