A Year with Chef and InSpec: A Retrospective with Optum

Video in TIB AV-Portal: A Year with Chef and InSpec: A Retrospective with Optum

Formal Metadata

CC Attribution - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

At healthcare-focused companies, compliance is serious business and automating compliance is the only way to stay ahead. The team at Optum are one year into their infrastructure and compliance automation journey. Adam Leff, Technical Community Advocate for InSpec at Chef, talks with Odie Routh (Foundation Engineer) and Tom Rennaker (manager of the Compliance Support Services team) from Optum about where they started, where they are now, how they got here, and where they're headed next.
Good afternoon, everyone. Wow, so that was lame. Good afternoon! Hey, that is so much better, and not at all prompted, so thank you for that. My name is Adam Leff, I'm the Technical Community Advocate for InSpec. It's my privilege and pleasure to have with me two fine gentlemen from Optum, Tom Rennaker and Odie Routh. Tom?

I am Tom Rennaker. I manage the Compliance Support Services team. I'm normally responsible for making sure that all servers that we support are compliant, not only with the standard corporate baselines but also, in certain cases, a lot of regulatory controls, the nature of place.

Great. OK, so I am a Foundation Engineer, and in Optum that really kind of plays out that I play the role of DevOps advocate in the infrastructure services side of our organization.

Cool, thanks so much. Before we get started hearing about these fine guys' experience with compliance, I'll talk to you a little bit about InSpec first. So historically (is my clicker working? There we go) with compliance and security, usually there are three primary groups responsible, or that find themselves responsible, for compliance and security, and each of them have their own tools with which they feel most comfortable. Your compliance officers find comfort in their Excel spreadsheets and PDFs, because that is the way compliance information is usually disseminated. Security engineers, if you're lucky enough to have great security engineers, usually have penetration testing tools or other advanced shell techniques that they would use in order to test systems for vulnerabilities. And DevOps engineers know how to harness the power of infrastructure automation in order to be able to make changes across many, many systems to bring them up to snuff for some sort of compliance or security need. InSpec provides a single language that allows these three groups to communicate with one another, by being able to write your compliance requirements in a human-readable language but also in an executable
language to automate those compliance needs. On the left-hand side is an example of what a CIS benchmark might look like. Those of you that are required to follow CIS benchmarks might be having twitches right now, because these PDFs all look the same, and just the sight of it is making you nervous. But the nice thing is they do have code snippets that you can usually use to test whether a machine is up to snuff or not. But a security officer might not understand that technology, and also, you can't toss a PDF at a server and have it tell you it's compliant. The one on the right-hand side is what an InSpec control looks like. We can take that metadata from that control and embed it within our actual tests and still have that be executable. So when you get a report from InSpec, you have all the context you need in order to determine what this control, what this test, is about, but it's also executable. I can automate this and scan across my fleet with InSpec. We provide InSpec's CLI; you just type inspec exec and the path to a profile, and that would execute locally on a machine. But InSpec can also run remotely: as long as we can log into
the machine, we can scan. So we can scan via SSH and we can scan via WinRM, and in both cases we do not install any software on the target machine in order to scan. So as long as we can log in, we can scan for compliance. Also, one of my favorite features is being able to scan running containers: we can reach in via the Docker API and run the same exact InSpec checks against a running container, even if we didn't create that container, which I find to be pretty cool. And the ultimate way of doing this is with continuous compliance, which we heard about during a keynote today. One of the ways we can achieve that is by using the audit cookbook. The audit cookbook runs as part of your normal chef-client runs, and during a chef-client run it will run whatever InSpec profiles you tell it to and feed that information back to Chef Automate. A really, really neat way of seeing compliance across your fleet in real time, rather than the once-a-year, the auditor's at the door. If you'd like to learn more about InSpec, you can go to inspec.io; there's a whole bunch of tutorials and documentation and even an in-browser demo if you want to get your hands on it. So whenever
tackling a new challenge, such as how do we handle compliance events, it's great to have a framework in order to evaluate the situation, make a plan and then execute it. And I like to use, if you've never heard of it, the OODA loop, sometimes called the Boyd cycle after the colonel from the US Marine Corps, John Boyd, that created it. The loop has four steps: observe, orient, decide and act. The observe step is about understanding the situation. For compliance this might be: what's the new requirement? Is there a vulnerability that's been announced, and I know that because it was announced and released? Or maybe there's a product change, so your product team has decided you're now taking credit cards, and now PCI is a world of hurt for you that you just inherited. So observing is about collecting information, knowing about the situation so you can decide how best to. Well, the orient step is about gathering the data you need in order to assess impact and severity. So what part of my fleet does this new compliance requirement now apply to? Is it all of it, or a subset? Those sorts of information we can collect. If it's a vulnerability, what parts of my fleet are already currently vulnerable and need action? Do we need to mitigate the vulnerability today? InSpec fits into the orient step excellently: we can use InSpec to write a control or a profile, execute it, and we can collect that data. Once we have that data, we can decide how best to proceed: is this a vulnerability that requires us to drop everything and fix it now, or is this a product change that needs to get put into my product team's backlog and prioritized accordingly? And obviously, once we've got that green light to act, we can proceed with the planned actions.

