How to Release Faster While Remaining Secure and Compliant
Sep 16, 2019
Many enterprises can't afford to "Move Fast and Break Things." Security and compliance are major concerns, however, they shouldn't stifle a DevOps transformation.
- Dave McJannet, CEO, HashiCorp
A common question we get is around the topic of compliance. We get the question from large banks or large healthcare companies, or companies that are accustomed to being regulated industries. Their auditors require that they know where everything is at all points in time. They also are required to know the security posture of everything that they're running at any point in time.
Now, the paradox of that is, in this ephemeral way that people run infrastructure today, it's very difficult to know what I have running all the time. It's very difficult to be able to say, "This is what is running," because 10 seconds later it'll be something else. Very different from the old world that we're all accustomed to.
This is not any more profoundly obvious than in the security world where there’s a whole ecosystem of companies that are trying to build cloud security monitoring products to say, "Hey, let me give you a real-time view of the security posture of everything in your account. Therefore, this one is flagged as red. This one's good, this one's bad. Now go and correct the things that you have out there."
It's very much after the fact. I think the self-service notion of people provisioning infrastructure is that it has created a problem where now I can provision things that may or may not be compliant. Our view is the opposite, which is, “let's start with compliance as the principle.
Let me codify how things get deployed, how they get their secrets, how traffic is routed to them in the form of Terraform templates, Vault policies, and Consul policies so that nothing ever gets deployed that isn't compliant. Nothing ever gets deployed without us knowing where it is”.
It's this conceptual shift from after-the-fact remediation—which is I think what many people have gotten into by virtue of not stepping back and creating that central foundation—how do we go from this after-the-fact remediation to this before-the-fact compliance? Because the world we're all trying to get to is, "I want my teams to be able to deploy the application 50 times a day if that's what's required. I want to make sure and be comfortable that all 50 of those times that application is compliant and the infrastructure that relies upon it is compliant.”
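The before-the-fact gate described in the talk, as an added example that is not HashiCorp's code: a small policy-as-code check that runs against a Terraform plan before apply, so a non-compliant resource is rejected instead of being flagged by a monitoring product after it already exists. The plan JSON is a constructed stand-in for the shape of `terraform show -json`, and the rules (required tags, private bucket ACLs, no admin ports open to 0.0.0.0/0) are assumed policies, not ones from the page.

```python
import json

# Constructed stand-in for `terraform show -json tfplan` (shape only, not real output).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {
         "acl": "private", "tags": {"owner": "sre", "data-class": "internal"}}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {
         "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}],
         "tags": {"owner": "web"}}}},
    {"address": "aws_instance.old", "type": "aws_instance",
     "change": {"actions": ["delete"], "after": None}},
]})

# Assumed policies: auditors must be able to find an owner and data class for anything that exists.
REQUIRED_TAGS = ("owner", "data-class")
ADMIN_PORTS = {22, 3389}


def check_resource(address, rtype, after):
    """Apply every policy to one planned resource; return its violations as strings."""
    found = []
    tags = after.get("tags") or {}
    for tag in REQUIRED_TAGS:
        if tag not in tags:
            found.append(f"{address}: missing required tag '{tag}'")
    if rtype == "aws_s3_bucket" and after.get("acl", "private") != "private":
        found.append(f"{address}: bucket ACL must be private, got '{after['acl']}'")
    if rtype == "aws_security_group":
        for rule in after.get("ingress") or []:
            exposed = "0.0.0.0/0" in rule.get("cidr_blocks", [])
            if exposed and any(rule["from_port"] <= p <= rule["to_port"] for p in ADMIN_PORTS):
                found.append(f"{address}: admin port open to the internet "
                             f"({rule['from_port']}-{rule['to_port']} from 0.0.0.0/0)")
    return found


def evaluate_plan(plan_json):
    """Return all violations in a plan; an empty list means the plan may be applied."""
    violations = []
    for rc in json.loads(plan_json)["resource_changes"]:
        if not {"create", "update"} & set(rc["change"]["actions"]):
            continue  # deletes, reads and no-ops put nothing new into the environment
        violations += check_resource(rc["address"], rc["type"], rc["change"]["after"] or {})
    return violations


if __name__ == "__main__":
    problems = evaluate_plan(SAMPLE_PLAN)
    print("\n".join(problems) or "plan is compliant")
    raise SystemExit(1 if problems else 0)  # a non-zero exit blocks the apply stage
```

Run between `terraform plan` and `terraform apply` in the pipeline; the security group is rejected here for both a missing tag and an SSH port open to the world, while the compliant bucket and the deletion pass through.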