Skip main navigation

How to automate compliance in DevOps

Does the idea of DevOps compliance appeal to your work and field? This article will be exploring compliance, and how you can automate it.

If you work at a financial institution, a healthcare company, a government agency, or in any heavily regulated industry, compliance is often the first concern when you are thinking about moving to DevOps. When dealing with compliance requirements, some organisations must be more careful than others might when they make process decisions

Automating Compliance

Traditionally and in “slow processes”, compliance relies on inspection. The primary mechanism, before the release, is an approval gate with signoff in which control objectives are manually enforced. At the time of the audit, the auditor has to deal with and untangle large batches of code, which have complicated relationships among the intended work stated as requirements, user stories, etc.

When you are using a DevOps process with continuous delivery, compliance relies on automation. Instead of certifying every release (large batches of code), you can automate and certify your pipeline. The automation links and validates the intended work requirements and user stories with small code changes to fewer test results.

This makes it easy to see and understand the relations between intent and result, the control objectives themselves, become tests, and the automated audit trail is easy to follow. You have a complete historical record and changes are traceable. Monitoring in production confirms that what is in production matches what was intended in development.

Ken Cheney, formerly with the company Chef and now with Qumulo, Inc., offers this perspective:

‘The key to making compliance an advantage is to specify compliance requirements as code, allowing that code to be tested just like any other piece of code in the software development pipeline. Previously manual verification tasks—often tracked through spreadsheets or other arduous methods—can now be proactively addressed as embedded tests in an automated workflow. Security risks are brought to the surface early for faster remediation, so out-of-date software is identified and updated quickly.’

Tools for Compliance

Every organisation treats compliance differently, so different tools might be needed depending on your organisation’s requirements. Whichever tools you adopt for compliance, DevOps practices offer predictability and simplification toward maintaining compliant practices.

Azure KeyVault

A primary benefit of many deployment solutions now is that they offer secret management, for example, by using services such as Microsoft Azure KeyVault. A secret store gives you the ability to abstract passwords, connection string information, and any other variables from all users so that there is no direct access to sensitive data in databases or on machines. Administrators set up access for the deployment solution to the machine and abstract the passwords.

Automated release pipeline

An automated release pipeline ensures consistent versions across assemblies, packages, builds, and deployments, using automated tests, infrastructure as code, and frequent releases. It also makes compliance more predictable and straightforward. With fast feedback loops, if noncompliance issues arise, corrections can be made more quickly and the changes can be tracked automatically.

For more information on the value that DevOps brings to compliance, check out the full online course, from CloudSwyft Systems Inc, below.

This article is from the free online

Microsoft Future Ready: Fundamentals of DevOps and Azure Pipeline

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now