The guest blog post below is written by Rezilion, one of our ChefConf Online Sponsors.
Legacy approaches to software compliance and security often involve preventive controls that are time-consuming and require manual processes and workflows. Things like access policies, procedures, standards, and network firewalls are cumbersome and restrictive, they were designed for less flexible development methodologies and relied on long time cycles, which are incompatible with DevOps.
Together, Chef and Rezilion have partnered to apply the same core principles of DevOps that enable delivery of rapid consistent changes across environments to compliance and security. This includes collaboration, automation, continuous testing, and continuous improvement. We believe cloud workload protection and compliance automation is the right way to integrate security and compliance into the developers’ world (rather than the other way around) by removing manual execution steps, minimizes the potential for human error, and enhances consistency, traceability and auditability. As a result, the variability between immutability and security is greatly reduced — providing developers and security practitioners with a mechanism that ensures services and apps are running in a healthy and compliant state.
Desired State Enforcement
If you’re reading this, it’s probably safe to assume you know that Chef InSpec is the ideal framework for testing and auditing your applications and infrastructure. As a cloud security posture management solution, InSpec sets the compliance and security baselines for your organization — the broad standard of what your services and applications should be doing and how they should be behaving. InSpec makes sure your organization factors your security and compliance policies into each stage of development.
Rezilion is a cloud workload protection platform that analyzes your CI/CD pipeline and turns code into a security policy, establishing an automatic governance that enforces developer intent, or desired state. We do this without heuristics or machine learning, by the way, because those methodologies can’t keep up with the rate of change and pace of scale in modern DevOps environments; baselines are a thing of the past. What we’ve done is take advantage of the declarative nature of modern development languages and modern frameworks and modern architectures, we analyze the CI/CD pipeline and take all of that declarative intent — we call it desired state — and use that to build a notarized superset of permissions. We automatically generate a profile of what should be running because we fundamentally know how the developers architected these services. Rezilion takes this declarative intent and uses that to then populate a policy that we enforce at runtime using your existing immutability mechanisms (i.e. health checks).
Continuous Adaptive Risk and Trust Assessment
With Chef and Rezilion, you can ensure that your production environment matches what should be running according to spec. Chef continuously ensures compliance, Rezilion continuously ensures runtime protection. And even if you’ve got a vulnerability in your runtime environment, were someone to take advantage of it and try to orchestrate a breach or elevate their privilege, Chef Compliance with Rezilion will treat it as a failed healthcheck and, with the help of Chef Infra, the infrastructure itself will heal the application and will enforce the developers’ intent and bring the app or service back to a healthy state. We’ve recently done a webinar with Gartner that covers this in more detail.
The coolest aspect of all this is that it’s turnkey. No manual tuning or administrative tinkering other than deciding what to do when a service is compromised. It doesn’t take much to add Rezilion to Chef Compliance and see it at work in your environment. Check out a demo and let us know what you think.