Chef has, ever since the cloud was invented, focused on automating infrastructure. Back in the early days of cloud that was a fairly simple thing to achieve: just set your standard server specification and watch as your virtual servers were spun up to that spec. Chef was a pivotal player in the DevOps movement, the idea that infrastructure shouldn’t be a barrier to organizational agility and that by bringing the development and the operations teams closer together, magic can happen.
Fast forward to today and Chef is still doing essentially the same stuff, but in a world which is hugely more complex. The rise of containers, the various container orchestration platforms and newer innovations such as serverless computing has resulted in “automation” meaning something different to what it did back in the day. Chef now calls itself an innovator in cloud-native operations and is trying to parlay its early success in the virtual server world, into continued success now.
It’s eponymously named product handles the infrastructure management, while Habitat is the toolset for cloud-native operations. Finally, Chef has InSpec, a compliance product that aims to resolve the issues around greater agility resulting in more risk.
The company is announcing the latest version of InSpec and talking up the multi-cloud and third-party integrations that are included. Chef is pitching InSpec as the first link in a continuous chain of “detect, correct, automate” tools for cloud migration and automation. InSpec’s raison d’etre is to help organizations maintain an up-to-date view of compliance status in production, detect security issues before they reach production and reduce risk.
In practice, InSpec is an open-source language for describing security and compliance rules that can be shared between software engineers, operations, and security engineers, the result being that compliance can happen across the various stages of software creation and operation.
New Capabilities for InSpec 2.0
- Cloud configuration compliance: InSpec 2.0 gives users the ability to write compliance rules against any element of their cloud configurations, including AWS and Microsoft Azure, with user-defined custom compliance policies.
- Improved user experience: InSpec 2.0 contains more than 30 new resources, allowing users to write compliance rules for many common applications and configuration files without any programming knowledge required. These include Docker, IIS, security keys (RSA/DSA/x509), NGINX configuration packages (both system as well as Perl/R/etc.), PostgreSQL database configurations, XML config files, XPath matching, ZFS storage pool configs, and many more.
- New integrations: InSpec results can now be exported as JUnit format for integration into continuous delivery tools such as Jenkins, and can pull compliance profiles from Chef Automate. Previously-announced integration with Amazon Systems Manager (SSM) provides a frictionless on-ramp to InSpec in the cloud.
- Improved performance: InSpec 2.0 runs 90 percent faster than InSpec 1.0 on Windows and 30 percent faster on Linux.
But why?
It’s not just for the sake of ticking boxes. The breadth and variety of government regulations are increasing in number, complexity, and impact. Examples such as PCI in retail, HIPAA in healthcare, GDPR for personal data in EU, are examples of an increasingly regulated environment. And the costs of getting it wrong are high – PCI-related fines range from $5,000 to $100,000 per-incident, per-month; fines of up to $1.5 million can be applied for HIPAA violations and GDPR-related fines can rise as high as 20 million EUR, or four percent of a company’s annual revenues, whichever is higher.
MyPOV
Delivering compliance as an integral part of the DevOps process is smart as it avoids the generally siloed nature of tools such as this. So InSpec, as it stands, is a no-brainer. My questions for Chef relate to its position in the cloud-native world and its ability (or otherwise) to strongly move from a server-centric view of the world to an outcome one. Chef is making good progress on this journey, but it’s no slam dunk. It will be interesting to look back in a few years and see how this space is doing.