These two fine gentlemen here have been going through some pretty impressive transformation, tackling some challenges, which is awesome considering the size of Optum. Optum is a huge, huge company. So over the past year these two have been part of a team that's been working to
transform the way they handle compliance and compliance automation. So thank you for being here and being willing to discuss this with us.

Thank you.

So first off, as I'm sure many people in this audience can relate, I understand that getting a new host online and provisioned and ready to go could be somewhat painful for you at times. Would you come walk us through what the process is like?

Yeah, like Adam said, we're a pretty big company, and getting stuff out from conception to production is a pretty, well, process. A lot of people. And typically our environment is pretty siloed, so you'd have a team that would spec out the server, a team that would order the server, some other team to assemble the hardware, another team to install and configure the OS, another team to apply the compliance standards, another team to check on the work, the QA, and then another team to support it when it's in production, and so, many handoffs. And we've taken that picture of where it was and we really tried to eliminate a lot of those steps in the process, from the time you push a button the technological, and we've come a long way in the process to get rid of some of those handoffs that would cause those delays.

But first, I know Optum is a healthcare-focused company, so compliance, having the servers be compliant and remain compliant, is absolutely critical. What were the processes, before you embarked on this journey, that you and your team used in order to ensure operating system compliance?

Yes, so, you know, we always got the job done and the servers were always compliant, but the process was very manual intensive and took a long time. So the servers were built, during the process are ascribed, and they all have a set of standard controls and baselines applied to them, and then in Windows' case held in place with GPOs, and in other cases we wind up and
periodically scan, you know, using scripts and other automation tools, and remediate anything undirected. And then if a server needed some stricter controls, you know, like you mentioned PCI and some of the other controls, more stuff, often we wouldn't know that until the server was already in the customer's hands, and we would have to ask the customer to take an outage to say, OK, we've got to apply these rules, these controls, now. So that has a lot of pain points there to get the server up to the compliance standards.

What did that look like from the outside, you not being on Tom's team directly, so as a customer of this pipeline of servers getting created, what did that process look like, like, two years?

So it was a bit of a tense process. Given that handoff being, you know, something that's tacked on very late in the whole process, it was tense; it was always pushing up against deadlines, and like you mentioned, having to take outages. There were periods of time where, you know, being a team that has a server that we're bringing to production, you have to be hands off so the compliance team can come in and do what they need to do and go through that outage piece. So yeah, it's a tense relationship; it was never good news to be talking to the client.

And usually numbers if we like so as bad as that I have here is like an room like: how many people are in a compliance team, or are responsible for enforcement of compliance? So took that every person seemed to be operating at that. So I had my first slide, I talk a lot about this, right, that there are three groups. Compliance is everyone's responsibility, right? So if you don't have a way to automate and this is a manual process, everyone feels pain, whether you're on the receiving end or the delivery, and it's very critical. So I've heard challenges, I'm sure there's more, but as you reflect back on what it was like to first
create a host, what were the first objectives you wanted to tackle this year in the world of compliance automation? Odie, why don't you start?

