January 21, 2021

The Benefits and Use Cases of Compliance as Code


Regulatory compliance is time-consuming and expensive. Compliance as code is a better way to achieve and maintain regulatory compliance, reduce risk, and spend that time on initiatives that drive customer value. In this blog, we'll cover what compliance as code is and how it drives value by saving time and freeing up your most valuable resources.


What is Compliance as Code?

Compliance as code is the process of defining your organization's compliance policies through written code. Once they're written as code, they can be automatically tested against major regulatory benchmarks to measure compliance across your infrastructure and IT.

Compliance as Code Benefits and How To Use Compliance as Code

One survey of IT security professionals found that, on average, organizations must comply with 13 different regulations and spend an average of $3.5M annually on compliance activities, with audit-related activities consuming 232 person-hours per year. With a team of five people, that adds up to 1.5 months a year devoted to audit-related activity.

Taking a programmatic, compliance-as-code approach to regulatory compliance can save you a lot of time (and grief). Nearly all respondents to the same survey (99%) indicated their organization would benefit from automating IT security and/or privacy compliance activities, citing expected benefits such as more accurate evidence, less time spent being audited, and the ability to respond to audit evidence requests more quickly.

Using compliance as code can be broken down into three key steps:

  • Defining your organization's compliance policy as written code
  • Incorporating compliance checks into every step of the software delivery lifecycle
  • Eliminating configuration drift automatically with model-driven automation

Define Compliance Policy as Code

With few exceptions, the infrastructure requirements in your organization’s compliance policy — say, minimum password length or firewall configuration — can be defined as code, enabling policy-based management and providing a template for newly provisioned infrastructure.

Policy as code is essential to automating and scaling many of the manual tasks associated with compliance, from testing to remediation to enforcement. In short, it is the first step in bringing order to the compliance chaos, and enables the following stages.

Integrate Compliance Checks into the Software Delivery Lifecycle

IT compliance is often seen as a bottleneck to accelerated deployment. While DevOps, CI/CD workflows, and on-demand provisioning have increased agility in the software delivery lifecycle, compliance checks are typically manual and don’t occur until the final stages of development. Thus, when a violation is detected, it leads to re-work and delays.

According to CIO and CTO interviews conducted by McKinsey in 2019, “69 percent of organizations indicate that implementing stringent security guidelines and code review processes can slow developers significantly.”

In reality, this problem has more to do with siloed workflows than it does with compliance requirements. If compliance checks are the last step in your development process, you’re setting yourself up for failure.

Compliance as code helps address the underlying issue by ensuring compliance requirements are incorporated into the initial design phases and enabling the integration of compliance checks into DevOps workflows. It’s a lot easier to design around a requirement than it is to re-architect a finished product. Imagine building an entire house and then finding out that the foundation doesn’t meet building standards.

Running compliance scans in dev and test environments will turn up issues before the whole house is built and mitigate the risk of a show-stopping issue that delays deployment. With Puppet Comply, IT Operations teams can run their own scans instead of needing to rely on InfoSec. Plus, scan results are mapped to individual nodes along with clear instructions for fixing a violation, making remediation more efficient.

Eliminate Configuration Drift with Model-Driven Automation

Defining policy as code goes a long way toward bringing order to the compliance chaos, but it doesn’t do much good unless you have a way to enforce policy – that is, to prevent configuration drift and keep systems in their compliant state.

A model-driven automation tool like Puppet makes this achievable at scale, allowing you to define the compliance as code configuration for any system in your infrastructure, enforce that configuration, and automatically remediate drift. The Puppet agent continuously checks configurations against the desired state that you’ve defined, and makes a corrective change if a discrepancy is detected.

Automating compliance with a model-driven, policy-based approach simplifies and scales enforcement of multiple regulations across diverse infrastructure. Say you operate a mixed fleet of Windows 2019 and RHEL 8 servers. Each operating system (and OS version) must conform to a unique set of regulatory controls, which quickly becomes difficult to manage.

With Puppet, you can create node groups based on the operating system and then apply the appropriate set of policy requirements to all machines in a group. When a regulation is updated, you edit only the underlying code, rather than making manual changes to each individual system.
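As an added example (not code from this post or from Puppet itself), the three ideas above can be expressed in a single Puppet class: the minimum-password-length and firewall controls written as code, the agent's desired-state enforcement, and the per-OS selection that the node-group approach relies on. It assumes the puppetlabs-stdlib, puppetlabs-firewall (7.x syntax) and puppetlabs-powershell modules; the class name and the value 14 are constructed for the illustration.

```puppet
# Constructed example: one compliance control as code, branching on the
# os.family fact so the same class serves a mixed RHEL / Windows fleet.
class profile::compliance::password_policy (
  Integer[8] $min_length = 14,   # constructed value; take yours from the benchmark
) {
  case $facts['os']['family'] {
    'RedHat': {
      # Desired state: exactly one PASS_MIN_LEN line in /etc/login.defs.
      # Every agent run compares the file to this line and rewrites it on drift.
      file_line { 'login.defs PASS_MIN_LEN':
        path  => '/etc/login.defs',
        line  => "PASS_MIN_LEN ${min_length}",
        match => '^PASS_MIN_LEN\s',
      }
      # Firewall control: keep existing connections, accept inbound SSH,
      # drop everything else. The numeric prefix fixes the rule order.
      firewall { '000 accept established and related':
        proto   => 'all',
        ctstate => ['RELATED', 'ESTABLISHED'],
        jump    => 'accept',
      }
      firewall { '100 accept inbound ssh':
        proto => 'tcp',
        dport => 22,
        jump  => 'accept',
      }
      firewall { '999 drop other inbound':
        proto => 'all',
        jump  => 'drop',
      }
    }
    'windows': {
      # No native type is assumed here, so an exec is made idempotent with an
      # `unless` guard: `net accounts` runs only when the live value differs.
      exec { 'set minimum password length':
        command  => "net accounts /minpwlen:${min_length}",
        unless   => "if ((net accounts) -match '^Minimum password length.*\\s${min_length}\$') { exit 0 } else { exit 1 }",
        provider => powershell,
      }
    }
    default: {
      # Fail loudly rather than silently leaving a node unmanaged.
      fail("No password policy is defined for OS family ${facts['os']['family']}")
    }
  }
}
```

Assigning this class to a node group per operating system gives the behaviour the post describes: a regulation change is made once in the class, and the agent applies it to every node in the group on its next run.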

Enforcing Compliance as Code Automatically

Compliance as code streamlines compliance from end to end. It gives you the ability to:

  • Build a template for newly provisioned infrastructure with compliance requirements built in.
  • Assess compliance status throughout the software delivery lifecycle and easily remediate violations.
  • Manage hundreds of requirements across complex, diverse infrastructure.
  • Eliminate configuration drift and enforce compliance policy in an automated, scalable way.

When your next audit rolls around, defining your compliance as code means you’ll be well equipped to demonstrate a consistent, reliable process for ensuring compliance across your estate. That instills a lot more confidence than an ad hoc, manual approach – no more fire drills and unforeseen spikes in activity.

And best of all, the hundreds of hours you once spent on manual, soul-crushing compliance activities can now be spent on things that actually add value for your customers and your business.
