Chef Compliance
Compliance Management Automation Software with Speed and Efficiency
Maintain compliance and prevent security incidents across heterogeneous estates.
Automate and Enforce Compliance Across the Enterprise
Chef® Compliance™ makes it easier than ever to maintain and enforce compliance across the enterprise, with standards-based audit and remediation content, easily tuned baselines to adapt to the organization’s needs, and visibility and control across hybrid and multi-cloud environments.
Chef Compliance Key Benefits
Streamline Audits
Gain full visibility and easily manage waivers to eliminate 90% of the time spent on audits.
Maintain Continuous Compliance
Close the loop between audit and remediation to ensure assets are always in compliance with CIS benchmarks and DISA STIGs.
Easily Meet Enterprise Needs
Leverage certified, Chef-curated audit and remediation content that is easily tuned to organizational needs.
Jump Start Compliance Automation Efforts with Chef Premium Content
Customers access Chef curated trusted content for audit that is directly aligned to CIS (Center for Internet Security) benchmarks or DISA Security Technical Implementation Guides. Also now with newly available Chef automated remediation content, organizations can ensure remediation actions align directly to audit results.
Chef Compliance: Automate Compliance and Prevent Security Incidents
Chef Compliance helps organizations streamline their ability to stand up and maintain compliant IT infrastructure, whether on premises or in the cloud. Built on technology proven at extreme scale, including Chef InSpec, Chef Compliance leverages certified, curated audit and remediation content to help organizations quickly meet industry standards such as CIS benchmarks and DISA-STIGs. The product offers flexibility to easily apply and track waivers and tune controls to enterprise-specific needs.
Chef Compliance helps across all stages of the compliance workflow:
Acquire: Customers access trusted content aligned to industry benchmarks for audit and remediation. With extensively tested, Chef curated, and CIS-certified content, organizations can get started quickly and ensure remediation actions align directly to audit results.
Define: Chef makes it easy to define compliance baselines and tune them to the organization’s unique needs. Flexible compliance waiver capabilities allow teams to turn on or off individual controls in order to avoid false positives and misconfigurations.
Detect: Continuously monitor and evaluate compliance posture by detecting deviations from intended state at any point in the software delivery lifecycle.
Remediate: remediate non-compliance with policy-driven remediation capabilities that efficiently address individual controls in alignment with audit tests, encoding those fixes to enable continuous compliance. Remediation can be applied easily, without requiring coding skills.
Report: Maintain comprehensive and up-to-date visibility across heterogeneous estates, easily view differences between baseline and remediated states, and track waiver status to enable fast and accurate audits any time.
Chef Compliance Audit
Chef Compliance Audit helps security and operations teams maintain complete visibility over the compliance status of their estate. It comes with extensive audit content based on CIS and STIG benchmarks out of the box that can be easily tuned to meet specific needs of every organization. Chef Compliance Audit provides up-to-date visibility across any on prem or cloud environment.
Automated Remediation
Automated remediation helps close the loop between audit and remediation to enable continuous compliance in the enterprise. New remediation functionality and trusted, standards-based content makes it easy to remediate issues uncovered during audits without writing any code.
Chef Compliance also has the extensibility and flexibility to allow for customization of pre-packaged remediation content that can be modified to accommodate for corporate specific needs through code.
Chef Compliance Use Cases
Audit for Security
Continuously assess security and easily customize and update testing when new vulnerabilities are published.
Audit for Compliance
Report on compliance checks against CIS benchmarks or DISA sandards in order to maintain continuous compliance.
Continuous Compliance
Monitor and remediate any deviations to compliance posture across environments continuously.
Regulatory Compliance
Leverage predefined benchmarks or fine-tune compliance profiles to address organizational specific requirements.
Government Compliance
Predefined DISA STIG and CIS benchmark profiles help accelerate the Authority-To-Operate (ATO) in highly regulated federal organizations.
Accelerate Delivery
Deliver faster business value as infrastructure and application compliance is built into the SDLC.
Consolidated Fleet Visibility Dashboard
A specially tailored compliance centric dashboard allows organizations to gain deep insights into the state of their fleets. The Chef Compliance dashboard enables IT infrastructure and Information Security teams to maintain continuous visibility into the compliance status of the entire fleet.
Track, Audit and Apply Waivers to Changes
Through Chef Compliance teams can audit various endpoints for compliance against CIS benchmarks or DISA standards, while viewing the aggregated compliance state of the entire fleet. Chef Compliance allows organizations to flexibly apply waivers and provide a business justification for skipped controls, with the ability to apply end dates to determine when a waiver or control should be remediated, or allow for the waiver to be permanent.