OK, yes. Starting out, a big one for us was the notion of shifting left. We've been talking a lot about the notion of treating security and compliance as factors of quality, and our teams were really working toward continuous integration and doing a lot of quality testing, and we wanted to figure out how to be getting that piece earlier in the process and start having the relationship with compliance be a feedback relationship rather than a handoff relationship and a bad-news relationship. So there is a real desire to make that a part of everyone's everyday work. Another factor, too, for me, a goal in talking this through, is trying to solve this, the potential for us to be talking about compliance as a continuously
improving journey, so that we could get Tom's team to be putting more energy into moving compliance, moving our baselines forward, rather than spending all their energy doing the repetitive work of enforcement, so that they could scale much better and do more interesting things.

And, obviously being part of a team that delivers machines, what were the objectives you wanted to solve first this year?

I guess for us the biggest thing was having that visibility into the compliance state of our servers. I mean, we had to do our manual stuff to just get that data, and we built some automation around it, but, you know, there was a lot of work that went into actually knowing, and being confident, that the servers were compliant. And that was the biggest first step for us, just seeing that.

So insight, visibility, both pre-delivery and post-delivery, were critical things for Tom's team. And, you know, I didn't mention it, but I also think another piece was to try and make that visibility more self-service for teams as well. In a lot of cases our baselines, our information, isn't necessarily in everyone's hands; not everyone looks at those PDFs, not everyone is necessarily in touch with it. But really seeing that they're getting that feedback from compliance while people were trying to deliver hosts gave them a better chance to be engaged with understanding what it was to be compliant, what they needed to do, and to be more informed as well.

Right, and also we needed an easier way to bring our servers into compliance, the ones that had drifted or were non-compliant; we needed an easier way to do that, because that process took a long time to get the servers compliant, and, you know, the servers in our environment, the amount of servers was growing exponentially and our staff wasn't. So we definitely needed a way, an easier way, to do it.

Who can relate to that? And yet again everyone center property for that, but it's OK to shut, but I know the real, I
know the truth. So Chef is a great tool to help do the infrastructure piece; obviously we're talking about InSpec as a critical component to doing compliance automation. How have these two tools helped you to bridge the gap with other teams and convince even your team, as well as other teams, to work with you, that using Chef and InSpec are the right thing to do here? Tom, which is, but I think the first.

OK, yes, and for me it was really about flexibility. I think being able to use InSpec in so many ways, much like what you just talked about at the beginning: being able to run it remotely without an agent, being able to put it in with an audit cookbook and run it on running servers, being able to use it on someone's desktop while they're doing development to check where they are. There are so many opportunities to use it over and over again, and so that flexibility was a real strong point. Another key factor was it being open source. It was really easy for us to do this proof of concept and to do some show-me, and to go take part of our baseline, lay it out, and show other teams how easy it was to get that feedback on, you know, what was wrong with a system or how they'd drifted from that.

You know, also, we had multiple tools that we used: tools for Windows servers, tools for Linux servers. And what we really like about InSpec and Chef as reporting tools is that it's one language that reaches across all those OSes, and it's the power of power that is just Duncan pre components.

For the record, as the community advocate for InSpec, I did not pay him to just say that.

No, I think it objects in the millions. No endorsement. No, it's great. Absolutely not.

So what was the rollout like? How did you get started? I mean, such a huge company, analysis paralysis is really a thing. Tom, how did you start rolling this out? How did you convince people to follow around?

Yeah, so the first thing, we really saw the benefits, and then the
you know, like I said, we were looking for an easier way to do what we do, and we really just dug in and started looking at InSpec and just learned a little bit about it, and a little bit of Ruby, and, you know, it's pretty easy to learn. So we started with that, and it really helped that there are tons of examples, the documentation is awesome, and the Chef community is a great source of help to, you know, begin; people are really more than willing to help, and you post a question and you get an answer right away. It's awesome. We really just kind of took that and just wrote a couple of tests, ran it, saw it in action, and from there we wrote a Chef recipe that fixes that. So we saw a failure, wrote a recipe to fix it, and we ran the InSpec test again and we saw passes, and now we can just scale it up from there. We started spinning up VMs on our laptops, we brought in Test Kitchen, where we can run stuff on a VM on a laptop and prove that it can really affect the, you know, and scale from there. We kept showing management that, look, this is easy, this is go fast, we can do this. So management just, this kind of mind in dual proof of concepts here and here.

