No doubt about it, keeping IT systems in compliance can be scary. It doesn’t matter if you’re trying to keep systems in regulatory, security, or even site compliance. The challenge of maintaining compliance is being able pull systems into compliance if they drift. So, how do you automate compliance?.
What is DevOps compliance?
Ultimately, It just means that you follow your own rules. Perhaps you have an obligation to follow regulatory or security compliance rules, .Perhaps your organization has set rules for your sites because they represent good practice. Regardless of the reason, the goal of compliance is to follow the rules that you’ve set.
Maintaining compliance can be broken down into three basic phases:
- Take actions that comply with the rules.
Surprisingly, it’s very hard to do because you have to have a system that can understand the rules, follow the rules and then encode them into standard operating practice. And we’re not talking about people following the rules, we’re talking about automation and systems that follow the rules.
- Report that you follow the rules.
A big part of compliance is the ability to show that you’ve done the work. Just following the rules is not enough to be compliant. There must also be accountability. You need to be able to prove that the rules were enforced, when they were enforced, who enforced them, what was done, and, importantly, if they couldn’t be followed.
- Repeat steps one and two
A big part of keeping in compliance is automating steps one and two so it’s effortless to repeat the process. It’s also critical that repeating the process is non-destructive so that you check a system without risk to reassert compliance. That encourages frequent re-validation.
It’s not that easy to automate compliance
There are times when following these three steps to maintain compliance can be very difficult. For example, in RackN customer scenarios, we have to assert that the BIOS configuration and the security posture of the systems have remained intact. To do that, we need to reboot the running system into a discovery state, confirm that the systems haven’t changed, or update them if they require patches.
Automate compliance – what’s the secret?
The secret to automating compliance is to always treat the compliance scan as a possible place to update and change the system.
If you need compliance (and everyone does),do not decouple validating compliance from enforcing compliance! A monitoring system that only tells you that you’re out of compliance is only helpful from a checkbox reporting perspective. This type of system doesn’t accomplish the first goal of compliance: take actions that comply with the compliance rules. .
When RackN enables compliance automation for customers, we automate both set and check phases as default workflows. That means the standard operating processes check, report and enforce compliance every time they are used. That way customers know compliance is part of every infrastructure workflow for every system.
When you make compliance part of the standard process, the effort of compliance drops to nearly zero. This means if a compliance issue is raised, its al “pull the Andan Cord” type of event. If you automate compliance, your operations teams are freed up to deal compliance events as true escalations that need immediate attention.
Check out the free RackN trial to test out building your own automated compliance system.
Suggested Reading: Gartner’s 3 Steps to Ensure Compliance and Audit Success With DevOps (March 2021, Subscription Required)