CompOps: How Compliance Operations Help Dev Orgs Conquer Increasing Regulatory Hurdles

Captions
Charlene: Well, good afternoon, good morning or good evening, depending upon where you are in the world, and welcome to today's DevOps.com webinar. I'm Charlene O'Hanlon, moderator for today's event, and I welcome you. We have a great presentation on tap. This is a conversation, a discussion among five very smart people, and I'm very much looking forward to it. But before we get started, we do have a few housekeeping items we need to go over. First of all, today's event is being recorded, so if you miss any or all of the discussion, you will have the opportunity to access it later. Following today's webinar, we will be sending out an email that contains a link to access the webinar on demand. We are taking questions from the audience, although we won't be having a formal question and answer session, so for any questions that do come in from the audience, these very smart people, as I said, will be getting a copy of all the questions that came in, and I'm sure somebody from their organization will be more than happy to follow up with you offline to get your question answered. We do have a couple of polling questions during the course of today's conversation, so please be aware, be alert, and hopefully we can get you engaged. We also have a very active chat on the interface, the chat tab, so we do encourage you to just chat us up: your questions, comments, suggestions, whatever you want to share with us, please go ahead and send it along. And then finally, at the end of today's webinar we are doing a drawing for four $25 Amazon gift cards, so please stick around; hopefully you'll be one of our four lucky winners. All right, so with that, let's go ahead and kick off today's discussion, which is CompOps: How Compliance Operations Help Dev Orgs Conquer Increasing Regulatory Hurdles. Our all-star lineup includes Shannon Smith, who is a Security Compliance Manager at Armory; Andy Suderman, who is the Director of R&D and Technology at Fairwinds; Dr. David Yates, who is
Associate Professor of Computer Information Systems at Bentley University; Thomas McGonagall, who's the Cloud Partner Solutions Architect at Armory and the moderator for today's conversation; and finally Dr. James Bland, who is the Global Tech Lead for DevOps at AWS. Thank you all for being on the webinar today. I am so looking forward to this conversation, and as I said before, Thomas is going to be leading the discussion. So Thomas, I'm going to hand it over to you, take myself off camera, put myself on mute, and I'll be back when we get to the first polling question.

Thomas: Thank you very much, Charlene. It's a tremendous pleasure to be here today. It's a pleasure to have all my old friends and my new friends here with me today. To kick off our talk, we're just going to go around and get the juices flowing by asking all our panelists: what's your favorite movie and what's your favorite security software? I'm going to put that in the chat, and if you could answer that for yourself as well in the chat while we're going through the panel. So my favorite movie is Joker with Joaquin Phoenix. I was a big comic book kid and I just loved the movie very much. My favorite piece of security software is NordVPN, because of how easy it makes a VPN and how awesome that is. In the old days I used to set up VPNs; it's just so much easier now with Nord and I just love it. David, I'm going to go to you: what's your favorite movie and what is your favorite security software?

David: Favorite movie is Raiders of the Lost Ark, a true classic for me; I've watched it many times. My favorite security software, it's not quite as old as Raiders, but I've been using Malwarebytes for my personal security for a long time and I love it.

Thomas: Thank you, David. I'm going to move on to Andy next. Andy, what is your favorite movie and your favorite security software, please?

Andy: My favorite movie has
to be The Fifth Element, probably my first big introduction to sci-fi when I was younger, so definitely one of my favorites. My favorite security software personally is the Proton Mail and Proton VPN combo, so a huge fan of that. Not technically security software, but it does keep me more secure.

Thomas: Oh, that's a great answer. I was looking at Proton earlier today. I'm going to move on to James. James, your cue.

James: Yep. My favorite movie would be The Matrix. Every time I watch it I find Easter eggs in there. It's a true geek's movie; I've just marveled at the way it was actually made and produced. For my favorite security tool, not necessarily really a tool, but it's the Chrome developer extensions. I really find that you can really dig in and find some interesting things in there, like what people have exposed publicly and maybe didn't realize it.

Thomas: Oh, what a great answer. I'm gonna steal that next time I ask that question. And Shannon, what's your favorite movie, what's your favorite security software?

Shannon: Yeah, so I'm a psychological thriller fan, and I'm really bad at remembering my favorite, but the first one I can remember is Secret Window, which is based off of a Stephen King long or short story, I guess. But that's the favorite I can remember, because it kind of introed me to that genre. And then favorite security app, I think maybe Jamf, which is more of a compliance app, but it ensures security controls, so that one's my favorite.

Thomas: Oh, I'm gonna return to that later on in the discussion; we can discuss what Jamf is and how we're using it for our compliance at Armory, for example. So I feel the need to really introduce our webinar at this point. I wanted to once again thank our team and the panelists for putting this together. CompOps is a term, an amalgamation or a phrase that I came up with in 2016, and I'm going
to put that into the Slack. I wrote a blog when I was at CloudBees, the Jenkins company, on continuous compliance, and this blog article talked about the need to take the principles and practices of DevOps and apply them to the field of compliance. So we're going to be discussing that whole sphere today; we're going to be talking about all the nitty gritty and we're going to dig into it with our panelists. But I feel that we need to discuss and define each of the different components: we need to define DevOps, we need to define security, we need to define DevSecOps, we need to define CompOps and compliance. So I'm going to ask Dr. David Yates to define DevOps.

