Review: How InSpec 2.0 delivers comprehensive compliance

The InSpec 2.0 platform from Chef tackles compliance head-on, tailored to the specific rules and guidelines that a company wants or needs. It is designed to both make sense of regulatory and technical guidelines and ensure that a network is protected according to those rules.


Over the years, many government agencies, regulatory groups and even industry organizations have created compliance rules that govern how technology should be configured for a certain task or network. For example, any merchant that uses credit cards must become compliant with the Payment Card Industry Data Security Standard (PCI DSS). Healthcare providers must submit to Health Insurance Portability and Accountability Act (HIPAA) rules. And anyone who does any business within Europe now needs to comply with the General Data Protection Regulation (GDPR) or risk major fines. Even if there are no specific regulations imposed within a sector or on a business, there are quite a few well-written best practices like the NIST Cybersecurity Framework that can benefit any organization.

The problem with most of these regulations and guidelines is that they can be difficult to interpret, much less successfully implement. Some of the statutes are made up of iron-clad rules that almost seem designed to make technology implementation more difficult. Others are fuzzy, commonsense sets of advice with little real-world guidance on how to achieve them.

The InSpec 2.0 platform from Chef is designed to both make sense of regulatory and technical guidelines and ensure that a network is protected according to those rules. In almost every other program that CSO has reviewed that included compliance, it was an extra, almost a bolted-on addition behind security. InSpec 2.0 instead treats compliance as its primary mission, tailored to the specific rules and guidelines that a company wants or needs. And while compliance does not always equal security, most guidelines exist for a reason, so getting every server, endpoint and app into compliance with relevant regulations is, if nothing else, a great starting point for achieving robust cybersecurity.

InSpec 2.0 can be installed in several different ways. If an organization is using the Chef Automate program to configure its nodes, InSpec can work through those installations, which essentially become agents for the program. But agents aren’t required. We tested InSpec using a single installation of the program running on a workstation, and used it to scan a large test network. All we needed was the credentials for the machines being scanned. And InSpec was quick too, returning answers to queries about 300 compliance issues across dozens of clients in just a few seconds.

Pricing for InSpec 2.0 is currently based on the number of nodes being protected and scanned for compliance issues. However, one of the new features in the 2.0 product is support for cloud deployments and virtualization environments, where new nodes can be spun up and dropped from the network continuously. The company admits that its per-node pricing model needs to be updated for those environments; something new is coming, but it was not quite ready at the time of this review.

[Image: InSpec "Ask Questions" screenshot. Credit: John Breeden II / IDG]

InSpec 2.0 uses a very simple form of code that can ask questions about a node’s compliance with relevant regulations and guidelines, and then reports back about any issues. Users get access to many queries and compliance profiles right out of the box.

Getting started with InSpec 2.0 was not difficult, though it did require a baseline understanding of coding, or at least the general principles of programming. Out of the box, there were 98 compliance profiles in the online repository that customers could apply to their InSpec consoles. These compliance profiles are sets of queries designed to help achieve parity with all of the major certifications, regulations and best practices currently in use today. The program does a very good job of explaining which guideline is being tested against and, sometimes more importantly, why specific tests are recommended.
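To make concrete what the review means by "a simple form of code that asks questions about a node's compliance" and by profiles that explain what is tested and why, here is an added illustration in plain Ruby. It is not InSpec's own DSL (InSpec profiles use a Ruby-based `control`/`describe` syntax) and not code from Chef or from any published profile; it models the same idea, a list of controls, each with an id, an impact, a title, a reason and a check, run against a constructed sample `sshd_config` so that it executes offline with nothing but a Ruby interpreter. The control ids, impacts and the sample configuration are all made up for the example.

```ruby
# Added illustration (not InSpec's DSL): compliance controls as small,
# explainable checks run against a node's configuration file.

# Constructed sample sshd_config; not captured from any real host.
SAMPLE_SSHD_CONFIG = <<~CONF
  # OpenSSH daemon configuration (constructed sample)
  Port 22
  PermitRootLogin yes
  PasswordAuthentication yes

  X11Forwarding no
CONF

# sshd_config uses "Keyword value" lines and keywords are case-insensitive,
# so keys are normalised to lower case. Comments and blank lines are skipped.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] = value
  end
end

# Each control carries the fields a reader of a compliance profile expects:
# an id, a severity (impact), what is tested, and why it matters.
Control = Struct.new(:id, :impact, :title, :desc, :check)

# Hypothetical controls for illustration only, not taken from any published profile.
CONTROLS = [
  Control.new('ssh-01', 1.0, 'Root may not log in directly over SSH',
              'Direct root logins remove per-user accountability; log in as a named user and escalate.',
              ->(cfg) { cfg['permitrootlogin'] == 'no' }),
  Control.new('ssh-02', 0.7, 'Password authentication is disabled',
              'Key-based authentication resists online password guessing.',
              ->(cfg) { cfg['passwordauthentication'] == 'no' }),
  Control.new('ssh-03', 0.3, 'X11 forwarding is disabled',
              'Forwarding X11 widens the client attack surface with no server-side benefit.',
              ->(cfg) { cfg['x11forwarding'] == 'no' }),
  Control.new('ssh-04', 0.5, 'MaxAuthTries is at most 4',
              'Limits authentication attempts per connection; OpenSSH defaults to 6 when unset.',
              ->(cfg) { cfg.fetch('maxauthtries', '6').to_i <= 4 })
]

# Run every control against one configuration and record pass/fail per control.
def run_controls(config_text, controls = CONTROLS)
  cfg = parse_sshd_config(config_text)
  controls.map do |c|
    { id: c.id, impact: c.impact, title: c.title, desc: c.desc,
      status: c.check.call(cfg) ? :passed : :failed }
  end
end

# Totals plus a simple compliance score (fraction of controls passed).
def summarize(results)
  passed = results.count { |r| r[:status] == :passed }
  { passed: passed, failed: results.size - passed,
    score: results.empty? ? 0.0 : passed.to_f / results.size }
end

# Human-readable report: states what was tested and, for failures, why it matters.
def format_report(results)
  lines = results.map do |r|
    tag = r[:status] == :passed ? 'PASS' : 'FAIL'
    line = "[#{tag}] #{r[:id]} (impact #{r[:impact]}) #{r[:title]}"
    line += "\n       why: #{r[:desc]}" if r[:status] == :failed
    line
  end
  s = summarize(results)
  lines << "#{s[:passed]} passed, #{s[:failed]} failed, score #{(s[:score] * 100).round}%"
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts format_report(run_controls(SAMPLE_SSHD_CONFIG))
end
```

Run it with `ruby` and the sample configuration fails three of the four controls (root login, password authentication and the unset `MaxAuthTries`, which the check treats as OpenSSH's default of 6). The `desc` field is the part the review praises in real profiles: a finding that says why a setting matters is far easier to act on than a bare pass/fail.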

