How to automate compliance in DevOps

If you work at a financial institution, a healthcare company, a government agency, or in any heavily regulated industry, compliance is often the first concern when you are thinking about moving to DevOps. When dealing with compliance requirements, some organisations must be more careful than others might when they make process decisions

Automating Compliance

Traditionally and in “slow processes”, compliance relies on inspection. The primary mechanism, before the release, is an approval gate with signoff in which control objectives are manually enforced. At the time of the audit, the auditor has to deal with and untangle large batches of code, which have complicated relationships among the intended work stated as requirements, user stories, etc.

When you are using a DevOps process with continuous delivery, compliance relies on automation. Instead of certifying every release (large batches of code), you can automate and certify your pipeline. The automation links and validates the intended work requirements and user stories with small code changes to fewer test results.

This makes it easy to see and understand the relations between intent and result, the control objectives themselves, become tests, and the automated audit trail is easy to follow. You have a complete historical record and changes are traceable. Monitoring in production confirms that what is in production matches what was intended in development.

Ken Cheney, formerly with the company Chef and now with Qumulo, Inc., offers this perspective:

‘The key to making compliance an advantage is to specify compliance requirements as code, allowing that code to be tested just like any other piece of code in the software development pipeline. Previously manual verification tasks—often tracked through spreadsheets or other arduous methods—can now be proactively addressed as embedded tests in an automated workflow. Security risks are brought to the surface early for faster remediation, so out-of-date software is identified and updated quickly.’

Tools for Compliance

Azure KeyVault

Automated release pipeline

An automated release pipeline ensures consistent versions across assemblies, packages, builds, and deployments, using automated tests, infrastructure as code, and frequent releases. It also makes compliance more predictable and straightforward. With fast feedback loops, if noncompliance issues arise, corrections can be made more quickly and the changes can be tracked automatically.

For more information on the value that DevOps brings to compliance, check out the full online course, from CloudSwyft Systems Inc, below.