David: So there's lots of definitions. Obviously it's a contraction, so the goal of DevOps is to combine software development and IT operations, and in terms of outcomes it's really focused on shortening the systems development life cycle and providing continuous software delivery of high quality software. And I would say critical success factors for DevOps operations or DevOps practices are inclusive teamwork and focus on a shared mission.

Thomas: Well, I love that definition. It's a definition that I've used personally myself, and no one has ever really had a problem with it. DevOps is all about the software delivery mission and delivering software to production. I just love that definition; it encapsulates so much of what I do in the DevOps sphere at Armory and in my previous career at the previous companies I've worked at. Do any of the panelists have any additions they want to add to this definition of DevOps, or can we move on to the definition of security? How does everyone feel about that definition?

Panelist: I like it a lot. I think it avoids a lot of the pitfalls that we see in the definition of DevOps in the industry.

Thomas: Yeah, people do find it challenging to define DevOps, don't they? And I think there's a
bunch of reasons for that, but what we're talking about is just a culture of software delivery and a culture of mission focus, and that really encapsulates the way I think about DevOps. Does anyone have any other comments? Are there any dissenting views? Okay, so we're gonna move on to security. Andy, would you mind defining security and what it means to you?

Andy: Sure. I'm gonna start with a definition I lifted from Wikipedia that I think is actually fairly apt, but I can talk about how I think about it as well. Computer security, cybersecurity or information technology security is the protection of computer systems and networks from information disclosure, theft or damage to their hardware, software or electronic data, as well as from the disruption or misdirection of the services they provide. Which is a fairly meaty definition, but I think it encapsulates the overall thinking of security. The way I think about security is that it's really a responsibility of every person that works in infrastructure or software to keep in mind the risk factors associated with the things that they build: understanding what your tolerance to risk is, what level you're going to mitigate that risk to, and keeping that in mind in basically everything that we do. It's not a single department, it's not one person's responsibility; it's really anyone who works on a system that is going to deliver software, in my case because I'm in the software field, who is responsible for it.

Thomas: Well, I thought that was a wonderful definition. I'm chomping at the bit, but I'm not going to ask the team to discuss that definition; I felt it was really dead on. What I'm going to move on to quickly is James, and ask James for a definition of DevSecOps, which is the amalgamation of DevOps and security, combined somehow. So James, if you wouldn't mind giving a definition of DevSecOps.

James: Yeah, no problem. So DevSecOps basically builds upon DevOps,
and I actually like the way the term is structured, where security is in the center, because what it does is imply that security now has to be baked in. So it's not just between dev and ops, but it's baked into the whole process. We've heard terms such as shift-left security, which is actually shifting left into the developers, having them build in security practices right from the get-go, and it's also shift-right security as well, making sure that we build in those feedback loops on the right-hand side so that we're feeding back that information into developers and also taking care of security through the entire life cycle. That's kind of DevSecOps.

Thomas: To be honest, I never realized the role the "Sec" in the middle plays as part of that term, right? It's in the middle; it's part of that shift left, shifting security to the left. I love that definition. Thank you, James. And so I think, yeah, I've actually...

James: Oh, I was gonna say, I've also heard the term DevOpsSec. I don't like that, because that kind of implies that it's at the end, where security usually typically is in software development firms: a lot of times people think of it as an afterthought, hey, security is something we do at the end. So I actually like it in the middle there, DevSecOps.

Thomas: Oh, I love that. I really admire that definition; I think it's wonderful. What we're doing is establishing this kind of narrative, this flow. We started with DevOps, we talked about security, we talked about DevSecOps, now we're going to get into compliance. What is compliance? I'm going to ask Shannon to define it, and then we're going to discuss what it means for CompOps: how does CompOps fit into all these other different buckets?

Shannon: Yeah, so the dictionary definition of compliance is the act or
process of doing what you've been asked or ordered to do. So for me that looks like, okay, first identifying what you've been ordered to do, whether that is through an internal decision (you guys have decided the internal road map that you want to take and an associated compliance framework with that), or maybe there's a regulatory requirement or a contractual requirement on what you've been ordered to do. And then from there it's identifying the processes and the controls that need to be put into place in order to meet that framework, and also auditing, reviewing, enforcing to make sure that those controls and processes are being followed.

Thomas: Wow, that was a great definition. Thank you, Shannon, that was really tremendous. Now it's up to me to tie all these components together. So I shared the DevSec... excuse me, the CompOps blog from 2016, and what I was hoping to do was talk about how we can get compliance, how it relates to security, have it connected to DevOps, and have the principles and practices of DevOps applied to it. To start that conversation off, I thought we should talk about the types of compliance and how we can start to enforce more DevOps and compliance into those compliance workflows and those various types of compliance. So if our original speaker Charlene wouldn't mind coming back on and posting a particular polling question.

