Chef Bulks Up with Compliance and Workflow Tools
Chef is outfitting its popular namesake configuration management software with additional workflow and compliance tools designed to bring both DevOps and stricter controls to enterprise software development and deployment.
In addition, it’s adding to its portfolio Chef Compliance, incorporating technology from its summer acquisition of German security vendor VulcanoSec to bring compliance technology to the Chef platform.
It’s launching an enterprise transformation practice, led by Justin Arbuckle, former GE Capital CTO, to help companies successfully adopt DevOps practices and become “high-velocity software organizations,” according to Jay Wampold, Chef VP of Marketing.
In announcing $40 million in new funding just two months ago, CEO Barry Crist said the new investment would take Chef into the DevOps mainstream. He also pointed to containers and compliance as two areas on which the company would focus.
“What you’re seeing is really an expansion of Chef into workflow automation and change management. It’s taking the principles of infrastructure as code and applying them across the stack to everything as code, then providing that prescriptive workflow” — Jay Wampold, Chef VP of Marketing.
Wampold said growth is only accelerating in Chef’s core automation business, and that enterprises are just waking up to and embracing Chef.
Among the barriers to the adoption of DevOps, he says, are the difficulty of stitching together disparate tool chains, thrashing about on workflow, and treating security and compliance as an afterthought.
Chef Delivery automates changes to infrastructure, runtime environments and applications, but also offers a framework for automated testing and continuous integration and delivery. It provides metrics, permissions management and a comprehensive change history for developers’ code.
Each individual change to Chef cookbooks, applications, or infrastructure goes into a shared pipeline space called “Union,” then to the pre-production staging area “Rehearsal” and ultimately to the “Delivered” production environment.
Chef Delivery is about “allowing teams to collaborate across complex pipelines where change may affect multiple teams with multiple dependencies that may have governance around it – who can review the code, who can approve the code,” said Ken Cheney, Chef VP of Business Development. Infrastructure teams, application teams, compliance and security teams might all be involved in this collaboration.
“Also from the testing perspective, it’s making sure the code meets the requirements from a functional perspective, a unit perspective, performance perspective,” Cheney said. “Now we’re adding in a compliance perspective, weaving in the ability to look at in all these different ways and allow teams to collaborate at scale – that’s one of the things we were really going after.”
Since April, Chef has worked with a handful of very large enterprises such as GE on Chef Delivery. From their feedback, Chef has improved visibility for each code change through the pipeline, made UI and performance improvements, and is working on improving dependency management functionality, according to Alex Ethier, Chef vice president of product.
One of customers’ big concerns was integration with various source control and measurement platforms. To this end, Chef has integrated Delivery with GitHub and is working on integrations with Stash and other code repositories. Though it’s most tightly integrated with Chef, the Delivery workflow doesn’t require customers to use Chef, Ethier said. One of Delivery’s users is an Ansible shop, for instance.
Chef Delivery integrates with an extensive array of operating systems, runtime environments such as Docker and cloud platforms including Amazon Web Services and Microsoft Azure.
“It integrates with any kind of API, so you can integrate with ticket systems with Amazon, Google containers, you can reach it from a program inside Delivery. Delivery is the tool that lets you govern or manage the whole flow of changes,” Ethier explained.
“You might need to provision some nodes to Amazon, you might need to configure them using Puppet, Chef or whatever – there are many, many pieces in your pipeline. Delivery sits on top of all of that. I want to change my infrastructure, my containers, my application: all those changes go to Delivery,” Ethier explained. “With Delivery, you have visibility over the state of those changes – Who did what? Did it fail? Did it pass? You can govern who can accept a change to the system and who can deploy a change to the environment.”
One of the big problems in IT is that security and compliance are handled at runtime and are not part of the workflow, according to Wampold.
“IT needs to move risk away from the production runtime and into the build process. IT needs to manage infrastructure, compliance, container runtimes all as code,” he said.
The VulcanoSec technology helps companies automate compliance as part of that build process. As part of Chef Compliance, the company is creating an open source project called InSpec that provides the runtime framework and language to allow developers to write rules to test for compliance and security.
Regulations such as HIPAA or PCI “usually have descriptive as well as prescriptive requirements that a company has to translate into [demonstrating] compliance,” Cheney explained.
Chef has been working with the major German compliance organization TÜVs (Technischer Überwachungsverein or Technical Inspection Association) to apply rules to the TÜVs framework to allow customers to easily assess whether their infrastructure is compliant with the TÜVs policy.
“When you break it down to the components you can actually check physically, those become rules. From a PCI perspective, it becomes a set of rules that a server is actually secure. We provide, out of the box, a huge library of rules that will cover about 90 percent of your compliance requirements on Linux and Windows. Then you have to map those rules to the policy frameworks. The whole point of InSpec is to allow companies to write their own rules,” he said.
Chef Compliance provides the ability to take those rules and map them to policy. It could specify network ports that are open; it could specify compliance frameworks.
“Those PCI rules then are code, there’s version control, they can be tested – managed just like you manage all your other code. Using Chef Delivery, every time a change goes through – and companies like Facebook are submitting hundreds of changes a day – it can be assessed using Chef Compliance. Rather than having compliance being a moment in time or an afterthought, you can make compliance part of how you build and deliver infrastructure applications,” he said.
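To make concrete what “rules as code” looks like in the InSpec language described above, here is a constructed example (not code from Chef, VulcanoSec or this article) of a small InSpec profile file that turns two PCI-style hardening requirements into checkable controls; the resources and matchers are InSpec’s own, while the control IDs, the `pci` tag values and the chosen port numbers are assumptions for illustration. It is run against a host with `inspec exec`, which is how such rules would be evaluated on every change flowing through a Delivery pipeline.

```inspec
# Constructed InSpec profile (controls/pci_host.rb); IDs and tag values are illustrative.
# Each control is one rule; 'tag' is where a rule is mapped back to a policy framework.

control 'pci-ssh-01' do
  impact 1.0
  title 'SSH daemon must use protocol 2 and refuse root and password logins'
  desc 'Remote administrative access must be authenticated with keys only.'
  tag pci: '8.2', framework: 'PCI DSS'   # assumed mapping, for illustration
  only_if { file('/etc/ssh/sshd_config').exist? }

  # sshd_config parses the daemon configuration; each 'its' is a separate finding
  describe sshd_config do
    its('Protocol') { should eq '2' }
    its('PermitRootLogin') { should eq 'no' }
    its('PasswordAuthentication') { should eq 'no' }
  end
end

control 'pci-ports-01' do
  impact 0.7
  title 'Legacy clear-text services must not be listening'
  desc 'Only approved, encrypted services may accept connections.'
  tag pci: '2.2.2', framework: 'PCI DSS'   # assumed mapping, for illustration

  # One listening check per port so each one is reported individually
  %w(21 23 69).each do |p|
    describe port(p.to_i) do
      it { should_not be_listening }
    end
  end
end

control 'pci-passwd-01' do
  impact 0.5
  title 'Account database file has restrictive ownership and mode'

  describe file('/etc/passwd') do
    it { should exist }
    it { should be_owned_by 'root' }
    its('mode') { should cmp '0644' }
  end
end
```

Because the file is ordinary version-controlled code, the same checks can be reviewed and tested like any cookbook change, and the `tag` entries are what let a reporting layer roll individual findings up to a policy requirement.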
Andrew Phillips, vice president of DevOps Strategy at XebiaLabs, which offers its own continuous delivery tools, raises some doubts about Chef’s strategy, however.
“With the provisioning business becoming more commoditized and the first-generation vendors under threat from newer entrants like SaltStack or Ansible, it is not surprising to see both Puppet and Chef try to expand their DevOps offerings upwards towards the application layer, because that’s ultimately where the business value is,” he said. “What is surprising is the leap Chef decided to make with Chef Delivery, which looks like it may miss the needs of large companies.
“Having worked with many global enterprises for years, we have learned that improving software delivery in large organizations requires tooling that goes beyond basic process automation, is flexible and provides visibility and control. Chef’s rigid process that assumes full automation is very hard for enterprises to adopt, especially when the goal is to transition existing teams to continuous delivery.”
However, Chef Delivery is a clear signal that tools dedicated to the software-release process are needed on top of the underlying automation provided by tools like the “original” Chef, he said. “This will help eliminate some of the confusion we see in the community today, and highlights the growing market for orchestration tools to support continuous delivery and DevOps in the enterprise.”
Docker is a sponsor of The New Stack.