
Chef's InSpec 2.0 brings compliance automation to the cloud


Enterprises have been quick to adopt automation tools for development and deployment but only recently have organizations started adopting security and compliance automation tools.

Chef is famous in the world of software automation and configuration management, but one arena in which it's only recently dipped its toes is security and compliance automation. While organizations have been highly receptive to the concept of automating core steps in the software development lifecycle, they have been less receptive to security and compliance automation, and application release velocity is suffering because of it.


"A lot of folks are doing compliance manually," said Julian Dunn, director of product marketing at Chef. "According to the results of Chef's 2018 Compliance Survey, 75% of all respondents said they were doing compliance audits manually."

And when an organization does identify a security or compliance issue, manual remediation only exacerbates the problem.

Compliance automation in the cloud

Filling what it perceives as a void in the compliance automation field, Chef recently released version 2.0 of its open source InSpec product. InSpec 2.0 is interesting for two reasons.

Firstly, the tool can scan its environment and identify potential compliance issues, from infrastructure problems, like inadequate firewall protection, to policy issues, like password strength and expiration. And not only does InSpec 2.0 identify problems, it also provides specific steps to take to address each one.


Secondly, InSpec is interesting because it is fully programmable.

"InSpec provides a domain-specific language that allows customers to describe their own compliance rules," Dunn said. "You have a lot of out-of-the-box rules having to do with things such as firewalls and passwords, but because it's effectively a programming language, it allows for customers to fully express their own compliance automation rules as well."
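As an added illustration, not code from the article or from Chef's InSpec, the following plain-Ruby sketch shows the shape of the compliance-as-code approach Dunn describes: rules expressed in code, evaluated against captured configuration, with each failed rule carrying its own remediation step. The config snippets are constructed, and the thresholds (90-day expiry, 14-character minimum) are assumed policy values, not settings the article states.

```ruby
# Added illustration of compliance-as-code in plain Ruby. This is NOT InSpec's
# DSL or any Chef code; it only mirrors the idea of rules-as-code that report
# findings together with remediation steps.

# Constructed sample of /etc/login.defs as it might be read from a host.
SAMPLE_LOGIN_DEFS = <<~CONF
  # Password aging controls
  PASS_MAX_DAYS   99999
  PASS_MIN_DAYS   0
  PASS_MIN_LEN    5
  PASS_WARN_AGE   7
CONF

# Constructed sample of /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = <<~CONF
  Port 22
  PermitRootLogin yes
  PasswordAuthentication yes
  # Protocol 1 is commented out below, so the parser must not count it
  # Protocol 1
CONF

# Parse "KEY VALUE" style files (login.defs and sshd_config share this shape).
# Comments and blank lines are dropped; keys are lower-cased so rules can look
# them up case-insensitively.
def parse_kv(text)
  text.each_line.each_with_object({}) do |line, h|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    h[key.downcase] = value
  end
end

# A rule pairs a check with the remediation to report when the check fails.
Rule = Struct.new(:id, :title, :impact, :check, :remediation)

# Assumed policy thresholds (90 days, 14 chars) for this example.
RULES = [
  Rule.new('login-01', 'Passwords expire within 90 days', 0.7,
           ->(c) { c['login_defs'].fetch('pass_max_days', '99999').to_i.between?(1, 90) },
           'Set PASS_MAX_DAYS to 90 or less in /etc/login.defs'),
  Rule.new('login-02', 'Minimum password length is at least 14', 0.7,
           ->(c) { c['login_defs'].fetch('pass_min_len', '0').to_i >= 14 },
           'Set PASS_MIN_LEN to 14 or more in /etc/login.defs'),
  Rule.new('sshd-01', 'Root login over SSH is disabled', 1.0,
           ->(c) { c['sshd_config']['permitrootlogin'] == 'no' },
           'Set PermitRootLogin no in /etc/ssh/sshd_config and reload sshd'),
  Rule.new('sshd-02', 'SSH protocol 1 is not enabled', 1.0,
           ->(c) { !c['sshd_config'].fetch('protocol', '2').split(',').map(&:strip).include?('1') },
           'Remove Protocol 1 from /etc/ssh/sshd_config')
]

# Evaluate every rule against the parsed configuration and return one
# finding per rule; remediation is attached only to failures.
def evaluate(rules, config)
  rules.map do |r|
    passed = r.check.call(config)
    { id: r.id, title: r.title, impact: r.impact,
      status: passed ? 'passed' : 'failed',
      remediation: passed ? nil : r.remediation }
  end
end

# Scan two config texts and return the list of findings.
def scan(login_defs_text, sshd_text)
  config = { 'login_defs' => parse_kv(login_defs_text),
             'sshd_config' => parse_kv(sshd_text) }
  evaluate(RULES, config)
end

# Print findings in a compact audit-report style.
def report(results)
  results.each do |r|
    puts "#{r[:status].upcase.ljust(6)} #{r[:id]} (impact #{r[:impact]}): #{r[:title]}"
    puts "       remediation: #{r[:remediation]}" if r[:remediation]
  end
end

report(scan(SAMPLE_LOGIN_DEFS, SAMPLE_SSHD_CONFIG)) if $PROGRAM_NAME == __FILE__
```

Against the constructed samples, three of the four rules fail and each failure names the concrete setting to change. In InSpec itself the same intent is written in its DSL, for instance a control containing `describe login_defs do its('PASS_MAX_DAYS') { should cmp <= 90 } end`, and InSpec's resources read the target host or cloud account rather than an inline string.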

Cloud compliance challenges

With InSpec 2.0, a big priority has been making this kind of DevOps tool more cloud-friendly.

While the cloud greatly simplifies elastic deployment by hiding many of the complexities of distribution and scaling, those same abstractions can cause problems for security compliance. For example, how the underlying system actually works may be undocumented or documented in a nonobvious way. Further complicating matters, many cloud vendors offer services related to their products that might appear to meet compliance requirements but fall short under closer inspection.

"When a cloud vendor provides you things like an API gateway and then they tell you that it has a web allocation firewall in front that performs a variety of functions, you immediately assume somebody else is accountable," Dunn said. "So, compliance can get deprioritized or even forgotten about."

With a compliance automation tool in place, though, organizations can identify these types of oversights and address them before code ever goes into production.

Chef has built its reputation on facilitating the automation of various development and deployment tasks. And with the release of InSpec 2.0, it is bringing its knowledge and experience into the realm of security and compliance automation as well.

To learn more about InSpec 2.0, Chef's 2018 Compliance Survey and how utilizing compliance automation could benefit your DevOps processes, listen to the accompanying podcast with TheServerSide's Cameron McKenzie and Chef Product Manager Julian Dunn.