Charlene: I got it, I'm there, man. I have already pushed out the polling question. The first polling question for the audience is: my organization is most challenged by compliance for... you can choose from SOC 1 or 2; ISO 27001, 27017, 27018; GDPR; CCPA; PCI DSS; HIPAA/HITRUST; or other, in which case please put your answer in the chat. We'll go ahead and leave the poll question open for a couple of seconds and then we'll take a look at the results. Sound good to you guys? Okay, all right, we're getting lots of results in so far, lots of
responses in. So just another quick reminder that today's conversation is, as I said before, being recorded, so you will have the opportunity to listen to the entire conversation again if you miss any of it, or, like I said, if you just want to listen to it again, you'll be able to. We will be sending out an email with a link to access it on demand after we are done today. Okay, let's go ahead; I'm going to close the poll and we'll take a look at the poll results. Okay, yeah, it looks like the majority of folks are most challenged by GDPR and CCPA, so it looks like privacy is a huge issue among a lot of organizations. And then there was a dead tie for second between SOC 1 or 2, the ISOs and PCI DSS, and then we had 13 who were stymied by HIPAA or HITRUST.

Thomas: Good stuff, very good stuff. I feel like this is probably a pretty good sample and pretty accurate for the customers that I interact with as a solution architect at Armory. The crux of that original CompOps blog was that CI/CD is the perfect place to do compliance, and when I wrote that up, I was working at CloudBees, which is a Jenkins company, so CI was really the focus of the Jenkins product. Now I'm in continuous delivery; I'm working on Armory Enterprise and Spinnaker at Armory, and I have over the years shifted my thoughts to CD, continuous delivery, being the perfect place to be doing compliance. So I just wanted to open that question up to the panel and see if anyone has any ideas or thoughts about what compliance looks like, what the gates look like in a compliance framework or a compliance continuous delivery flow. What does that look like to anyone? Does anyone have any thoughts? Just to reiterate, what I'm proposing is that continuous delivery is one of the core values or core practices of DevOps, and we can introduce these gates. So, for
example, we can gate on and make sure that the approvals are correct and accurate and have been determined and completed to release software into production. So that's an example of a gate in the compliance continuous delivery pipeline, and there's a whole host of other various compliance gates that we can continue to add to the continuous delivery pipeline. Does anyone have any particular feelings about that? Appreciated.

Shannon: Yeah, so in my past I was a SOC 2 auditor, so I'm definitely familiar with the gates that need to be in place. To Thomas's point, approvals, that's a huge one; segregation of duties really depends on those approvals, so that's big. You could also build in making sure that the infrastructure is up to date (patches, security updates, that kind of thing), and testing. So those are a couple that would be big ones that you can incorporate into that pipeline.

Thomas: Please, Andy.

Andy: Yeah, I mean, this is gonna sound a little bit like a shameless plug, but this is something that we're heavily focused on in our SaaS offerings: building an opportunity for people to build these compliance pieces into CI/CD and then also continually scan them afterwards. So taking open source tools like Trivy and inserting them as a step inside your CI/CD pipeline to block things that are deploying known vulnerabilities, which satisfies some of your compliance points for continuous scanning and vulnerability scanning. In addition to that, having the opportunity to write custom policy using a framework like OPA and inject that, so if you have specific policies around how things are deployed or what your infrastructure deployment looks like, integrating that all the way down into the CI/CD pipeline so that it gets blocked before it ever gets deployed, and we're not just checking in after the fact.

Thomas: That's marvelous, Andy. I want to loop back to OPA, but
first, I did have a conversation with James in preparation for this call, and we talked about infrastructure as code and the role of a DSL, a domain-specific language (infrastructure as code, by the way, is a DevOps concept), and what role that could play in a compliance organization or a compliance opportunity. So James, would you mind talking us through infrastructure as code and how compliance could benefit from infrastructure as code?

James: Yeah, definitely. So infrastructure as code, for those who might not know what it is, is basically defining your infrastructure using a programming language, or using some type of markup language or configuration, if you will. The beauty of it is that you can define these things and you can actually use a typical software delivery life cycle, where you can develop this configuration within an IDE, and then, because you have it in a configuration language, you can actually test against that. With infrastructure as code, you could run certain tools against it to make sure that it's actually meeting the company's policies as part of the development life cycle. So as a developer is working on this within the IDE, you can actually flag it: hey, as a policy we don't allow port 80 to be exposed externally. And so the developer, while they have that context and that frame of reference, can make that change right away. Or you can also pass this into other gates or checkpoints within the software delivery pipeline, so as you're doing CI/CD testing or other things within the delivery pipeline, you can actually check for other security violations as well within the code, because as you're integrating some of these products, basically
you can actually start stitching together some of these different components, as they might have interactions that violate or go against company policies.

Thomas: I marvel at that definition, James. I think that was really spot on, like a textbook definition that was really well done. I do want to loop back to the OPA piece that Andy mentioned. Andy, would you mind articulating what OPA is and how it relates to your product? And by the way, you're representing Fairwinds today.

