HPE Datacenter Care—Infrastructure Automation (DC-IA) provides advice, support, and tools to help customers create a fast, agile, and reliable IT environment. For several years, HPE has been using Chef to turn infrastructure into code. Recently, they've expanded their offerings with InSpec, which turns compliance into code. InSpec is a human-readable language for automating the continuous testing and compliance auditing of your entire infrastructure.
In this article we learn how Vivek Bhatia, DevOps Consultant at HPE, introduced InSpec to one of the largest banks in India. In particular, Vivek worked with the infrastructure team that manages the company's Banking Services division, which is responsible for most of the bank's transactions. Compliance is particularly critical for them. The division has approximately 500 HP-UX servers that make up their development, test, and production environments. They also have some servers for disaster recovery (DR).
Compliance without automation
Of course, there are many regulatory and security guidelines the bank must follow and each month the team checks to make sure their servers are compliant. There are around 100 checks and, before InSpec, they were performed manually. The process was very difficult. The team had to log in to each machine, check the configuration settings, provide the results on paper, and then log them. Completing a single check took about 5 minutes, so vetting just one server took about 8 hours.
Introducing automation with InSpec
Vivek knew that automation was the answer and he was familiar with InSpec. He worked with Chef to develop and add a profile for HP-UX that was based on the Center for Internet Security (CIS) benchmarks. Vivek then tested and customized them to fit the bank's particular requirements. Next he did a proof of concept for the bank, showing them the results for a couple machines.
In terms of the bank's reaction, Vivek says, "When they saw the tool they were very excited. They were able to see the entire scan result in minutes. They could see how many were compliant, how many were not compliant and based on that they could make a quick decision. What they took 500 minutes to perform on one server, they could now perform in 2 minutes, which was exceptional for them.
Plus, they could also use the tool to ensure that their DR configuration and their primary data center configuration were the same. They could just run a test across both sides and track disparities in their configurations and go ahead, make a decision and make relevant changes to remediate them."
InSpec also made it much easier to satisfy the bank's auditors. IT auditors sometimes asked to see the status of a particular machine and retrieving the information was slow. Team members had to run scripts manually, get the output and make it suitable for a report. Now, with a single click, the team can instantly show the auditor what checks have been performed.
Vivek found another advantage: InSpec is human readable and easy to learn. He described the differences between InSpec and other industry tools. "Most vendors for security and auditing use a binary format. If you want to customize anything you have to contact the vendor, the vendor will make the changes, they ship it back, and before that they'll charge for different professional services and fees. Most of the time, it becomes very difficult to work with those tools. InSpec is easy to customize and you don't have to learn a programming language like C or C++ or Java.
"When I showed the profiles to the infrastructure team they felt confident. They thought that they could also easily pick InSpec up within 1 or 2 days and start using it themselves. The learning curve was very small."
The advantages of automation
The Banking Services team has rolled out InSpec in their development and test environments. As they gain experience, they will roll it out to production.
Dominik Richter, Chef's Product Manager for InSpec, says, "We often get positive comments from our users about how easy InSpec is to deploy in their environments. Human-readable rules are a big part of this, as well as InSpec's lightweight requirements for execution."
Vivek says, "When I talk to the financial customers, I know that there are two key things they are really worried about. One is the security of their systems and second is auditing. For security, most of the time they have checklists and they want to ensure they are compliant with those checklists but unfortunately they are not. I try to tell them that if you want to get this done quickly, if you want a better way to understand how your infrastructure looks, use InSpec, which can be agentless. Just go ahead and start deploying and start seeing the benefits.
"I was a system administrator for 10 years so I know what it's like to do all the fixes and run all the reports. It's very, very painful, especially when you have 3,000 or 4,000 servers. Without automation, managing compliance is very challenging."