There has been an ongoing conversation about compliance in the DevOps world. For many DevOps shops, it's a serious challenge to scale up and get the compliance and audit game DevOps-ready. A holistic DevOps compliance approach, though, can provide a distinct edge and help meet compliance requirements.
Here are some tips for DevOps shops to crack compliance.
Apply DevOps culture to compliance
Teams should embrace DevOps culture fully -- in particular, automation and cross-team collaboration, according to Mike Kail, former Yahoo CIO and co-founder of application security platform Cybric. You can combine those cultural elements with various tools, automated tasks and orchestrated processes to improve DevOps compliance.
Because DevOps and automation often go together, the repeatability of certain tasks will help DevOps teams achieve compliance. Kail said a team can do most of the heavy lifting with compliance if they collect data aggressively -- whether it's an audit log or other data sources.
DevOps teams should also guarantee their internally developed software with service-level and appropriate licensing agreements, according to Kail.
Moreover, DevOps shops can remove a lot of manual latency if they use automation to ingest that data and continually produce the reports. Automation also removes human error in the repeatability of compliance processes.
Another core tenet of DevOps is to measure progress. If you chart your progress, you can improve your time to compliance or regulatory reporting and close any gaps in your processes.
Tap automation to gather monthly review data
CIOs must consider compliance and regulatory issues at hand in an organization and ask if today's manual tasks can be automated.
Kail pointed to the Sarbanes-Oxley Act as an example, citing the problem of its manual reporting requirements. One of its compliance standards asks whether you do what you say you do. CIOs receive a monthly report about financial systems access and other data points, but those reports cover the previous month. Kail said that, as a CIO, he was left unsatisfied because the report was never up to date. He was also unhappy with the manual processes behind the reporting.
With automation a core tenet of DevOps culture, Kail advised CIOs and DevOps shops to automate that monthly review in a reproducible way. Automation can provide a report in near real time. You also get a transparent, repeatable process in place of a team or a single-point-of-failure individual plugging away manually, whose output can vary with stress level, workload and other internal and external factors.
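As an added illustration (not code from the article, from Kail or from Cybric) of what such an automated access review can check: the script below replays constructed grant/revoke audit events to derive who currently holds access to each financial system and compares that with a hypothetical approved roster, which is the "do what you say you do" test described above. The log format, system names and roster are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (one event per line):
# <ISO timestamp> <actor> <grant|revoke> <system> <target account>
SAMPLE_LOG = """\
2024-03-01T09:12:00Z alice grant ledger bob
2024-03-02T10:00:00Z alice grant ledger carol
2024-03-05T14:30:00Z alice revoke ledger bob
2024-03-07T08:45:00Z dave grant payroll erin
2024-03-09T16:20:00Z alice grant ledger frank
"""

# Hypothetical approved roster: the access the control documentation says exists.
APPROVED = {"ledger": {"carol"}, "payroll": {"erin"}}


def parse_log(text):
    """Parse the constructed log format into (timestamp, actor, action, system, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, system, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, system, target))
    return events


def current_access(events):
    """Replay grant/revoke events in time order to reconstruct who has access right now."""
    access = defaultdict(set)
    for _ts, _actor, action, system, target in sorted(events):
        if action == "grant":
            access[system].add(target)
        elif action == "revoke":
            access[system].discard(target)
    return {system: users for system, users in access.items()}


def review(events, approved):
    """Compare actual access with the approved roster and report deviations per system.

    'unapproved' = accounts holding access that the roster does not list;
    'missing'    = roster entries with no corresponding access in the log.
    """
    actual = current_access(events)
    findings = {}
    for system in sorted(set(actual) | set(approved)):
        have, should = actual.get(system, set()), approved.get(system, set())
        findings[system] = {"unapproved": sorted(have - should), "missing": sorted(should - have)}
    return findings
```

Run on a schedule against the real audit feed, `review()` gives the near-real-time view Kail asks for, and the sorted event replay keeps the result reproducible for auditors.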
Use governance tools and usage analytics for a better view
Teams should use governance tools to manage user roles and access permissions to file servers and applications, according to Rafi Rainshtein, vice president of R&D and DevOps at SysAid Technologies, a centralized IT service management and service desk software company. Governance tools set the proper security standard overall. He also advised that shops use API and access control analytics to log and monitor changes so teams know who touched what and when.
Start with simple analytics, and collect and store the data. When needed, access tools can help teams reach their usage data.
Extend DevOps licensing strategies
Enterprises should apply DevOps licensing practices and strategies to their internally developed software, said Roman Shaposhnik, co-founder and vice president of product and strategy at Zededa. He stressed that DevOps teams know all the software that runs on their infrastructure. Organizations need to manage intellectual property and licensing restrictions in their toolchains if they want the build process to run smoothly. DevOps teams should be able to disavow responsibility for such licensing issues; usually it's the vendor's responsibility. But even if it's the vendor that gets fined, it'll still seriously affect your build process.
DevOps shops need to manage their internal licensing information, especially if it includes open source and third-party software components. You're on the hook for any potential licensing or legal issues from your own software, so it's best to be prepared with the appropriate guarantees and licensing come audit time.
DevOps: Your new key to compliance
With its core principles of automation, collaboration and continuous delivery, DevOps could be a key to compliance rather than an obstacle. When you apply to compliance challenges the same DevOps principles that are applied to applications and infrastructure, you might find yourself ahead in the DevOps compliance game.