Andy: Yes, hopefully you can see my jacket. OPA is an open framework for writing policy, basically. It's based on Rego, which is a language for writing policy; essentially you can write a check against any sort of structured data that you might come across. So this applies to HCL that you would find in your Terraform code, which is an infrastructure as code tool, or you can apply it to... in our world we're very focused on Kubernetes, so we're looking at Kubernetes YAML manifests that define how things are deployed. And so you can write a policy that says you can't deploy this container that is running as root, which is an insecure configuration, into your Kubernetes cluster. We can check that in CI/CD, you can also write admission controllers to prevent that from ever being deployed, or you can check and just alert on it while it's running in your environment.

Thomas: Oh, marvelous. So I just posted a link to about 20 Rego examples in case anyone is curious. These are all examples of Rego, which is the OPA language, that define various gates within Armory Enterprise, and so we can gate based on any of these various examples. And those examples were articulated by Shannon. Shannon, not to put you on the spot, but could you repeat maybe some of those particular gates that you mentioned only a couple of minutes ago? For
example, the approval, and then there were about four or five others. Do you remember them?

Shannon: Yeah, so you can have a manual judgment stage, you can enforce testing, and a double check to make sure that your infrastructure is up to date and security patches and updates are applied.

Thomas: Well, that's marvelous, thank you. I was having trouble recalling them; I put you on the spot, but thank you for nailing it, that was great work. So we have these various products that are leveraging this tool called OPA. We have Armory Enterprise and then we have Fairwinds, and what is the name of your product, Andy? I didn't catch it.

Andy: Fairwinds Insights.

Thomas: Insights, Insights. And then there are other products in the market for compliance, and they do various similar things. I'm not sure if anyone saw the announcement yesterday, but CloudBees came out with CloudBees Compliance, and then when I wrote the blog article five years ago, Chef had Chef Compliance, and I believe, I'm not 100 percent sure, but I believe the product has changed names and it's now called InSpec. Has anyone here on the panel had any experience with this compliance-specific tooling to ensure compliance for your infrastructure, for your product, to enforce these gates? I know Andy and I have our own respective experience with our products. Does anyone have any other outside experience? Does that ring a bell with anyone?

Shannon: This isn't as much focused on the dev pipeline, but there also are compliance automation tools out there that cover compliance more holistically. So there's Drata or Hyperproof, where you can plug in your SOC 2 controls and they'll monitor AWS and make sure that your SOC 2 controls are compliant. So not quite as much the development pipeline, but a little more of a holistic look at it.

Thomas: Oh, wonderful, Shannon. Thank you for that.

Andy: Sorry, we recently went
through a SOC 2 audit and we partnered with a company called Content, which has a similar style of interface; it's an entire compliance program, but some of it's automated. I'm curious to find and/or see different open source or closed source or SaaS offerings that integrate both of those approaches, the CI/CD approach and the holistic compliance piece, and tie them together, whether it's via integrations with some of those or things like that. I'm curious if anybody's encountered that.

Thomas: I'm curious about that myself. Is anyone on the panel aware of what Andy just said, if there's a holistic compliance tool that's tied into a CI/CD workflow? Does that ring a bell for anyone? No? They don't know it. This is the opportunity of a lifetime, apparently. I think you're the only one on our... sorry.

David: I think you're spot on there, Tom. I think one of the problems is that in the space there's a lot of point solutions, and they're not necessarily well integrated, so for people who are out there doing this in practice, I think it's a real challenge, and one of the reasons I liked your insight about CD being an important point to take care of this problem. The thing I love about that is, if I return to James and Shannon's thought about "I need to look to my right and look to my left": if you're sitting in the CD space, you can look to the left and assure not just the policy but hopefully some of the mechanisms as well that are implementing the policy, and if you look to the right, as your code goes into production and you're doing your operations and monitoring there, you're assuring that not only is your code functioning, but it's also functioning in a way that's securing the hardware, the software, the code, the data that you're the custodian of as you deploy that app.

James: And for me, I have not seen anything in the market that kind
of addresses that full life cycle, from end to end, and I do see that as a gap. But I do see a place where OPA can actually fit in perfectly, because what I like about it is that it actually separates the policy and the enforcement. This way you can take a generalized policy engine, and then you can take the enforcement and plug that into every stage of your software development life cycle, because, like we all know, does the policy really change whether this is happening at the developer side or whether this is happening at the ops side? Probably not, right? I mean, the policy is still the same, and so if we can have a consistent way of enforcing or actually applying that policy at each and every stage, I think it actually makes it more effective. And also, things change; that's why we also have the concept of drift. So you might actually be checking the policy at the very beginning, as a software developer is developing it or working on the product, but then you also can have changes that actually happen in the UI that are out of band, and so then we have drift. So things need to happen at every single stage, and you also have to be doing this continuously; otherwise you're gonna fall out of compliance and have serious problems with drift.

Thomas: James, I'm gonna direct this question at you. In the chat, Jesse Sanford, who I've been emailing back and forth with (hello, Jesse), asks: aren't we really talking about hardening software supply chains? I have an opinion about that; I just wanted to get what your impression is based on what you just said, because I do have an opinion about this, but I wanted to hear your thoughts first.

