HashiCorp Sentinel Delivering Compliance To Infrastructure as Code

Methodologies and practices such as DevOps have contributed to radically transforming the way application development and deployment are performed. The transformation can also affect organizational culture, and a successful adoption by all stakeholders can have a durable and positive impact. While DevOps has a comprehensive set of steps covering development and delivery, compliance does not always make its way into these steps. HashiCorp Sentinel tries to solve this problem.

The Need for Compliance

Compliance determines the need for an organization, its business divisions and its processes to abide by (be compliant with) a variety of external constraints. These constraints are dictated by legislation (international / national / local laws), regulatory or accrediting organizations, or even internal policies. In Europe, the GDPR is a major compliance regulation to take into account. In the US, Sarbanes–Oxley (SOX) and HIPAA are relevant examples.


While compliance has nothing to do with the technical implementation of software or hardware, or even with a methodology such as DevOps (or old-fashioned waterfall development and release management processes), the requirements imposed by law, regulatory bodies or internal policies affect the way systems are implemented, software is developed and processes are executed.

Challenges & Risks of Compliance

Compliance is mostly mandated by law; ignoring it or adhering to it improperly poses a risk to the business. This risk is primarily financial or reputational.

Organizations found to operate outside of regulations can face a variety of sanctions from regulatory bodies. These are usually hefty fines and increased scrutiny, and in the most extreme cases can lead to a license revocation, effectively terminating an organization’s operations in one or more countries.

In other cases, a loss of trust from the public and the organization’s customers can also have a long-lasting negative impact, with damage potentially increased by media exposure (press, blogs, social media, etc.).

Without turning this article into one purely focused on compliance, organizations need to take into consideration not only adherence to industry regulations, but also compliance with local laws. When it comes to data storage and handling, the laws vary from country to country, and some states have also implemented data sovereignty rules that require data of their citizens to be stored in datacenters located in their national territory.

With compliance, the burden of proof resides on the organizations. It is therefore necessary not only to implement controls and policies, but to be able to report on them, and provide an audit trail. Some regulators may require regular reporting, while others will instead perform audits on a periodic basis.

Why Compliance for DevOps

DevOps transforms the application development and release cycle but does not fundamentally change the way the organizations are held accountable by compliance and law. Even if the DevOps model speeds up releases, adherence to compliance isn’t going away and needs to be integrated into releases.

The use of microservices and portability to clouds makes compliance adherence more difficult. Furthermore, compliance has mostly been an out-of-band activity which imposed external architectural constraints on applications and infrastructures.

Is there any asset in the DevOps toolchain that can tackle the issue? Code repositories are a good example of an audit trail source (tracking who did what, and who approved), but even a perfectly followed release process could be used to publish code or applications that are not in compliance, so this isn’t enough.

Introducing HashiCorp Sentinel

The only way to properly implement compliance at the source in DevOps is to have compliance follow the DevOps model. HashiCorp have created a framework called Sentinel, which allows organizations to implement “Compliance-as-Code”. This approach is a natural extension of the Infrastructure-as-Code concept.

The goal of Compliance-as-Code is to ensure business & regulatory policies are enforced regardless of the platform used (public / private cloud), while also handling policies just like any other piece of code.

Sentinel is an embeddable policy-as-code framework that enables fine-grained, logic-based policy decisions, and can be extended to source external information on which to base those decisions.

Compliance-as-Code allows developers to natively implement compliance controls in their code, making their software agile enough to adapt to changing conditions while avoiding the burden of out-of-band compliance constraints.

Embedding Sentinel into code makes policy checks available directly in the data path. Instead of having an out-of-band tool passively checking if policies have been violated or not, Sentinel actively checks if a policy is about to be violated and rejects the behavior, thus proactively avoiding compliance breaches.

Sentinel uses several mechanisms to implement compliance:

  • Policies are treated as code. The same principles of version control, pull request reviews, and testing apply. Policy decisions can be handled just like any other piece of business logic code.
  • Various enforcement levels allow an evaluated condition to be allowed, allowed with a warning, or rejected, depending on the enforcement level chosen by the policy writers.
  • Fine-grained, condition-based policies allow policy decisions to depend on the values of other conditions.
  • Integration with external information sources allows policy decisions to be taken at the level of the entire infrastructure. HashiCorp states, for example, that if Consul health checks are failing, then Terraform cannot execute.

The scope of application of Sentinel is very broad. It could be used to detect and avoid commonplace mistakes such as default/unrestricted network traffic rules and unsecured storage buckets, to enforce existing policies (naming conventions, tagging of objects), to implement tighter access control rules, and to enforce which workloads are allowed.

[Figure: HashiCorp Sentinel code sample – how to use Sentinel to disallow AWS security groups with egress set to 0.0.0.0 – Source: HashiCorp Sentinel website]

Currently, Sentinel integrates with Terraform, Vault, Nomad and Consul. Interestingly, HashiCorp have also released a Sentinel Simulator to develop & test policies.
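The policy below is an added example written for this article, not HashiCorp's published sample: it rejects any `aws_security_group` in a Terraform plan whose egress rules allow traffic to `0.0.0.0/0`, and it assumes the policy runs in Terraform Cloud/Enterprise with the `tfplan/v2` import available.

```sentinel
# Added example (not HashiCorp's sample): block AWS security groups with
# egress open to the whole internet. Assumes the tfplan/v2 import.
import "tfplan/v2" as tfplan

# Collect security groups being created or updated in this plan.
security_groups = filter tfplan.resource_changes as _, rc {
    rc.type is "aws_security_group" and
    rc.mode is "managed" and
    (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Egress blocks are a list of maps; the attribute may be absent or null,
# so default to an empty list instead of failing on undefined values.
open_egress_groups = filter security_groups as _, sg {
    any (sg.change.after.egress else []) as eg {
        "0.0.0.0/0" in (eg.cidr_blocks else [])
    }
}

# Name the offending resources so the run log says what to fix.
for open_egress_groups as addr, _ {
    print("security group", addr, "allows egress to 0.0.0.0/0")
}

# The policy passes only when no security group has open egress.
no_open_egress = rule {
    length(open_egress_groups) is 0
}

main = rule {
    no_open_egress
}
```

Whether a failing `main` merely warns or blocks the run is decided by the enforcement level attached to the policy in the policy set, not by the policy itself; the Sentinel Simulator mentioned above can evaluate the policy against mock plan data before it is attached to a workspace.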

Conclusion

Compliance is often seen as a thorn in the side of IT practitioners. It should however be considered not as a burden, but as a benefit to the organization, its customers, and to the industry and society.

Infrastructure-as-Code disrupts the way infrastructures are configured, deployed, and kept in a consistent state, making it one of the essential changes organizations need to adopt to operate their infrastructure estate.

Continuous configuration automation (CCA) tools such as HashiCorp Terraform shift infrastructure management from the old cycle of “deploy, manually configure, verify, create records, assess compliance” to “create baseline, automatically configure (via applied baseline), continuously verify for deviations & enforce baselines”. The benefits are a speed increase, a reduction of manual errors and configuration consistency across the board.

Implementing Compliance-as-Code alongside Infrastructure-as-Code completely changes the practice of the compliance discipline. The passive “monitor and remediate” approach to compliance becomes an active paradigm. Policy violations are preemptively detected during code execution, triggering the subsequent course of action based on policy settings (allow the behavior, allow but warn, or reject the behavior).

HashiCorp Sentinel embeds compliance imperatives directly into CCA tools such as Terraform and guarantees not only that configuration baselines will be applied each time a new infrastructure component is provisioned (this could even be at each restart for stateless servers), but that policies and regulatory requirements are taken into consideration directly at the source and never violated.

This is a fundamental change, because HashiCorp Sentinel enables compliance to be implemented in-band, at the source code level; compliance can now be used to orchestrate application behavior and data flows without the need for out-of-band solutions and complex, bureaucratic compliance review mechanisms.