I think the key thing that happened in the early stages, even before rolling it out, was around collaboration. We started having some sessions where we meet every week and started doing pairing, and we, you know, looked together and used some code review kind of work practices, and started kind of looking at how this happens in a pipeline and trying to use it in a pipeline, and just incrementally went from there. But it was collaboration like our organization is not used to: we had people from several different groups coming together and working through that, and that's a key part of DevOps transformation, something that we achieve the event was much as possible
Right, the journal develops tools you just justify; this is a transformation exercise to get teams working together in ways that weren't possible. To hear that compliance automation is allowing you to do that is very exciting; that's really great. Yes, so, one of my favorite things about the OODA loop is that it's a loop: you should be continuing to do this over and over and over again. And I kind of lied when I drew the loop, because there's more to it, but I don't want
the slides to be busy. One of the key fundamental parts of the loop is that you collect feedback at every step and, you know, you re-evaluate: well, how can we make this better each time? So as we sit here and reflect over the past year about what you gentlemen have been working on, how did the year go? How did this past 12 months, this journey, work for you? Go on.

Well, traditionally our team was more operating system support, admin type, you know; we weren't developers, right? So we automated things out of necessity, just because of our growth and the minuses weird with support. And, excuse me, my team really took on that transformation. It was a really amazing transformation to see, that people are always looking for new ways to automate what we're doing, and they just go, picking up InSpec, and to see how close fit a mineral is called it the a this figure of the surrounding that, and just to see them turn from somebody that logs into a server to make a change to somebody that thinks about writing code to do the same thing. So it was cool.

As a people manager, I have to mention that seeing your team have bold moments of "this is a tool that can solve our problem" is a pretty energizing thing to experience. And Odie, how about you, how has the year gone for you?

So participating in the transformation your team was having was absolutely, definitely one of the highlights of my job for the last year, and it was amazing to experience that. I also feel a lot of satisfaction in seeing where we've come in this last year, too, in proving a key point. We put a lot of energy, especially in the healthcare field, into safety and, you know, having a lot of controls in place, and there is zero tolerance; our level of acceptance for risk is very, very low. And PHI is one of those; we were the good radiation this morning, and PHI pushes up there, you know, 5. So it's important. And so looking back at this last year, it's been a proof that we really could use these practices to make a safe system of work so that we could increase our velocity and drive in that direction. I actually gave a talk a year ago in this room, kind of talking about the idea of how this is going to be a great opportunity for healthcare to really jump forward a lot, because we start bringing in those degrees of controls and that need for safe systems into this process and really drive forward, and I think this year has really been a major step in proving that.

But I get the feeling that you might not be alone, given the amount of people that are in this room wanting to hear the story. Also, healthcare is not the only sector that could use this transformation, so this is wonderful. I'm sure this process did not happen without some bumps in the road, so I want to hear first about technical challenges. What sort of technical issues did you run into, or other technical hurdles that you experienced, as you were starting on this compliance automation journey? Tom, we'll start with you and your team.

Just the nature of our environment and the way that we have been share the isolation of data, and, you know, certain things have to be isolated and you can't reach in from the common core network. The big challenge for that is we've got firewalls in place, and, you know, you have to be able to reach into those environments and collect the data and be able to effect the change. I think some of that stuff, I mean, we're still fighting and figuring out, but I think we have come a long way on that, how to do it and the right way to do it, and we've really been able to make some progress there. And for us, writing InSpec tests, you know, it's fairly easy to write InSpec tests
that you can gather information from a server, but what we've really started doing now is reaching out into other systems, other areas where we have to collect that data from other systems, and, you know, reaching out using APIs now and not just logging on to a server to gather information. So some of those things are challenging as well, because, like I said, we're not developers by nature, and learning how to do some of that stuff has been a challenge too.

It feels like, when we talked last week, that even though you don't need to know Ruby to use InSpec, it certainly helps, but of course that is a challenge as well. So hearing that you're starting to expand the use of InSpec and sort of push the borders of what it can do, it's nice to know that the Ruby language is there for you, but obviously if you have a team of people that would not normally call themselves software engineers, that feels like a hurdle.

It's a hurdle, but possibly a worthwhile hurdle, right? And the great thing about InSpec is you don't have to start with pure InSpec, purely; you can take a PowerShell script that you've been using for years and plug it into an InSpec test and it works, and you can later go back and refactor that and make it pretty, but you can take what you're comfortable with and start there, which is great, and it's a great way to make that transition.

