The document discusses adopting Chef Compliance to automate compliance checks across devices and applications. It recommends defining compliance requirements upfront using sources like the service catalog, device matrix, and lessons learned from past events. This approach allows for faster deployment of compliance, reduces rework, and catches critical issues earlier. Automating compliance checks through Chef Compliance saves significant time over manual checks as an organization scales, reducing unplanned work and risk.
6. OUT OF THE BOX
Center for Internet Security [CIS]
7. BUILDING ON SOLID FOUNDATIONS
• Regulatory (FSA, PCI)
• Best Practice
• Lessons Learned
8. DEPLOY COMPLIANCE FIRST
A quicker ROI back to the business through:
• Speed – faster to deploy
• Accuracy – reducing rework
• Risk – reducing unplanned work
By defining your compliance requirements first you gain insight into what is important to you.
10. We need to write a compliance profile for all the devices we have in production. If a customer has suffered a service outage then we should write a control to know where else we are exposed.
11. INSPIRATION FOR WHERE TO LOOK
Service Catalog [targets]
• Device Matrix
• Application List
Best Practices [compliance]
• Build Standards
• Setup Guides
Lessons Learned [compliance]
• Previous Events
• Front Line
Go broad and shallow – don’t boil the ocean :)
13. REDUCING UNPLANNED WORK
100 critical issues found across 1000 devices
1 critical compliance failure = 8 hours of unplanned work
100 MD (man-days) worth of unplanned work.
All these grow as you scale out, delivering real benefit.
18. OUR SINGLE BIGGEST CHALLENGE
Reporting: don’t underestimate its importance; find the right medium that works for your customers.
19. Out of the box
• Baseline compliance
• Offering insight
Extendable
• Best Practice
• Lessons Learned
Fast ROI
• Reduce rework
• Reduce risk
IN CLOSING
Who are you...
What do you do...
Who do you work for...
What do they do...
Last year was my first community summit. I was just a face in the crowd; in fact, if you had told me last year that I would be standing in front of you, I probably wouldn’t have believed you :)
I came to find out about a product, but what I found was much more than that.
I left the summit feeling very much welcomed into something bigger; my hope is that anyone leaving their first summit today feels the same way.
The highlight for me was the announcement ...
... for me this is a lightbulb moment.
With InSpec we instantly saw the potential value to the business and our customers.
Out of the box we got access to a Swiss army knife of features.
A key part was alignment to CIS, and having the ability to scan to that standard.
We had tools that did a similar thing, but they were proprietary and typically different across multiple platforms, so having a consolidated view was key.
Regulatory compliance is important; we need it in the markets that we operate in.
But speaking to our clients and looking at our own experience, we saw that compliance can be more than that:
Build on a foundation of regulatory compliance.
Build compliance around the things that fall outside those standards:
Build standards
Lessons learned
These excited us far more, and for that reason the idea was that our first step with Chef was to deploy Chef Compliance first.
We saw a quicker ROI back to the business through:
(Speed to test compliance) – faster to deploy (being agentless)
And going after two key areas: reducing rework and unplanned work.
Side benefit: functional requirements...
By defining your compliance requirements first you gain insight into what is important to you, and it acts as a blueprint for your automation goals later.
Split between targets and compliance checks.
Device Matrix – firewalls, routers, hypervisors, SAN, backup infrastructure.
Application list – think about each item in your management stack.
Internal build standards (internal security guideline).
Setup guides – hand-offs between teams.
Phase gate process where someone has to manually check something is ready?
Past outages, interviews with the front line, attending a war room, on-call staff, service desk: all examples of where you can get the checks from.
Time saving = manual check over automation.
High velocity clients, 100s of RFCs a day.
Managed service providers.
We redefined what a critical failure (in Chef Compliance) means to us.
Try to understand what it means in terms of unplanned work. So 8 hours was our estimate of what makes up a sev 1 outage.
Your breakdown might be more or less; maybe we undercooked it when you consider hand-offs etc.
All these grow as you scale out, delivering real benefit.
So you’ve created some measures, but you now have to choose a path to proceed.
Choose the wrong way and you run the risk of being one of the most hated people in your company...
The logic here is:
You choose and then identify a number of failures, great, but the execs are now getting nervous that they are sitting on potential outages, and Ops hate you as you are giving them more to do.
How do you solve it?
Don’t sit in an ivory tower.
Like a good chess player thinking x moves ahead, before you sit down and write the first control consider who benefits from it, who is going to receive it, and who is going to correct it.
Adoption with Ops is key, and you do that ... by driving adoption.
So you start where you are going to get buy-in.
Ask the question (what one thing?). Get them to choose what they are about to fix and have to fix; they will choose the highest impact thing and, as it was theirs, support it through to resolution.
One Idea Sprints*
To support this, create a mechanism to pass the information to the operational team that is integrated into their working processes; don’t create a new way of working, it will get sidelined.
Once you have one in the bank, building that culture has begun.
Importance of reporting
Our biggest challenges and criticisms about the product:
Challenges around multi-tenant reporting, mobile device support, and integration into our existing portal.
So to overcome that we took the data from Compliance and imported it into Power BI.
The examples on the docs website can help you achieve the same; they are well written and the examples are clear, even for a Windows admin like me.
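As an added example (not the speaker's own tooling), the script below applies the talk's critical-failure definition to scan output and turns it into the unplanned-work figure and a flat table a reporting tool such as Power BI can import. The input nesting loosely follows InSpec's JSON reporter (profiles, controls, results) but the documents are constructed here, and the 0.7 impact cut-off and 8 hours per failure are assumptions you would tune to your own definition.

```ruby
require "json"

# Constructed sample scan output, one document per device. The nesting
# (profiles -> controls -> impact/results) loosely follows InSpec's JSON
# reporter; the "node" key and all values are made up for this example.
SAMPLE_REPORTS = JSON.parse(<<~JSON)
  [
    {"node": "fw-edge-01", "profiles": [{"controls": [
      {"id": "ssh-01", "impact": 1.0, "results": [{"status": "failed"}]},
      {"id": "ntp-01", "impact": 0.5, "results": [{"status": "failed"}]}]}]},
    {"node": "hv-02", "profiles": [{"controls": [
      {"id": "ssh-01", "impact": 1.0, "results": [{"status": "passed"}]},
      {"id": "backup-07", "impact": 0.8, "results": [{"status": "failed"}, {"status": "passed"}]}]}]}
  ]
JSON

CRITICAL_IMPACT    = 0.7  # assumed cut-off; redefine to match what "critical" means to you
HOURS_PER_CRITICAL = 8.0  # the talk's estimate: one critical failure ~ one sev 1 outage
HOURS_PER_MAN_DAY  = 8.0

# A control is a critical failure when its impact meets the threshold and
# at least one of its test results failed (a partly failing control still fails).
def critical_failures(reports, threshold: CRITICAL_IMPACT)
  reports.flat_map do |report|
    report["profiles"].flat_map do |profile|
      profile["controls"]
        .select { |c| c["impact"] >= threshold && c["results"].any? { |r| r["status"] == "failed" } }
        .map { |c| { node: report["node"], control: c["id"], impact: c["impact"] } }
    end
  end
end

# The slide's arithmetic: hours and man-days of unplanned work, plus a
# per-device count so Ops can see where else they are exposed.
def unplanned_work(failures, hours_per_failure: HOURS_PER_CRITICAL)
  hours = failures.size * hours_per_failure
  { failures: failures.size, hours: hours, man_days: hours / HOURS_PER_MAN_DAY,
    by_node: failures.group_by { |f| f[:node] }.transform_values(&:size) }
end

# Flat CSV rows (header first) ready to import into a reporting tool.
def to_csv_lines(failures)
  ["node,control,impact"] + failures.map { |f| [f[:node], f[:control], f[:impact]].join(",") }
end

if __FILE__ == $PROGRAM_NAME
  failures = critical_failures(SAMPLE_REPORTS)
  summary  = unplanned_work(failures)
  puts "#{summary[:failures]} critical failures = #{summary[:hours]} h (#{summary[:man_days]} man-days)"
  summary[:by_node].each { |node, n| puts "  #{node}: #{n}" }
  puts to_csv_lines(failures)
end
```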
Baseline compliance.
Extendable – this is where we took it. You may have other ideas; if so, please share them.
Lessons learned – giving back to Ops and reducing your technical debt.
One idea sprints – ask the question, release and iterate.
Go broad and shallow.
Remember to take people with you –
Work with them; don’t just write a compliance report, leave it on the doorstep of Ops, ring the doorbell and run away :)
Thank you, I hope this was of some help. Feel free to contact me if you have any questions.