James: So what was the question again? Hardening, sorry?

Thomas: Are we talking about hardening software supply chains?
And so if you don't mind, I'll just start talking and then you can jump in when your thoughts formulate. So I'd argue that we're not. If my understanding of compliance is correct, compliance is rules about the software hardening, right? They're not the how-to, they're not prescriptive. Is that correct, Shannon?

Shannon: That is correct. It would depend on the compliance framework, but a lot of the time it's not as prescriptive.

Thomas: And so I would argue that with compliance, due to its lack of prescription, we're not enforcing supply chain software hardening; we're creating a shell or a concept to enforce overall general security and best practices, as opposed to "look, you have to peg your Docker container to a particular release" and the different prescriptive things. I'm sure Andy's very familiar with Kubernetes and Docker and all the different security best practices that you can do for a particular Kubernetes installation. Compliance isn't necessarily that; it's these general best practices and how to achieve that. Does anyone have any thoughts on what Jesse was asking about?

David: So I have one quick thought, and I would say that what he's described, the hardening of the software supply chain, is really important, and I'd go further: it's necessary but not sufficient to achieve compliance and the level of compliance operations that's needed for most practices. That's one small part of a very large picture, right? Maybe not small, but it is one part of a very large picture.

Thomas: Right, yeah. On that note, I'm going to post in the chat, and the formatting is a little hanky, but if you guys can read it, there are various practices of DevOps: practice one is configuration management, practice two is continuous integration, practice three is automated testing, practice four is infrastructure as code, practice five is continuous delivery, practice six is continuous
deployment, practice seven is continuous monitoring. So I'm just gonna start with practice one, configuration management, for example Git and version control being leveraged in the compliance space today. Is anyone aware? Obviously with Rego we can store our Rego programs in a Git repository, so that's an example of it. Is anyone aware of other examples of compliance and version control outside of OPA?

Shannon: I would say it's a big component of compliance. Auditors usually want to see that you are performing peer reviews; we don't want the same person who developed a piece of code being the one to push it in. Also, you can set up testing throughout, integration testing, unit testing, using GitHub. Another piece would be, for business continuity purposes, the fact that you do have the versions available.

Thomas: I think there's two... very well put. Let's check the question, right: is it part of achieving compliance, but is it also being used in the practice of achieving compliance? Does that make sense? Is it used as a tool for checking and monitoring compliance as well?

Panelist: I think it's what you were alluding to, Thomas, with talking about Rego and checking in your policies and maintaining those, but also there are systems out there like Terraform Cloud, which has the Sentinel policy that you can apply, which will also integrate with your infrastructure as code, and then Pulumi also has a policy engine that you can plug into your infrastructure as code and manage.

Thomas: Yeah, more and more. Go ahead.

