London Community Summit 2016 - Adopting Chef Compliance
•Download as PPTX, PDF•
1 like•241 views
The document discusses adopting Chef Compliance to automate compliance checks across devices and applications. It recommends defining compliance requirements upfront using sources like the service catalog, device matrix, and lessons learned from past events. This approach allows for faster deployment of compliance, reduces rework, and catches critical issues earlier. Automating compliance checks through Chef Compliance saves significant time over manual checks as an organization scales, reducing unplanned work and risk.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to London Community Summit 2016 - Adopting Chef Compliance
Similar to London Community Summit 2016 - Adopting Chef Compliance (20)
More from Chef
More from Chef (15)
Recently uploaded
Recently uploaded (20)
London Community Summit 2016 - Adopting Chef Compliance
- 1. LEGACY IS NOT A REASON TO STAND STILL.
- 2. OUR APPROACH WITH ADOPTING CHEF COMPLIANCE
- 6. OUT OF THE BOX Center for Internet Security [CIS]
- 7. BUILDING ON SOLID FOUNDATIONS regulatory FSA PCI Best Practice Lessons Learned
- 8. DEPLOY COMPLIANCE FIRST Speed Faster to deploy Accuracy Reducing rework Risk Reducing unplanned work A quicker ROI back to the business through By defining your compliance requirements first you gain insight into what is important to you
- 9. SO WE WENT FOR IT....
- 10. We need to write a compliance profile for all the devices we have in production. If a customer has suffered a service outage then we should write a control to know where else we are exposed.
- 11. INSPIRATION FOR WHERE TO LOOK Service Catalog [targets] • Device Matrix • Application List Best Practices [compliance] • Build Standards • Setup Guides Lessons Learned [compliance] • Previous Events • Front Line Go Broad and Shallow Don’t boil the ocean :)
- 12. TIME SAVING Manual 15 min 100 devices Automated 1 min 100 devices 100 Minutes 3.125 Man-days
- 13. 100 Critical Issues Found across 1000 devices REDUCING UNPLANNED WORK 1 Critical Compliance failure = 8 Hours of unplanned work 100 MD worth of unplanned work. All these grow as you scale out, delivering real benefit.
- 14. Blank Example 2
- 16. Adoption with Ops is key
- 17. DRIVING ADOPTION Get their Buy In what one thing? Integrate
- 18. OUR SINGLE BIGGEST CHALLENGE Reporting don’t underestimate its importance find the right medium that works for your customers
- 19. • Baseline compliance • Offering insight Out of the box • Best Practice • Lessons Learned Extendable • Reduce rework • Reduce risk Fast ROI IN CLOSING
- 20. Remember to take people with you Broad and shallow One idea sprints IN CLOSING You’ll launch the product and have people use it
- 22. Blank Example 1
Editor's Notes
- Who are you…… What do you do….. Who do you work for …. What do they do….. Last year….
- Was my first community summit. I was just a face in the crowd, in fact if you had told me last year that I would be standing in front of you, I probably wouldn’t have believed you :) I came to find out about a product but what I found was much more than that I left the summit feeling very much welcomed into something bigger, my hope for anyone leaving there first today feels the same way The Highlight for me for me was the announcement ….
- … for me this is a Lightblub moment With Inspec we instantly saw the Potential value to the business and our customers
- Out of the box we got access to a Swiss army knife of features, Key Part was alignment to CIS And having the ability to scan to that standard, We had tools that did a similar thing but they where proprietary and typically different across multiple platforms, so having a consolidated view was key Regulatory compliance is Important, we need them in the markets that we operate in. But Speaking to our clients, looking at our own experience, we saw that compliance can be more than that
- Build on foundation of regulatory compliance Build compliance around the things that fall outside those standards Build standards Lessons learned These excited us far more and for that reason
- So the idea was that our first step with chef was to deploy chef compliance first We saw a quicker ROI back to the business through (Speed to test compliance) - Faster to deploy (being agentless) And Go after two key areas Reducing rework & unplanned work Side benefit Functional requirements… By defining your compliance requirements first you gain insight into what is important to you and acts as a blueprint for your automation goals later
- Split between targets and compliance checks Device Matrix – Firewalls, Routers. Hypervisors SAN, Backup Infrastructure. Application list – Think about each item in your management stack Internal build standers (internal security guideline) Setup Guides – Hand offs between teams Phase gate process were someone has to manually has to check something is ready? Past outages, interview with the frontline, attending a war-room, on call staff, service desk all examples of where you can get the checks from.
- Time Saving = Manual check over automation High velocity clients, 100s of RFCs day. Manage Service providers
- We redefined what a critical failure (in chef compliance) means to us Try and Understand what it means from a level of unplanned work. So 8hours was our estimate of what makes up a serv 1 outage. Your breakdown might be more or less, maybe we undercooked when you consider handoffs etc. All these grow as you scale out, delivering real benefit. So you’ve created some measures but you now have to choose to a path to proceed.
- choose the wrong way and you run the risk of being one of the most hated people in your company…
- The Logic here is You choose and then identified a number of failures, great but the execs are now getting nervous that they are sitting on potential outages, and Ops hate you as you are giving them more to do How do you solve it?
- Don’t sit in an ivory tower Like a good chess player thinking x moves ahead, before you begin to sit down and write the first control consider, who benefits from it, who is going to receive, who is going to correct it. Adoption with Ops is key and you that …. By driving adoption
- So you start where you are going to get buy in Ask the question (What one thing.) Get them to choose what they are about to and have to fix, they will chose the highest impact thing as it was their support it through to resolution One Idea Sprints* To support this create a mechanism to pass the information to operational team that is Integrated into their working processes, don’t create a new way of working it will get sidelined Once you have one in the bank, building that culture has begun -
- Importance of reporting Our biggest challenges and criticisms about the product Challenges, around multi tenant reporting, mobile device support. Integration into our existing portal So to over come that we took the data from the compliance and imported it to PowerBi The examples on the docs website can help you achieve the same, they are well written and the examples are clear, even for a windows admin like me.
- Baseline compliance, Extendable, this is where we took it, You may have other ideas, if so please share them Lessons learned – Giving back to ops and reducing your technical debt
- One idea sprints – Ask the question, Release and iterate Go Broad and shallow Remember to take people with you – Work with them don’t just write a compliance report leave it on the doorstep of ops, ring the door bell and run away :)
- Thank you, I hope this was of some help. Feel free to contact me if you have any questions