Odie, from your perspective, any technical challenges you want to speak to?

You know, I could go pretty long on that list. No, I think maybe if people are interested in some of those afterward, we could certainly talk about those at the break or something.

So how about non-technical challenges this year? Let's go that direction.

So, you know, one of the biggies for us, and I imagine it's true for a lot of people, there's
we're talking about a transformation around workflow and culture, but there's a real skills transformation involved when we're talking about teams working in this space and trying to put as code something that's been done in PDFs for so long. So, you know,
having a discussion around being test-driven and how to do test-driven development, and having pipelines, and having all these pieces with version control. I'll actually say that I do more time teaching Git than I do teaching anything other, because just getting these teams used to having version control as part of the workflow is just such a shift. So that transition takes a lot of time, and that's been a challenge for us, to feel like we're going as far as we want to, because there's just so much retooling for staff.

I think, you know, for me, we have the compliance team and now is being that that friendly facing on a year from now, and I think breaking down silos that we've historically had, and just reaching out to another team and just starting an open discussion, can be challenging, because people are naturally resistant to change: you know, "that's always the way we've done it and it works", you know, "why do we need to do this new thing?" And so I think that just starting that conversation, to start talking about it, is really the first part of it, and it makes a huge difference, and it has for us so far.

Yeah, and, you know, you mentioned large company, and with a large company comes a lot of complexity, and so you end up with lots of different teams that have ownership and responsibility for lots of different things, and trying to get a sort of unified notion of how to tackle the pieces and which team should really be responsible for which piece of code has been an interesting technical.

And so also, trying to relay a message that compliance is not just my team's job; we're not the only ones responsible for it. It should be everybody; it should be in from the beginning to the end, you know, not, we're moving compliance left, but everybody needs to be concerned about it.

We keep saying your company is large; how
large is large? Can you tell us how many people work at Optum?

You know, I doubt that I could give you an accurate value. So Optum is a member of a family of companies that together make up UnitedHealth Group, so we're providing technology for a variety of other sister companies, I guess we'll call them, and together we're talking hundreds of thousands of, ridiculous, people.

To bring even a subset of that along with you on a journey is a task; I mean, that's hard work you have to do. So as we reflect on how the year went and the challenges that you both overcame and still need to overcome, what are some of the next steps for your team? What's the next big thing that you want to do this year? Tom first.

For us, in an already is that of almost 2, and we're also responsible for not only the security reassignments, stuff like that, but responsible for making sure that all the servers are up to the current patch level, and that's the next big thing this year we really want to tackle: how we bring in that process that we go through, how do we, you know, bring InSpec and Chef in to really drive the whole patching process. We've been doing a few little POCs and making some progress, and it's pretty promising, so we'll continue down that road. And then really we want to share success with the rest of Optum and really just say, look what we've done, you know, with this little ragtag group of people, and just really get the message out across the company, and just keep those discussions on.

Yeah, encouraging other teams to use what's been built; there's a lot of internal marketing that we need to do to really get it to be reusable in a way we can use. So, you know, also, I'm really interested in the coming year to be thinking about how we start bridging
into the documentation and the audit side of things. So, you know, now we've got this great feedback, we've talked about how to give that feedback to teams, they're getting work in the pipelines, but we've also talked about how having the always-on audit and having all that ability, being able to bring that together and start iterating on our baselines that we have, to really start getting all the metadata caught up in all the controls, references to where they map to in different regulations, and being able to really tie that into our documentation as evidence and have it accepted by auditors as evidence is, I think, an interesting journey for us, and there's just so that you go.

No, that's wonderful. Are there any major hurdles as you decide how next best to proceed? You mentioned a couple already. Are there any other glaring things you feel like you need to tackle before you're properly empowered and have what you need in order to go down that path and start on the next step of the journey? So if the answer is no real elements it would too.

I think for me, finding more champions and building mass within our organization of partners who are also moving the effort forward. But it takes a lot of energy to keep, you know, doing demos and keep doing POCs over and over again for people and trying to convince every group that you reach, and having that number of champions grow in the organization, to just see them keep taking that next step, is going to be something I feel like we're going to need to really go all the way.