Panelist: I was going to say, yeah, I'm seeing it more and more, right? Vendors are putting this in. GitHub is a great example, where you can enforce policies at GitHub, like you can do pre-commit checks to make sure that people don't have secrets that they've actually put in their source code, and you can actually
prevent it from actually being committed right at the right from the get-go um and then also you know like enforcing um um you know like let's say if your organization has a um a policy on that you know like pull requests need to be reviewed by two two independent reviewers then you can actually have that before you can merge so things like that so i'm seeing it in the the configuration management piece um them using that to enforce policy or or at the very least create guard rails i think that's a great great interesting comment you know it's the creation of guardrails and i'm going to ask a question of the team of the presenters um and i'd like to pull each of you and i'm asking this question with my tongue firmly in my cheek is so if if a compliance expert is using um as using configuration management for example git and github are they doing devops and so i'm going to start with you david david yeah i i i think they're you know that's it that's a step on the journey but it's not a complete step um so one of the things that and this is a paradox i'll throw it out there now a lot of people talk about immutable infrastructure as best practice and part of that is you know configuration the problem is there's usually an s at the end of that there's immutable info infrastructures so once you have that um like even in james's world right people have different aws baselines and images that they create that they don't change but they might have 10 of them even to run um you know three or four apps and so if if there's 10 of them are they really immutable or are we just doing some sort of version control around configuration management and the infrastructure that they're configuring so david are you saying yes are you saying no i'm saying uh no i think you had it right uh i'm hedging uh no i would say yes but again necessary but not sufficient well that's that's very good thank you thank you shannon i'm going to go to you what do you how do you feel about it so once 
again with the tongue-in-cheek is is a compliance officer using github a github a devops engineer or are they doing devops i mean um i [Music] would say yes just from my experience uh i know at armory we we do store uh our infrastructure as code in in a repo and so i would say it is uh it is the thoughts well so i i'm just gonna before i go to uh james and andy i just wanna uh this just once again defined devops right according to david's definition it's a culture of mission focus and software delivery right and so if that is the definition of devops i'm gonna now turn it over to james and get his his answer um james yes no maybe um yeah maybe um and the reason i say maybe is because i kind of uh i fall in the line where i believe the definition of devops is more along the lines of culture and philosophy and it's not a tool right um and so if that's how your company is achieving um you know your policies or you or or whatever you're trying to do and that's what you call devops then yes then yeah you know of course it is but um is it absolutely necessary to do that to achieve devops absolutely not i've actually seen companies achieve devops um in a very non-technical way right you know like um they were actually able to you know like speed up their releases of features and functionalities into you know production environments with with zero changes to technology they they weren't even using a repo you know they basically just made a cultural um understanding like hey we're just gonna go faster in a hot you know and then let the let the um processes kind of like shake themselves out i love that the concept of the importance of speed to devops that really appeals to me personally but i'm going to circle back to that i'm just going to ask andy the last question for the final polling um yes no maybe andy what do you think i'm going to agree with james 100 uh it's possible but that is that is a uh a symptom not a not a cause so i'll i'll say um i believe that uh version 
control and adequate version control especially with the the advancements of the how advanced github and git are um they are they're prerequisites for devops i think i'm going to say a strong maybe myself um i think i think it's uh i think we all kind of landed there so i'm just going to move along um practice two um according to the devops practices it's continuous integration um i'll just quickly define continuous integration for anyone who doesn't know it's when you build and test your software and um there are various continuous integration platforms out there and what would be an example i guess this is this question is directed towards you shannon um what would be an example of building and testing compliance software um would it be you know once again i keep thinking of compliance as rules infrastructure um and and how do you how do you build that those rules and then test them in a contiguous integration way does that break above is that ring true to you or are possible to you yes um i mean the first thing that comes to my mind is like a grc tool um and i that might just be coming from a more way more compliance end of it but uh grc tools kind of allow you to put your controls in and kind of track towards uh the completion of uh satisfying those controls regards to the continuous integration i'm i mean again from a compliance standpoint it kind of does track your progress as you go along but uh i'd be interested to hear from from the rest of the team from a more devops perspective any thoughts do you i love what shannon said and i i think it's a reminder to us all that the part of these um problems in compliance and compliant operations you need sort of technology assistance along the way but you're largely solving human problems in terms of being compliant with something like one of the sox standards or pci dss and and sort of where we started out in our first poll right so it's i i think technology is part of the answer but you're essentially you need 
process and people as well and so that's part of what's needed to achieve what shannon has described i think i think if we were able to do a thumbs up maybe or a no i think we were like a soft no i think from what i'm picking up from the yeah kind of a maybe it's not a hard no but i think continuous integration is much a much harder devops practice to enforce in compliance than for example uh configuration management is right configuration management is just obvious to all of us as a potential uh win for devops to be included into a compliance lifecycle i think the config the continuous integration is a little bit tougher um i think the next one is a big it's gonna be a strong yes and that's automated testing right um how can you do compliance without testing right and how can you do testing without automated testing that's really kind of my my chain of thought processes does anyone have any thoughts about automated testing and its relationship to compliance i don't know that it's always being used but i think it is definitely beneficial in the compliance realm whether it's by using one of the tools mentioned like a grc or a compliance automation tool or um even one of the the pipelines that we've referred to adding in that automated testing i mean it's just always more efficient i have to do quite a bit of manual testing in my role and the amount of time i spend on it is is ridiculous so yeah i think it's a big thumbs up big thumbs up has anyone on on this on the call have a um have a background in testing i i just don't know i don't know your background well enough knowing um because i i certainly don't um i was wondering if anyone had a particular perspective on on testing and how it applies to compliance i just wasn't it wasn't sure but if we don't have if no one has any uh background in it or our thoughts are david so i i've been um doing some consulting with a client recently and and they'd actually don't use the word testing here they use uh automated 
