Today in IT, the need to maintain security and governance is often at odds with the imperative to move quickly. At this year’s ChefConf, compliance and security were topics of much discussion among presenters and attendees alike. Enterprise IT teams are adopting a new way to deliver experiences for customers safely and quickly: by expressing compliance and security as code. This brings regulatory protocols into the build process earlier, allowing teams to deliver infrastructure and applications at velocity.
We caught up with Michael Hedgpeth, Senior Software Architect at NCR Corporation, to get his thoughts on how to marry these seemingly conflicting priorities.
“The reality is, there needs to be a partnership [between security and dev teams], and the only way that they’re going to be able to audit at scale and velocity is if they automate that audit. Our security people have really gotten that and are getting behind InSpec,” said Hedgpeth. “But that does fundamentally change their organization from that of spreadsheets and manual checking or scanning with software to coding, checking things in, and being a part of the development pipeline just like everybody else is.”
There are few organizations that understand this need to bring compliance into the pipeline better than SAP NS2, which specializes in providing the SAP portfolio to federal organizations. Cheerag Patel, DevOps Manager at SAP NS2, says his organization meets this need by looking at the workflow holistically and incorporating compliance into the process from day one. Approaching compliance as an endpoint can cause trouble because if you build environments and then add compliance, those environments will often break because they weren’t designed with security in mind. Instead, Patel recommends implementing security controls at the outset of the workflow.