Yeah, I would agree. Over this past year, I think we formed a team, the Chef-as-a-service type team, where they're really driving, trying to drive the visibility of Chef and InSpec throughout the company and really trying to onboard people into using, you know, and running community meetings and stuff like that. And I really have a
vision that we build our own little Chef community within Optum, and I think that can happen. I think we're well on the way, further along the way.

Yeah, that's great. So it's
pass along something. I got a kick out of this clip art, but usually that's how we receive compliance rules. But I'm asking you to pass on the additional information. What,
what took over, those that are here with us, what is the one takeaway that you'd like to pass on, the encouragement and guidance? Tom, let's start with you.
Yeah, so for me, I would just say, you know, the stuff of what my team did, I'd just say just try, just do it, you know, just get something started. Start small, you know, and just do little proofs of concept and start small and spread. And like for us, it just spreads, and other areas and other groups can look to you and say, well, they did it, we can do it.

I'll go back to probably the same now get the prior everyone has heard from Nathen Harvey and from every single DevOps talk you've ever heard, and I guess just go pound it in one more time: it's people first. It's reach out and talk to someone and find out a year. So for those people that have to work with a compliance group, who are not in the compliance group, contact one of them, start talking about what they do, how they do it, you know,
what it's like and what they struggle with. And vice versa, if you're somebody in a compliance group, you know, be reaching out to a dev group or be reaching out to an operations group and start hearing about what the problems are like and start talking about what your pain points are, because chances are, between you, you'll suddenly start to have ideas about those pain points. And for us, that's really where the last year started: it was just people not in the same team talking to each other, figuring out what it's like on the other side of the fence, in another silo, and working from there. And I think you can do it without that initial connection of building that relationship, that we really had no idea who each other were, and this also and had this conversation and just look from and just start packing.

It takes a tremendous amount of courage to come up here on stage and talk to a room full of people and let us peek behind the curtain, so please join me in thanking Odie and Tom. With that, we have some time for questions. I will be the audience run-around person, so if anyone has questions, just raise your hand, stand up, and I'll come find you. Anything at all.

Yeah, thank you. A question: why did you choose Chef, and in this case InSpec, instead of another configuration management tool like, I don't ballplayer, whatever? What was the key to use Chef, and in this case InSpec?

That's a really complicated question, partly because it's a large organization, and to some degree the Chef decision was already made independent of the compliance group. So the
Chef piece was pretty well already there, and for us to have a discussion, you know, about InSpec and diving in, we were already looking at how to work around Chef with by mode and using Serverspec out of band to check things and try to figure out what we could do before InSpec really came before I spoke. Once InSpec appeared, it was very clear that, you know, the control
structure just made a great deal of sense, and it was very applicable, and it was a lot less overhead than trying to figure out how to do the other options. So, you know, the Chef piece came first and InSpec was just and just on a place.

the Soon was here compliance to user years still writing, defining all the requirements, still on the Excel spreadsheets, or are you getting all your teams, compliance and security, to all start with everything from instanton and then writing your solutions have Chef forehead you still use, OK, an Excel spreadsheet with what you want to do with this and then translate the requirements against the and 1 of the ah yes so following the model as everyone's confined to just uniformity have

Yeah, I think we're still at the point where we do have that published PDF, and that gets approved and reviewed all the time. Right now I and my team has to turn on and in the code, so we're still at the point where we start at that source of the published PDF and map here.

I'll add in that we're an organization that's in that transition box so here, and it's a large organization, as we said, so it's a large battleship to turn. And so we work a lot in baby steps toward change, so having this there gives us the momentum, and we're working toward being able to prove that, you know what, having version control as source is a great way to go, and all that extra added is maybe not necessary. And I am interested, though, because there's always going to be a need for the document, the artifact that is read by the business and read by auditors, and in a lot of respects that so there's some projects out there around, you know, would be compiling documentation, and I'm interested in ways that we may think about InSpec getting the artifacts that it produces from the code that's really in that document format for people to review. But hopefully that, you know, authoritative
source will be version control.

Yeah. With that, thank you again. Another big round of applause for Tom and Odie.

And so I want to thank Adam for, like, taking this ball up and doing this with us; it's been awesome. Thank you. Thank you. might just be a holiday. Thank you, guys. Thanks, everyone. Enjoy the conference.