If you could do one thing to minimize risk and maximize financial gains, it would be compliance-as-code.

Highly-regulated industries must not only be compliant with many regulations, but be able to demonstrate compliance.

  • Do you know the status and configuration of every single machine in your estate, right now?
  • Can you easily scale how you gather and embed compliance requirements into your SDLC across your entire organization?
  • Does your security team know what your development team does?
  • Does your development team know what your security team does?

These questions are difficult to answer and they have serious real-world implications.

What are the implications of poor compliance?

Lower revenues and higher risk!

For example, if you can’t provision a server or go to production because a compliance issue has suddenly arisen at the last minute, you are losing money. By streamlining the compliance process, innovation and time-to-market are accelerated, and revenue is likely to increase.

Similarly, the modern security risk to large enterprises is so high that you could lose an eye-watering percentage of your market capitalization. Accordingly, in this era of cyber insecurity, one of the best ways of making money is not losing money. Thus, simply by not being Equifax, companies can make more money than the competition.

What Is Compliance as Code?

Compliance-as-code means defining your compliance requirements in a human- and machine-readable language. Configurations can then be automatically deployed, tested, monitored and reported on across your entire IT estate.

You can do one Inspec test across 100,000 servers and learn more about your compliance and risk posture in a single day than your security team learned in the last ten years.

Let’s get nice and specific about what compliance-as-code actually can bring to your organization. 

1) Know exactly what’s going on across your IT estate at all times and report this immediately

Using compliance as code you can know exactly what is deployed and with what configuration at any point in time. You also know what deviations any machines exhibit compared to standards and policies. The ‘acceptance criteria’ for any build can be built into your pipeline and recorded in your corporate log. 

The above points mean that you know your risk exposure at any time. 

You also have a historical record of everything that has happened across the delivery lifecycle and can use this to provide anything that regulators could ask for.

2) Help both risk and development teams do their jobs better and faster

Once security teams have done the (admittedly tough!) work of translating their enormous compliance binders into scripts and templates, they can scale properly across the organization because their concerns are baked into policies. 

Once development teams are given the freedom to easily consume compliance rules that exist in a language they can use (code), they can deploy more quickly and without unnecessarily bothering the security guys, who are free to press on with more difficult challenges.  

3) Demystify how to go to production

Compliance-as-code helps enterprises to articulate what it means to go to production. 

When everyone knows what ‘done’ looks like and what the state of the delivery pipeline, the path to production has been cleared. There are zero surprises awaiting the development team and, if they’ve done their job properly, it’ll get through. 

Why Compliance-as-Code Is the Single Most Transformative Step You Can Take Towards Enterprise DevOps

In this white paper, we’ll look at how compliance-as-code can help you to translate siloed compliance knowledge into simple code that can be scaled effectively across your company.

Download the White Paper

4) Make change a non-event

Once production has been demystified, making changes suddenly becomes a non-event. 

You spec out the requirements, write the code and deploy it safely.

Say there was a zero-day vulnerability that required a change in policy or standards. Devs can update the Ansible or Chef script and now identify vulnerable machines. You can subsequently push fixes through the pipeline a lot faster because security standards are integrated into business requirements.

5) Help subject matter experts (SMEs) to add 10x more value

Security experts are thin on the ground. 

Your security experts should not be wasting their time patching machines. They should be concentrating on really difficult, scary questions that require real expertise and can’t be solved by writing automated scripts. 

Automate the low-hanging fruit and you turn your security team from a disciplinary function into an auditing function. Security-as-a-service, almost! 

6) Scale the biggest bottleneck to security: making standards easy to consume

It doesn’t matter how fast you code if no one knows the proper security process.

Compliance-as-code takes the tightest delivery bottleneck (reading the 40 page compliance pdf) and makes it instantly scalable by translating it into automated scripts.

All of the above translate into concrete business objectives:

  • Reduce the cost of managing, auditing and ensuring compliance
  • Generate data for audits much more easily and quickly 
  • Accelerate time-to-market
  • Stay safe at speed and scale 


DevOps Insights Directly to Your Inbox!

Join thousands of your peers and subscribe to our best content, news, services and events.

Cliff Almond

Principal Consultant

Cliff is a versatile and highly motivated software delivery consultant specialising in DevSecOps methodologies and tooling in the enterprise financial services space.