Audits are expensive. Take a HIPAA audit, for example. The cheapest kind of HIPAA audit is a gap assessment, which only is meant to identify ways in which a company might fail to fully meet HIPAA requirements. For this audit, an auditor might not even make an on-site visit to the company. Estimated cost? Up to $30,000—and a full HITRUST assessment might cost up to $120,000.
Similarly, a PCI-DSS audit might cost up to $255,000 a year—and a substantial minority of companies pay over half a million dollars every year. Software licensing audits can cost tens of thousands of dollars. In short, there are many kinds of audits that companies must regularly go through, they are all expensive—and they are all out-of-date as soon as they’re completed.
If you’re a DevOps organization, then you might be deploying software as often as four times a day. If your audit starts with a snapshot of your product that’s taken at nine in the morning, it could be obsolete twice over by lunchtime.
Companies Need New Ways to Handle the Audit Process
To be clear, we’re not discounting the worth of a comprehensive audit process. Your organization has ways to manage and control access to data that exist outside of the development process, and these methods should be scrutinized on a regular basis. While reckless software development definitely has the potential to expose personal data, the most common form of HIPAA breach (for example) occurs when untrained employees snoop on healthcare records.
On the other hand, software development can potentially expose personal data to individuals who aren’t supposed to access it—for example by making large cloud volumes full of PHI available to the public internet without a password. Traditional audits won’t catch this, however, because these compliance failures are ephemeral. Even if potential compliance breaches are here today and gone tomorrow, however, they’re still exploitable while they exist.
Just as DevOps professionals constantly test their code to make sure that bugs don’t make it into production, they should also put safeguards in place to make sure that they don’t ship compliance violations either.
Weaving Continuous Compliance into CI/CD
Continuous Integration/Continuous Delivery (CI/CD) represents one of the best ways for DevOps teams to add compliance to their development practices.
As part of CI/CD, team members strive to increase the frequency of their deployments in order to match a high cadence. In order to do this, they focus heavily on automation—automatically building new releases and testing new deployments to eliminate integration errors. The focus on integration lends itself naturally to continuous deployment, allowing teams to automatically package and deploy their new releases.
CI/CD relies on both software-defined lifecycles and software-defined deployments, promoting high levels of automation at low cost. What if we used software to define compliance as well?
A lot of compliance can be boiled down to binary questions. Is this file password-protected? Yes or no? Can employee X access database Y? Yes or no? Will administrator Z be notified if this file is changed or removed? Yes or no?
By reducing questions of compliance into binaries, they can be tested in a reliable, repeatable, and automated manner. In keeping with CI/CD philosophy, developers can use automation to test compliance at every point in the software development life cycles. That is to say, you may be able to test for compliance every time your developer hits “save” in their text editor, every time your developers submit a pull request, every time your commits are staged for deployment, and even once the software is running in production.
Continuous Integration, Continuous Deployment, Continuous Compliance
In short, by automating continuous compliance, we can expand CI/CD into CI/CD/CC. This can help developers avoid much of the necessity for static, point-in-time audits that become obsolete as soon as they’re started. Instead, they can maintain compliance with major governance regimes, adhere to security best practices, avoid fines due to software licensing irregularities, and more—all without subjecting themselves to the large amounts of time and expense that traditional audit processes entail. Automating compliance won’t just result in software that checks an audit box—it will be safer, more secure, and of higher quality at the end of the day.
For information about how Device42 can help support your continuous compliance efforts, contact us today for a free demo.
