Policy as code is becoming increasingly important in the infrastructure management and automation space. Compliance remains a huge concern, yet our industry's buildout of distributed systems has gotten ahead of our ability to govern them effectively. There are, however, opportunities to take advantage of the strengths of these systems in compliance contexts. Red Hat is attempting to do just that, using GitOps as a foundation for compliance and policy management in its Kubernetes-based OpenShift platform.
I recently spoke to Jaya Ramanathan, Distinguished Engineer and Chief Security and Governance Architect, Red Hat Advanced Cluster Management, and her colleague Siamak Sadeghianfar, Senior Manager, Product Management OpenShift, about their work and the approach Red Hat is taking in building compliance capabilities into the platform. The conversation is engaging partly because it’s a journey story. Ramanathan has been doing security for more than 20 years, throughout her career at both IBM and Red Hat, since well before “cloud native” was a thing. But now she sees GitOps as a great way to implement a lot of the things she’s learned along the way. She has a vision that goes well beyond technical policy and directly into regulatory compliance for vertical industries – this isn’t just about technical policy guardrails. Meanwhile, Sadeghianfar is focusing on the developer experience part of the story. As I like to say, the ideal approach to making people work in ways you want them to is to make the right thing the easy thing. That’s one of the things the shift-left movement is all about. If testing is made easier, developers are only too happy to do it. So can we achieve the same kind of experience with security and compliance?
Find out more in this video.
It’s cool to see these approaches taking off, and Red Hat is a leader here. As I said in November in Notes on GitOps’ potential role in compliance:
The opportunity to use Git-based workflows for compliance purposes is currently underappreciated, but there is a growing understanding in the industry that it’s a significant opportunity. One of the biggest challenges in any compliance project is understanding who did what, and when. With a GitOps-based approach you naturally track system changes, but also know who made them.
A lot of the work in compliance – the job to be done – is being able to track changes to records or infrastructure. Whether you are providing information to auditors or just trying to meet internally defined standards, historically you’re often running around after the fact with a spreadsheet trying to build a record or audit trail. Having a system of record in place can alleviate this overhead and leave you free to do productive work. Using GitHub or GitLab means identity and access management are effectively baked into how you work. With pull requests or merge requests, permissions are baked in. Who signed off on a change and when? That’s baked into Git-based workflows.
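One way to turn that Git history into the who/what/when record described above, as an added example that is not the author’s or Red Hat’s code: it assumes commits were exported with the `git log` format named in the docstring, and the sample export it parses is constructed rather than taken from a real repository.

```python
"""Who/what/when audit trail from git history (added example, not from the post).
Assumes commits were exported as one line per commit with fields split by the
ASCII unit separator (0x1f):
  git log --no-merges --format='%H%x1f%an%x1f%ae%x1f%cn%x1f%cI%x1f%G?%x1f%s'
%G? is git's signature status: G good/trusted, U good/untrusted key, N unsigned,
B/E/X/Y/R bad, error, expired or revoked."""
from __future__ import annotations
from dataclasses import dataclass

FS = "\x1f"  # unit separator: commit subjects may contain commas and tabs


@dataclass(frozen=True)
class AuditRecord:
    commit: str        # %H  what changed
    author: str        # %an who wrote the change
    author_email: str  # %ae
    committer: str     # %cn who applied it (merge, rebase, bot)
    committed_at: str  # %cI when, ISO 8601
    sig_status: str    # %G? can the change be tied to a trusted key?
    subject: str       # %s

    @property
    def trusted(self) -> bool:
        return self.sig_status == "G"


def parse_git_log(text: str) -> list[AuditRecord]:
    """One AuditRecord per non-empty exported line; reject malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(FS)
        if len(fields) != 7:
            raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
        records.append(AuditRecord(*fields))
    return records


def untrusted_changes(records: list[AuditRecord]) -> list[AuditRecord]:
    """Commits an auditor cannot attribute to a verified signer."""
    return [r for r in records if not r.trusted]


# Constructed sample export (placeholder hashes and identities, not real data).
SAMPLE_LOG = "\n".join(FS.join(f) for f in [
    ("a1b2c3d4", "Alice Example", "alice@example.test", "Alice Example",
     "2022-01-10T09:15:00+00:00", "G", "Tighten NetworkPolicy for payments"),
    ("e5f6a7b8", "Bob Example", "bob@example.test", "CI Bot",
     "2022-01-11T14:02:00+00:00", "N", "Bump replica count"),
    ("c9d0e1f2", "Carol Example", "carol@example.test", "Carol Example",
     "2022-01-12T08:40:00+00:00", "U", "Rotate TLS secret reference"),
])
```

Git itself records author, committer, timestamp and signature; the pull or merge request approval the paragraph mentions is held by the hosting platform, so that half of the trail has to be pulled from the platform’s own API and joined on the commit hash.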
Red Hat is a client, and sponsored this video.