assurance so one of the goals of a security policy framework and uh the mechanisms to achieve it is that you need to sort of continuously assure it and so in order to do that you need to automate your assurance whatever that is so if i listen to what shannon just said about how much she has to do by hand and i'm so sorry you know if if she had automation that was giving her some assurance along the way she'd be having fewer late nights at armory i imagine yeah we'll put um if i'm reading if i'm reading the room correctly i think we're kind of a strongest yes on automated testing yeah it's a very very important practice to continue to compliance right and then uh james to put you on the spot i was hoping if you could give kind of a like a an overview of infrastructure as code again you you covered it earlier i was hoping if you could just just kind of repeat that definition and that explanation of infrastructure as code yeah basically infrastructure's code is um uh codifying your infrastructure using you know like the best practices of um uh you know it's configuration or you know like using uh even a terraform like an hcl language um to define all the resources that you're gonna do and it makes the most of sense in when we're talking about cloud um because cloud everything's kind of defined as um uh as code if you will or as software so what i find fun particularly interesting about your definition was the codification right the codification of the infrastructure the codification of the infrastructure the cloud and whether you're using hcl or whether you're using cloud formation or whatever you're doing right it's that codification of your infrastructure and so i'm going to ask the question i'm going to pull the team again is codifying your infrastructure a form of compliance is that is that good enough for it to be compliant and i'm just going to i'm just going to say i'm going to give a strong yes on that answer that question not to not to make you guys sway you 
in any way but i'm just i'm just i'm just putting that out there i think just codifying your infrastructure as a form of compliance and so david yates uh did you have a sense for that answer yes i i agree with you wholeheartedly my only ad would be you you better be testing what you're codifying right against your security practices but assuming you're doing a thorough and an automated job of assuring the security of what you're codifying yes i'm good to go yeah and just to double down on what david said um yeah i agree codifying it is one step but you do definitely have to test it otherwise there's you know what was the point in codifying it if you're not going to test it for in in terms of compliance and you alluded to it earlier as well go ahead andy yeah you alluded to it earlier james is that also you not only do you have to test it but you also have to make sure it you don't have drift um because if you don't do that then you're easily falling out of compliance so i'll triple down on what you said and add that so i think i'm going to go to shannon and then we're going to we're going to discuss go ahead shannon yeah i i would say it's important to kind of uh identify your hardening standards uh as as a piece of that and then you can totally enforce that through the infrastructures code i definitely agree that testing it is is huge also locking down the ability to then make those edits so you have a little bit more assurance that that you're staying in compliance oh great point that's a great point so so i just wanted to kind of double down and repeat so we're talking about a one-two punch but we're talking about codification and then the testing of the codification right and so that makes me really rethink uh practice number three which was automated testing right so is if you're doing automated testing of your infrastructure and your software delivery in and and um maybe that's a strong yes now maybe does anyone have any is anyone else rethinking uh number 
three the uh practice number three automated testing i think we were already a strong yes yeah we're ready for double double strong yes i'm sorry i got like a loss of my my diatribe um gonna move on to practice number four five which is very very um near and dear to my personal heart and that's continuous delivery it's what i do for a living and um you know at the beginning of the session i did go off on a kind of wax philosophical about how continuous delivery is the perfect place to do uh compliance right have the gates and have all these these places and so i'm a very strong yes um and i'm gonna change up the order just to make to keep everyone on their toes so i'm gonna start with andy andy how do you feel about continuous delivery yeah i would agree it's an excellent uh excellent place to be to be practicing you know automation of your your compliance program and really making those checks happen i in my head continuous delivery falls right alongside infrastructure's code because when you deploy software you know especially in a kubernetes world which i always come back to you know you're deploying things just like you do infrastructure you have code that defines what your deployment looks like and you're testing that and making sure it deploys correctly and then you have policy that defines how it should be deployed and so in my head they're not exactly the same but they're pretty darn close great and i'm going to move on to shannon yeah i mean similar to how we uh we talked about at the beginning of the chat i definitely think it can be used as as a tool to kind of further your compliance goals perfect well these are all strong yeses um so far so james is last james do you have a uh a contrary opinion no no i agree with everybody else that's you know the the goal of continuous delivery is to make sure that you have um an artifacts or you have something that's um deployable to production environment for um continuous deployment so um and part of that exit is 
the criteria is that you know it must be compliant so perfect well well put well put so i think i think frankly i think the next practice number six is arguably the most interesting discussion uh point about the various practices for um for anyone who doesn't know there's continuous integration there's continuous delivery and then there's continuous deployment and continuous delivery has a gate uh you know where you don't push the production unless that gate for example a manual judgment when i would say daniel judgment that's like an armory enterprise thing but when you have a manual step that requires you to judge whether or not to push the production that's really the definition of continuous delivery continuous deployment is you automatically just don't have that gate and you automatically deploy to production and so you need to have all these practices they need to be really strong you need to have infrastructure as code you need to have configuration management you need to have ci you never see continuous delivery all worked out to the point where you're just automatically pushing to production right and so i would argue that continuous deployment if you are trying to achieve it requires more devops more comp ups more compliance than than any than you can even imagine it's just it's just in order to push the production automatically you need to have the best compliance operations infrastructure and practices you can imagine right and so so i'm a a strong believer that it's not like i'm putting the horse before the cart you know you need to have all these practices before you can do can in in compliance in order to do continuous deployment i'm arguing is that i feel like i'm not being clear david yates would you mind kind of clarifying what i'm trying to articulate so i i agree with you wholeheartedly i just want to sort of try and put some shades of gray there so one of the things we talked about at the beginning of this panel was having the decisions around 
