Protecting Your Customers' Personal Data With Infrastructure Code

Ryan Shriver discusses how to stay compliant and protect your customers’ data, using infrastructure as code and modern tools like Chef and AWS.

by Ryan Shriver

Recently, Dave Tashner and I attended an event in Washington, D.C. hosted by one of our DevOps partners, Chef. Titled DevOps Transformation & Compliance, the session focused on assembling a community of progressive leaders who view compliance and auditing through a new lens: DevOps. Using infrastructure code, along with modern tools like Chef and AWS, is enabling organizations to verify their compliance every minute of every day in a transparent way.

Organizational Challenges

In the spectrum of negative customer experiences, a slow web site or poor service call is one thing. Having all of your customers’ personal information made available to hackers due to negligence is entirely another. As you may suspect, making the connection between compliance and customer experience is not hard. Even so, modern organizations often struggle with it.

According to a NY Times article from June, “Half of American adults had their personal information exposed to hackers last year alone.” The article lists 25 high-profile organizations that have experienced recent data breaches resulting in exposure of their customers’ personal information. It goes without saying this is one list your organization does not want to be on.

The challenge today is that while many industry standards and regulations exist, including PCI, HIPAA, CIS, FedRAMP and numerous others, staying compliant every minute of every day is a daunting task. A single slip-up can open the door for hackers.

Businesses change every day, and no matter how compliant you become, it is only a snapshot in time. As the 2015 PCI Compliance Report reveals, organizations often make large investments to become compliant with regulations when the auditors show up, only to let their guard down when they leave the building. “Less than a third (28.6%) of companies were found to be still fully compliant less than a year after successful validation.”

This is where the DevOps concept of infrastructure as code enters the picture.

Infrastructure as Code

One of the core principles of the DevOps movement is that your organization’s infrastructure (data centers of computers, storage devices, networks and databases) should be defined in infrastructure code. Provisioning and configuring new infrastructure or updating existing infrastructure is a matter of running code, ideally together with automated infrastructure tests. Just like app code, infrastructure code is stored in version control and backed up regularly.

Configuration drift is a change management and auditing challenge when you manage hundreds or thousands of app environments across multiple data centers. Today tools like Chef, Puppet and Ansible are focused on these problems, and organizations use them to install web servers, app servers, database servers and any custom components needed by their apps. This configuration is not just done once when the server is initially provisioned; these tools maintain it throughout the server’s lifecycle until decommission. If a server’s configuration changes from the defined target state, these solutions detect the drift and bring the server back in line automatically.

What the speakers and presentations at the Chef event made clear was that these same tools are now taking aim at the critical-but-often-boring topic of compliance, a space filled with detailed regulations, thick binders full of paperwork and complex manual processes that are hard and costly to fully implement.

Compliance and Governance with Infrastructure Code

In the future the same tools used to manage configurations can also help you meet security compliance in an automated fashion - by running infrastructure compliance tests against your servers continually. These tests codify specific compliance requirements or security standards, such as validating specific services are running (or not), specific security controls are enabled or ports are closed. They may run once a day or once an hour, your choice.

Each run on each server produces a detailed report of which compliance tests passed and which ones failed. The results for all your servers in all your data centers are passed to a central portal that gives leaders and teams the accurate information needed to address specific compliance issues. When teams fix compliance issues, the results are immediate and visual.

This approach represents a paradigm shift to managing compliance in the modern organization and has the potential to drastically reduce the time to detect and fix compliance problems. These capabilities could save organizations millions in compliance and auditing costs while simultaneously improving compliance validation.

So how would this work in practice? Here is a snippet of infrastructure code that validates a specific PCI compliance rule, from one of the presentations:

PCI Compliance Slide 

This is infrastructure code written in Ruby from a Chef Cookbook. In Puppet this would be done in a Module and in Ansible a Playbook.
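The slide's code is not reproduced on this page, so here is an added example in the same spirit, written in plain Ruby rather than Chef's cookbook DSL (it is not the presenter's code or part of any Chef cookbook): each control becomes a pass/fail test, and a run yields the per-server report of passed and failed tests described above. The sshd_config text and the listening-port list are constructed sample data standing in for what would be read from a real server.

```ruby
# Added example: a minimal compliance-test runner in plain Ruby (no Chef or InSpec
# dependency). Each test codifies one PCI-style control (service/setting on or off,
# port open or closed) and run_compliance_tests collects the results into a report.

# Constructed sample: sshd_config lines as they might be read from a server.
SAMPLE_SSHD_CONFIG = <<~CFG
  Port 22
  PermitRootLogin no
  PasswordAuthentication yes
  Protocol 2
CFG

# Constructed sample: TCP ports the host is listening on (what ss/netstat would report).
SAMPLE_LISTENING_PORTS = [22, 443, 3306].freeze

# Parse "Key value" lines into a hash, ignoring comments and blank lines.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key] = value
  end
end

# Each control is a human-readable name plus a block that returns true when compliant.
# The control names are illustrative, not quoted from the PCI standard.
def compliance_tests(sshd_config, listening_ports)
  [
    ['sshd: PermitRootLogin must be no',        -> { sshd_config['PermitRootLogin'] == 'no' }],
    ['sshd: PasswordAuthentication must be no', -> { sshd_config['PasswordAuthentication'] == 'no' }],
    ['sshd: Protocol 2 only',                   -> { sshd_config['Protocol'] == '2' }],
    ['port 23 (telnet) must not be listening',  -> { !listening_ports.include?(23) }],
    ['port 3306 (mysql) must not be exposed',   -> { !listening_ports.include?(3306) }]
  ]
end

# Run every control and return the per-server report: { passed: [...], failed: [...] }.
def run_compliance_tests(config_text, listening_ports)
  cfg = parse_sshd_config(config_text)
  report = { passed: [], failed: [] }
  compliance_tests(cfg, listening_ports).each do |name, check|
    (check.call ? report[:passed] : report[:failed]) << name
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  r = run_compliance_tests(SAMPLE_SSHD_CONFIG, SAMPLE_LISTENING_PORTS)
  r[:passed].each { |n| puts "PASS  #{n}" }
  r[:failed].each { |n| puts "FAIL  #{n}" }
end
```

In a real deployment the config text and port list would come from the host being audited, and the report hash is what you would ship to the central portal the article describes.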

Now, imagine a set of cookbooks/modules/playbooks that in their entirety can validate all of your servers in all your datacenters are PCI compliant when they run. There could be another set that validates your servers use CIS best practices, and so on. Every compliance standard or regulation your organization faces that could be validated with code would be done in this way.

Taken one step further, imagine if these cookbooks/modules/playbooks were open sourced for the world to use for free? Industry professionals would build them and auditors would actively review them. Organizations could have off-the-shelf infrastructure code for ensuring they are protecting their customers’ sensitive data in the most secure way possible, every minute of every day.

Combining these solutions with a cloud provider such as AWS means your teams are able to take advantage of the elasticity of the cloud while simultaneously ensuring your servers and app environments are continually audited for compliance in a transparent way.

The Path Forward

At SingleStone, we believe protecting your customers’ personal information is more than just a compliance checkbox. This is something organizations need to take seriously if they hope to have the lasting customer experiences that drive long-term business results.

Just one public breach of customer data for your organization undermines all of your customers’ confidence and trust. It also hits your organization in the wallet; just ask Target, who spent over $105 million to fix their data breach including $10 million to settle a class-action customer lawsuit. Sony, Home Depot and Anthem have also suffered similar fates.

For the modern organization, infrastructure code is the future of security compliance and governance. Thick paper binders and extraordinary manual processes will be replaced with automation and code that scales. Your talent will spend time proactively monitoring and addressing compliance issues, not filling out volumes of paperwork and stitching together a potpourri of specialized compliance tools.

Want to learn more about configuration management, the cloud and continuous delivery? Let’s start a conversation. Schedule a chat with one of our DevOps experts today.


Ryan Shriver
Cloud and DevOps Lead