– Former US Deputy Attorney General Paul McNutty.
Introduction
Continuous DevOps practices encompasses an end-to-end uninterrupted collaborative environment where not only do developers and operations work together but it also includes every business stakeholder. The emphasis is to “co-create” products and services that are deployed within the fastest time to market in the lowest possible cost.
This provides increased business performance overall but CIOs cannot speed up their deployment of products and services in an unruly non-compliant environment as the consequence of compliance failures a dire, with fines, deterioration in customer confidence or brand damage to name a few.
Within the evolving DevOps world, adherence to compliance, whether they be industry independent regulations such as ISO27001 or SOX; or industry specific regulations such as HIPPA or PCI-DSS; or simply compliance best practices has become a very complex endeavour. This is due to the ever increasing pressure of mobile and agile working demanding anytime, anywhere access to the widest range of apps and devices. Furthermore, the added use of cloud services, whether private, public or hybrid are promoting further innovation and agility which further complicates the environment. Also note the increase of cyberattacks in this agile world further threatens businesses everywhere.
CIOs are therefore under great pressure to deliver effective IT Services and Products that deliver improved business outcomes. Protection of IT Services and Products is a fundamental priority for the CIO.
Assimilating the basic DevOps Continuous principle into Compliance will ensure that IT outputs and outcomes are compliant, whist retaining the core benefits of DevOps. Continuous compliance is about achieving compliance on an ongoing basis. It is about developing a culture and strategy in an organisation that continually reviews its compliance position to ensure they are meeting its industry and regulatory demands whilst maintaining secure systems, and this needs to be done within both top-down and bottom-up environment.
Continuous compliance cannot be achieve simply by getting developers and auditors to work closely together, it is all about Culture just like DevOps is overall. It needs people, processes, tools and behaviours to come together in order to achieve a steady state of continuous compliance. As you can imagine this is not easy, especially in organisations where regulations are subject to interpretation, which is why continuous compliance needs a step-change to how compliance is managed across the organisation.
Continuous compliance involves an organisation-wide strategy and focus in order to be delivered effectively.
These Strategies will help the CIO meet these challenges
1. Define Security and Compliance Goals.
The first step of course is to understand your security and compliance objectives both immediately and in the future. A security and compliance strategy needs clear decision making, management and accountability of the continuous end-to-end organisation. Therefore, use the Continuous culture to involve all stakeholders, in particular Security experts and auditors to define a structured well-thought out security and compliance plan and stick to it.
2. Identify, classify and document.
Most DevOps environments have inherently within them a variety of automated tools that collects, records, organises and even some analyse how the systems functions and are being used. So understanding the amount of data that these automated tools hold, manage and produce is of critical importance so that the right data is reported to whatever compliance regulation needs to be reported to. However, this is not the only requirement in compliance. It is essential that “all” the rules affecting the DevOps teams end-to-end process are understood and documented. Make sure that all the stakeholders are aware of what your organisation needs to comply with and how you go about doing so. For instance when adhering to Sarbanes-Oxley a key principle is its SoD – Separation of duties which provides protection from fraud and errors. Within the continuous world we cannot ignore this principle.
3. Understand Automation Usage
Within any development environment, DevOps is no different, most developers understand what is important and why and will therefore try to automate those tedious and mundane activities. You normally start by looking at repetitive tasks such as approving requests by multiple approvers, CI/CD thresh-holds, audit-trails that automatically log build, test, and deploy results, etc. The key is to capitalise on those automation tools (ie tools for reporting, data-collection, backups, license tracking etc) that implicitly provide compliance without getting in the way.
4. Document DevOps Stack
The DevOps tools market is still evolving with a myriad of tools available to do the same thing within this continuous collaborative environment. Irrespective of which actual tools you use how fast your environment adopts it is a function of personal preference and your own DevOps Evangelistic prowess. However, such evangelism sometimes leads to tools that are not needed or only used once, a proliferation of tools to do the same thing, and generally tools competing with each other for control. The tools that you use must fit into your environment, needs and integrated into the whole by defining, agreeing and aligning them to your compliance requirements. Have a real reason for the tools, then use that reason to document the need and how it adheres to your compliance requirements.
5. Align DevOps to Security Policies
Within the continuous DevOps environment security is integrated by default. Some prefer to define this as DevSecOps to ensure that the “security” is not forgotten. It is a mind-set cultural problem that dictates the need to ensure that every stakeholders owns part of the security need. Security experts must work collaborative with development and operations providing them with understanding of the relevant policies and how to adhere to them. Security experts must also align their practices to align to the continuous environment providing agility and support without post-mortems that seek to blame culprits of failures but work together with DevOps to identify issues early and fix before they become an issue.
6. Continually Review
Continuous review strategy is part of the DevOps continuous improvement process - an on-going process to improve the final outcome or deliverable. These review items can be incremental over time or addressing an official audit. For instance, best practices shows that within the continuous review environment of DevOps you can have – daily checkpoint reviews ( open quick discussions that address the problems of the day), or weekly discussions ( providing an overview of a specific activity – addressing what is working well, how issues can be fixed and what lessons can be learned), or even more formally monthly meetings (these sessions sets out the overall direction and understanding of the final outcome)
The outcome of these review processes is the constant evaluation and change, so that further improvements can be developed and applied continuously.
Overall it is a journey, not a specific end game. Continuous Compliance is synonymous with DevOps as it works concurrently with the DevOps Culture, its principles and outcomes. DevOps does not negate the need for good governance and standards and consequently there will always be a need to use good standards such as ITIL, ITSM, etc.
For CIOs, this is essential in facilitating them with the right level of safeguards whether with or without DevOps. The added scenario within DevOps is the use of good effective automation tools that complement compliance. Hence, the value of DevOps is quality with speed through automation and security via automated testing.
For more information on the development of strategic roadmaps for DevOps within the enterprise engage in:
- HPE Transformation Workshops or
- DevOps Transformation Experience Workshop through our Strategic Customer Engagement Centres or our
- DevOps Workshops, include DevOps Awareness
– Winston Churchil
Gets started with DevOps and your transformation today by visiting our HPE Pointnext Website.
Featured blogs:
Mario Devargas
WW Strategic Transformation
Hewlett Packard Enterprise
twitter.com/MarioDevargas2
linkedin.com/in/mario-devargas
MarioDevargas
CIO Advisor, World Wide Strategic Transformation, Governance & Operations CoE -- Mario is sixty+ year-old Spaniard with English undertones – living in Preston, North West England. He has worked in the Information Technology field for over 35 years, most recently in the Public Sector as IT Director for a Northern UK Metropolitan Council and as CIO for the second largest Police Force in the UK. As a Senior Executive he majors on advising organisations on Corporate IS Strategy, Enterprise Agile, DevOps, Collaborative Shared IS services and building and leading high-performing IS teams.