Continuous Compliance Monitoring
With Chef Compliance, organizations can consistently enforce security based on industry standards, such as Center for Internet Security (CIS) benchmarks and DISA-STIGs. Users can also create custom profiles to meet any enterprise role-specific infrastructure or compliance policies so they are able to detect security or compliance issues and automatically correct them to maintain continuous compliance.
Rapid Remediation at Scale
Chef Compliance allows for correction or remediation of configuration drifts from desired state for a single device or up to the entire fleet, from a single pane of glass. Organizations can monitor device compliance state and either automatically or as needed reconfigure the IT resource back into compliance.
We use compliance as code as a vehicle to unite all of our stakeholders. With it, you can articulate your security posture and, more importantly, produce a versionable artifact that represents that posture… Scaling beyond humans with compliance-as-code saves you and your system owners time, but auditors should also understand the time savings they are going to gain.
Recommended Content
On-Demand
Frequently Asked Questions
What is compliance management?
Compliance management involves processes and technology. On the organizational side, it is a continual process where internal experts monitor and assess enterprise systems and procedures to maintain compliance with industry regulations, corporate policies and security standards.
Compliance management demands best practices and appropriate policies and procedures for compliance. This entails a rigorous approach to identifying and tracking relevant regulations, applying best security practices, using tools to help meet compliance requirements and auditing and reporting on the status of this work.
Policies should govern how data is handled across the enterprise and shared outside of the network.
Why is compliance management important?
Compliance itself is important. Failure to comply can result in steep fines and penalties and potentially damaging bad publicity. Because most compliance rules relate to security, failing compliance means failing security.
Compliance management not only reduces regulatory risks but informs the entire enterprise as to the importance of compliance and how it can help to achieve it.
Compliance management also involves technology to support the company’s policies, procedures and drive a compliance culture.
What are the key elements of compliance management?
A compliance management program should include:
- Understand the regulatory landscape
- Document IT policies and procedures
- Monitor and audit compliance efforts
- A response system for when problems are found, with corrective actions specified and taken
What are the challenges for compliance management?
Compliance management is made essential and difficult by an array of challenges, including:
Increasing regulatory complexity: Today’s enterprises face numerous compliance rules, but each compliance regulation is itself complex. While that is difficult, these complex rules regularly change, which requires internal experts to keep up and take steps to abide by new rule changes.
New regulations: While organizations struggle to keep up with changes to existing rules, brand new regulations also regularly appear.
New cyberthreats: Defending against cyberthreats is crucial to most compliance regulations. These threats are far from static, but constantly proliferate and increase in intensity.
Dealing with distributed environments and multiple platforms: Attack vectors grow as IT becomes more distributed and new platforms are added. Protecting these and addressing compliance requires visibility into new systems and vigilance in defending them.
What are the best practices for compliance management?
The way IT addresses compliance is just as important as the technologies they apply to these efforts. Here are four compliance management best practices:
Monitoring and scanning: You only find compliance issues if you look for them. The regular monitoring of systems, configuration states, abnormal changes and vulnerabilities occurs here.
Auditing: Regular audits not only show where your compliance efforts stand, but they are an essential part of a compliance investigation.
Apply automation: Handling all compliance tasks manually is not only cost-prohibitive but also, in many cases, impossible. The smart move is to automate where you can. Take configuration. Automation can spot configuration errors and then update the configuration without human intervention.
Patch and update: Unpatched and non-updated systems are an attack waiting to happen. Automate the scanning of systems for patches and updates and make sure they are updated as soon as possible.
What is the compliance management process?
Identify and document compliance requirements: Your compliance team should identify all compliance-related regulated rules, whether legislative, contractual or legal, so you know exactly what you need to comply with.
Define current compliance state: Once you know what you need to comply with, define and document your position regarding compliance and security requirements.
Build out policies and processes: It is critical how your IT team, managers and employees work to meet compliance requirements. These formal policies and processes are the basis of training programs.
Adopt compliance technologies and apply controls: Security and compliance-specific technologies should be adopted, properly applied, used with precision. Controls such as popular security benchmarks should also be applied.
What are some examples of compliance management solutions?
There are countless compliance tools. In fact, most security solutions can be considered part of a compliance portfolio. There are, however, compliance-specific products, including:
- Progress Chef Compliance: Compliance management automation
- Hyperproof: Security and compliance automation
- Rivial Data Security: Compliance automation
- StandardFusion: Governance, risk and compliance software