uh security and compliance and devsecops be risk driven or based on risk so i think there are times when that production pipeline you were describing from integration to delivery to deployment can just flow right through but if there are significant changes happening like let's say you're changing your code and your infrastructure at the same time you also want to be able to hit pause and perhaps do a manual judgment when the compliance risk or the production risk goes up and so i actually think you need some sort of adaptable policy there that brings a human in the loop where needed but lets things flow automatically if the risk is low thank you david does anyone else have any um particular thoughts or feelings about this topic about continuous deployment as it relates to compliance i i definitely uh agree with david i think something like that would be awesome uh and and thomas i agree with you too it you really have to have the rest of your ducks in a row in order to kind of be at a spot where uh auditors or anyone else will be comfortable with uh with continuous deployment like you you really have to have those other controls and and uh uh practices that we've talked about in place and and functioning well yeah and i and i would say like in my interactions with customers i think that that um they want to all achieve continuous deployment but then um i don't know if the industry or the um or if their comfort level um is actually there yet a lot of people do like um you know continuous delivery and then they have a checkpoint and then they do you know like um even a human reviewer or something but definitely continuous deployment is something they want to get to it's just um most people just don't have that comfort level yet yeah it's really a um what's the right expression it's really like a moon shot for most companies right it's really the goal or the dream right yeah yeah we'll put james uh andy any any thoughts nothing in particular okay okay um and then i 
think the last um last uh practice is continuous monitoring and is continuous monitoring just a synonym for compliance i'm gonna go with no tom so we just got a comment from jess again in chat uh and i i'm gonna paraphrase uh uh jess's insight that it doesn't all end with cd right like you have to be looking at what's going on in production and so if you're assuring policy i think james articulated this early the policy stays the same where you are in your dev versus your ops moves and so if you push to production you still need some mechanisms to assure that your policy is being enforced so it's not just about the software supply chain it's not just about ci cd it's also about the continuous monitoring which i think is your seventh principle right it's about assuring that what you have running in production is also secure um and then folks like shannon need to give it the thumbs up and assure compliance along the way yeah and i mean the monitoring is is super important for identifying if something has gone wrong uh after the fact um you can have like a file integrity monitoring uh also monitoring just of the configurations kind of going back to uh practice number one the configuration management like those should be reviewed continually uh if you can get that uh automated continuous monitoring then that's the that's the sweet spot oh well put but yeah and i don't want to conflate like monitoring with um you know like compliance as well right because monitoring has different goals that you're trying to achieve in it right so you may be looking for bugs or you know like downtime things like that slas that may have nothing to do with the compliance and so maybe it's just semantics but don't you don't want to necessarily conflate the two oh well play well but um any any other any other comments we're actually at at the the end um and i just want to wrap up and then we have a giveaway and we have a poll uh to left to to run um so does anyone have any other comments i'm 
just gonna wrap it up in 10 seconds okay um thank you to all of the attendees and thank you to the presenters uh truly a heartfelt uh thank you to all of you for listening to our discussion today about comp ops it's been a tremendous pleasure i'm going to turn it back over to um our friend um uh charlene who's going to who's going to uh is going to uh do the second poll and is going to um is going to do the the the gift card giveaway as well yeah so let's go ahead and take a look at that polling question before we uh close down the webinar do the giveaway and close out the webinar the second polling question is where is your organization in your compliance automation journey for software delivery you can choose from completed fifty percent automation of compliance operations is a work in progress a ten percent compliance operations is a collection of ad hoc processes uh planning for after 2021 or other go ahead and put your answer in the chat i'm going to go ahead and leave this polling question open for a little bit while i go through the final closing housekeeping items uh just a quick reminder that today's event has been recorded so if you missed any or all of the conversation or if you just want to watch it or listen to it again you'll have the opportunity we will be sending out an email after today's webinar that contains a link to access the webinar on demand and the webinar is also going to be living on the devops.com website so you can always go look for it there just go to devops.com webinars look in the on demand section and it should be right there waiting for you also for anybody who uh did put in a question during the question and answer period that was not discussed during the uh the webinar please know also that uh the fine folks on today's webinar specifically those guys over at armory are going to get a copy of the questions who came that came in uh that was not addressed during the webinar so i'm sure they'll be more than happy to follow up with 
you offline get your question answered okay uh let's go let's close out the poll let's take a look at the results and then we'll do the drawing for the uh for the amazon gift cards the question was where's your organization in your compliance automation journey for software delivery uh looks like the largest number of folks a largest percentage of 41 percent said that they are only about 10 percent that compliance operations is a collection of ad hoc processes uh the second largest number was 24 who said they're planning for after 2021 so why put off today which you can do tomorrow right um so uh 18 percent said they they're actually completed and then a uh similarly another 18 said that they were at 50 so i i guess that's that's pretty indicative of what we're seeing in the market in general all right guys uh real quick before we do close things down let's go ahead and do the drawing for the four 25 amazon gift cards our first winner today is ruby oh congratulations ruby our second winner today is brian m congratulations brian our third winner today is yuri um congratulations yuri and finally our our fourth winner today is antoine oh congratulations to antoine we'll be following up with all four of you uh by email to get your amazon gift card over to you so please check your inbox and if you don't see anything there please check your spam folder uh shannon andy uh dr david yates thomas and dr james bland thank you all for a great great conversation today lots of lots of great takeaways really do appreciate your sharing your expertise and your thoughts on compliance i also want to thank the audience for joining me today for now this is charlene o'hanlon and i am signing off have a great day everybody and please whatever you do stay safe
Info
Channel: DevOpsTV
Views: 48
Rating: 0 out of 5
Keywords: devops.com, devops, devsecops, continuous delivery, microservices, containers, devopstv, compliance, regulations, compops
Id: CC2t7lp7DjI
Length: 58min 55sec (3535 seconds)
Published: Thu Sep 30 2021