Simone Van Cleve
Regulatory compliance is time-consuming and expensive. Compliance as code is a better way to achieve and maintain regulatory compliance, reduce risk, and spend that time on initiatives that drive customer value. In this blog, we'll cover what compliance as code is and how it drives value by saving time and freeing up your most valuable resources.
Compliance as code is the process of defining your organization's compliance policies through written code. Once they're written as code, they can be automatically tested against major regulatory benchmarks to measure compliance across your infrastructure and IT.
One survey of IT security professionals found that, on average, organizations must comply with 13 different regulations and spend an average of $3.5M annually on compliance activities, with audit-related activities consuming 232 person-hours per year. For a team of five people, that adds up to 1.5 months a year devoted to audit-related activity.
Taking a programmatic approach to regulatory compliance can save you a lot of time (and grief). Nearly all respondents to the survey (99%) indicated their organization would benefit from automating IT security and/or privacy compliance activities, citing expected benefits such as increased accuracy of evidence, reduced time spent being audited, and the ability to respond to audit evidence requests more quickly.
Using compliance as code can be broken down into three key steps: defining policy as code, testing for compliance early in the delivery process, and enforcing policy to prevent drift.
With few exceptions, the infrastructure requirements in your organization’s compliance policy — say, minimum password length or firewall configuration — can be defined as code, enabling policy-based management and providing a template for newly provisioned infrastructure.
Policy as code is essential to automating and scaling many of the manual tasks associated with compliance, from testing to remediation to enforcement. In short, it is the first step in bringing order to the compliance chaos, and enables the following stages.
IT compliance is often seen as a bottleneck to accelerated deployment. While DevOps, CI/CD workflows, and on-demand provisioning have increased agility in the software delivery lifecycle, compliance checks are typically manual and don’t occur until the final stages of development. Thus, when a violation is detected, it leads to re-work and delays.
According to CIO and CTO interviews conducted by McKinsey in 2019, “69 percent of organizations indicate that implementing stringent security guidelines and code review processes can slow developers significantly.”
In reality, this problem has more to do with siloed workflows than it does with compliance requirements. If compliance checks are the last step in your development process, you’re setting yourself up for failure.
Compliance as code helps address the underlying issue by ensuring compliance requirements are incorporated into the initial design phases and enabling the integration of compliance checks into DevOps workflows. It’s a lot easier to design around a requirement than it is to re-architect a finished product. Imagine building an entire house and then finding out that the foundation doesn’t meet building standards.
Running compliance scans in dev and test environments will turn up issues before the whole house is built and mitigate the risk of a show-stopping issue that delays deployment. With Puppet Comply, IT Operations teams can run their own scans instead of needing to rely on InfoSec. Plus, scan results are mapped to individual nodes along with clear instructions for fixing a violation, making remediation more efficient.
Defining policy as code goes a long way toward bringing order to the compliance chaos, but it doesn’t do much good unless you have a way to enforce policy – that is, to prevent configuration drift and keep systems in their compliant state.
A model-driven automation tool like Puppet makes this achievable at scale, allowing you to define the compliant configuration as code for any system in your infrastructure, enforce that configuration, and automatically remediate drift. The Puppet agent continuously checks configurations against the desired state that you’ve defined, and makes a corrective change if a discrepancy is detected.
Automating compliance with a model-driven, policy-based approach simplifies and scales enforcement of multiple regulations across diverse infrastructure. Say you operate a mixed fleet of Windows 2019 and RHEL 8 servers. Each operating system (and OS version) must conform to a unique set of regulatory controls, which quickly becomes difficult to manage.
With Puppet, you can create node groups based on the operating system and then apply the appropriate set of policy requirements to all machines in a group. When a regulation is updated, you edit only the underlying code, rather than making manual changes to each individual system.
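Here is an added example, not code from the original post or from Puppet's own modules, that ties the three steps above together: it expresses two of the controls mentioned earlier (minimum password length and firewall configuration) as a Puppet profile class, and branches on the operating-system family the way an OS-based node group would. It assumes the puppetlabs-stdlib module is installed (for the file_line resource); the class name, the parameter default of 14 characters, and the choice of firewalld on RHEL and the MpsSvc service on Windows are illustrative assumptions, not values from the post.

```puppet
# Added example: a hypothetical compliance baseline expressed as a Puppet class.
# Assumes puppetlabs-stdlib for file_line. The class name and the control
# values are illustrative; substitute the values your own policy requires.
class profile::compliance_baseline (
  # Control value a policy might set; 14 is an assumed example default.
  Integer[8, 64] $min_password_length = 14,
) {
  case $facts['os']['family'] {
    'RedHat': {
      # Control: minimum length for new local passwords (read by shadow-utils).
      # file_line replaces an existing PASS_MIN_LEN line, commented or not, and
      # only rewrites it when it drifts, so each agent run re-converges it.
      file_line { 'login.defs PASS_MIN_LEN':
        path  => '/etc/login.defs',
        line  => "PASS_MIN_LEN ${min_password_length}",
        match => '^#?\s*PASS_MIN_LEN\s',
      }

      # Control: the host firewall must be installed, enabled at boot and running.
      # If someone stops or disables it, the next agent run restores this state.
      package { 'firewalld':
        ensure => installed,
      }
      service { 'firewalld':
        ensure  => running,
        enable  => true,
        require => Package['firewalld'],
      }
    }
    'windows': {
      # Control: Windows Defender Firewall service (MpsSvc) must be running and
      # set to start automatically. The password-length control would need a
      # Windows-specific resource and is intentionally not shown here.
      service { 'MpsSvc':
        ensure => running,
        enable => true,
      }
    }
    default: {
      # Fail loudly rather than silently reporting an unmanaged node as compliant.
      fail("No compliance baseline defined for OS family ${facts['os']['family']}")
    }
  }
}
```

To use this as a scan rather than an enforcement step, as the post describes for dev and test environments, classify the node with the class and run `puppet agent -t --noop --detailed-exitcodes` (or `puppet apply --noop --detailed-exitcodes site.pp` against a manifest that includes it). In no-op mode the agent reports every resource that is out of policy without changing it and exits with code 2 when drift is found, 0 when the node already matches the desired state; dropping `--noop` turns the same class into continuous enforcement.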
Compliance as code streamlines compliance from end to end. It gives you the ability to:
When your next audit rolls around, defining your compliance as code means you’ll be well equipped to demonstrate a consistent, reliable process for ensuring compliance across your estate. That instills a lot more confidence than an ad hoc, manual approach – no more fire drills and unforeseen spikes in activity.
And best of all, the hundreds of hours you once spent on manual, soul-crushing compliance activities can now be spent on things that actually add value for your customers and your business.
Senior Marketing Programs Manager, Puppet by Perforce