DevOps has become a critical tool for IT / Technology organizations to transform their delivery organizations in order to achieve digital transformation objectives. While DevOps practices and tools aim to increase IT’s capacity to deliver at high velocity by integrating software development and operations processes, many organizations find that achieving compliance with regulatory frameworks such as SOX, PCI and HIPAA is a nightmare. Many fear the introduction of new risk, and lack the know-how to navigate the requirements of these regulations in the context of a functioning DevOps environment.
Certain regulations are widespread across industries, while others are specific to particular industries, for example HIPAA for healthcare. Regulations aim to provide a general benefit; however, they can sometimes be too cumbersome to comply with. The rapid pace of change that DevOps promotes may be seen as an area where any inclusion of controls would outweigh the benefit of velocity. The interesting aspect is that the very nature of DevOps is to drive agility and automation, which makes integrating compliance requirements into the DevOps delivery pipeline a breeze. Thus, DevOps inherently provides the framework to stay compliant, rather than treating compliance as an obstacle to productivity. However, implementing controls properly within DevOps is key.
In our experience, the success of any DevOps implementation in remaining compliant with SOX, PCI and HIPAA is best judged by how the process withstands an external audit. One of the biggest sources of difficulty is that DevOps can create “free for all” access to production systems in order to keep up with delivery velocity. Besides access proliferation, there are several other factors that need to be considered when implementing DevOps from a compliance perspective:
- Control – How do we establish risk management procedures and governance mechanisms without inhibiting the benefits of continuous, closed-loop improvement processes?
- Speed – How do we stay agile at the speed the business needs?
- Cost – How do we optimize the cost of infrastructure and identify wasteful spend?
- Automation – How do we automate resource management? How do we handle resource requests and manage demand?
- Budgets and Cost Allocations – How do we reconcile budgets to actual spend?