Companies struggle with all types of compliance issues. Failure to comply with government regulations, such as Dodd-Frank, EPA or HIPAA, is a significant business risk for many companies. Internally mandated compliance also represents problems as well. Security and cost control policies are just as vital as other forms of regulation since they protect the company from reputational, financial, the operational risks.
IT Helps to Manage Compliance Risks in Two Ways
- First, by deploying systems that detect and assist the company in complying with risk. For example, an analytics system designed to discover Dodd-Frank violations in a bank is a way for IT to help remove some regulatory risk.
- The second way is to design systems that are compliant with internal and external regulations. That may mean configuring networks such that they address common security holes or data storage so that privacy is maintained. Systems must be configured to meet the needs of regulations and policies.
The Limits of Design-Based System Audits
Systems in place can be audited using a variety of tools that match the system state to policies and detect areas out of compliance. The problem with this approach is that it is post-hoc. Finding compliance issues in production is good but finding them before they are in production is better. Pre-production audits often rely on design documentation. This is a limited method because last-minute changes or mistakes with configuration can lead to the final state diverging from production.
Infrastructure as Code for Proactive Compliance Audits
This is where Infrastructure as Code (IaC) can be helpful. Central to IaC is the idea that a plaintext script – the code part – describes the desired state of the system. The automation server then configures the system to the state indicated in the script. IaC systems may provision and configure both hardware and software components.
IaC presents an advantage when auditing for compliance. The script is the documentation and what is in the script will become the final system state. This makes it easy for compliance and security professionals to understand the system state before it is created. They can then analyze these scripts for potential violations of policy and prevent them from becoming part of the production system. Using IaC allows companies to more easily move from reactive compliance to proactive compliance. Non-compliance can be detected early and corrected before entering the production state. In rapidly changing environments, this is a safer and quicker approach than detecting problems after the fact and correcting them while in production.
Dealing with regulatory, security, and operational compliance at scale is much becoming more difficult as policies proliferate and systems become more complex. IaC is a tool to deal with systems and their compliance issues in these environments.
Note: Representative vendors for providing Infrastructure as Code include Amazon, Canonical, Chef, HashiCorp, IBM, Microsoft, Puppet, Red Hat, and SaltStack