March 17, 2023

What is Compliance as Code?


Compliance as code can do powerful things for your org: it can reduce risk, cut back on manual work, and maintain compliance in an ever-changing regulatory world. Let’s take a magnifying glass to the way that compliance as code works, and how it can drive time to value. 

What is Compliance as Code? 

Compliance as code is the process of defining your organization's compliance policies through written code. Once written as code, IT infrastructure can be automatically evaluated for compliance against major regulatory benchmarks. 

One survey of IT security professionals found that, on average, organizations must comply with 13 different regulations and spend an average of $3.5M annually on compliance activities, with audit-related activities consuming 232 person-hours per year. With a team of five people, that adds up to 1.5 months a year devoted to audit-related activity.

Taking a programmatic approach to regulatory compliance can save you significant time (and grief). Nearly all survey respondents (99%) indicated their organization would benefit from automating IT security and/or privacy compliance activities. Expectations included increased accuracy of evidence, reduced time spent being audited, and the ability to respond more quickly to audit evidence requests.

The Benefits of Compliance as Code 

Declaring compliance as code provides three key benefits by: 

  1. Defining your organization's compliance policy as written code 
  2. Incorporating compliance checks into every step of the software delivery lifecycle 
  3. Eliminating configuration drift automatically with model-driven automation 

Let’s examine each of these further. 

1. Defining Your Organization's Compliance Policy as Written Code

With few exceptions, the infrastructure requirements in your organization’s compliance policy (e.g. minimum password length or firewall configuration) can be declared as code, enabling policy-based management and providing a template for newly provisioned infrastructure. 

Policy as code is essential to automating and scaling the manual tasks associated with compliance, from testing to remediation to enforcement. In short, it is the first step in bringing order to compliance chaos. 

2. Integrating Compliance Checks into the Software Delivery Lifecycle

IT compliance is often seen as a bottleneck to accelerated deployment. While DevOps, CI/CD workflows, and on-demand provisioning have increased agility in the software delivery lifecycle, compliance checks tend to occur during the final stages of development, and typically involve numerous manual steps. Thus, when a violation is detected, it leads to re-work and delays.

According to CIO and CTO interviews conducted by McKinsey in 2019, “69 percent of organizations indicate that implementing stringent security guidelines and code review processes can slow developers significantly.” 

This problem often has more to do with siloed workflows than with compliance requirements. If compliance checks are the last step in your development process, you’re setting yourself up for failure. Compliance as code addresses the underlying issue by ensuring compliance requirements are incorporated into the initial design phases and enabling the integration of compliance checks into DevOps workflows. It’s significantly easier to design around a requirement than it is to re-architect a finished product. Imagine building an entire house before discovering that the foundation doesn’t meet building standards. 

Running compliance scans in dev and test environments exposes issues before the whole house is built, mitigating the risk of a show-stopping issue that delays deployment. 

3. Eliminating Configuration Drift with Model-Driven Automation

Defining policy as code has been described as a way of bringing order to the compliance chaos, but it becomes far more effective when combined with technology that can enforce policy. This prevents configuration drift by continually resolving systems against their desired state. 

Puppet is an example of model-driven automation which makes this achievable at scale. It allows you to define the configuration as code for any system in your infrastructure and enforce that configuration to automatically remediate drift. The Puppet agent automates the verification of configurations against the desired state that you’ve defined, making a corrective change if a discrepancy is detected. 

Automating compliance using a model-driven, policy-based approach simplifies and scales enforcement of multiple regulations across diverse infrastructure, including cloud. Let’s say you operate a mixed fleet of Windows 2019 and RHEL 8 servers. Each operating system (and even each OS version) must conform to a unique set of regulatory controls, which quickly becomes difficult to manage.


With Puppet, node groups can be created based on the operating system and version, allowing the appropriate set of policy requirements to be applied to all machines in that group. When a regulation is updated, you edit and deploy the revised code, rather than manually making changes to each individual asset. 
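The pattern described above (one policy requirement, such as minimum password length, declared as code, enforced against drift on every agent run, and applied per operating system), as an added example that is not code from the original post or from Puppet's own modules. It assumes the puppetlabs-stdlib module is installed for the file_line type; the class name, the value 14 and the resource titles are constructed for illustration.

```puppet
# Added example; not code from the original post or from Puppet's own modules.
# One control from a hypothetical policy ("minimum password length is 14")
# expressed as Puppet code. Assumes the puppetlabs-stdlib module (for file_line).
class compliance::password_policy (
  # The desired-state value; 14 is a constructed example, not a cited benchmark.
  Integer[8] $min_length = 14,
) {
  case $facts['os']['family'] {
    'RedHat': {
      # RHEL hosts: PASS_MIN_LEN in /etc/login.defs is the desired state.
      # Every agent run re-checks the line, so a manual edit (drift) is corrected.
      file_line { 'login_defs_pass_min_len':
        path  => '/etc/login.defs',
        line  => "PASS_MIN_LEN ${min_length}",
        match => '^PASS_MIN_LEN\s',
      }
    }
    'windows': {
      # Windows hosts: apply the local policy only when the current value differs,
      # so the run is idempotent and reports a change only when drift was found.
      exec { 'windows_min_password_length':
        command => "net.exe accounts /minpwlen:${min_length}",
        path    => 'C:/Windows/System32',
        unless  => "cmd.exe /c net accounts | findstr /R /C:\"password length: *${min_length}\"",
      }
    }
    default: {
      # Surface unmanaged platforms instead of silently treating them as compliant.
      notify { 'password_policy_unmanaged':
        message => "No password-length control is defined for ${facts['os']['family']}",
      }
    }
  }
}

# Classification by OS facts, the code equivalent of the node groups described above:
# both parts of the mixed fleet get the same control, each enforced in its own way.
node default {
  if $facts['os']['family'] in ['RedHat', 'windows'] {
    class { 'compliance::password_policy':
      min_length => 14,
    }
  }
}
```

Changing the required length later means editing `min_length` once and deploying, rather than touching each server by hand.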

Implementing Puppet Comply in conjunction with Puppet Enterprise empowers IT Operations teams to run their own compliance scans—no more reliance on InfoSec staff. Scan results are mapped to individual nodes accompanied by clear instructions for fixing a violation, enabling more efficient remediation. 

Using Compliance as Code with Different Regulations 

Most regulatory and compliance mandates, including HIPAA, PCI, and the EU’s GDPR, are built upon frameworks that declare the expectations for appropriate practices, along with benchmarks and guides that can provide direction to the reader. The Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) are two immensely popular examples, in part due to their widely-adopted guidelines and standards. 

Terms such as ‘compliance’ and ‘regulation’ have become diluted in their meaning, leading organizations to sometimes dismiss them as not applicable. Even if a company does not process credit cards, is not publicly traded, and does not work under military contracts, it should still give consideration to these established standards. In fact, every business should adhere to desired state baselines (even if just internally) so that technology deployments are measurable and consistent.

How to Enforce Compliance as Code 

Compliance as code streamlines compliance from end to end with the ability to: 

  • Build a template for newly provisioned infrastructure with compliance requirements built in. 
  • Assess the state of compliance throughout the software delivery lifecycle and easily remediate violations. 
  • Manage hundreds of requirements across complex, diverse infrastructure. 
  • Eliminate configuration drift and continually enforce compliance policy in an automated, scalable way. 

For an elevated experience, Puppet’s Compliance Enforcement Modules (CEM) integrate with Puppet Enterprise and are hugely popular because they automatically enforce desired state aligned with industry standards, including CIS Benchmarks and DISA STIGs. The modules are highly flexible and customizable, and are maintained and updated as new recommendations become available.


When your next audit rolls around, defining compliance as code means you’ll be equipped to demonstrate that you’ve been managing it all along, using a consistent, reliable process for enforcing compliance across your entire estate. That instills far more confidence than an ad hoc, manual approach, which is prone to oversights and human error. Just think: no more fire drills and unforeseen spikes in mitigation activity.

Best of all, the hundreds of hours you once spent on manual, soul-crushing compliance activities can now be redirected towards projects that add business value for your customers and your organization. 


This blog was published in 2021 and has since been updated for relevance and accuracy.