BreadcrumbHomeResourcesBlog What Is Compliance As Code? The Best Way To Automate Compliance Testing + Enforcement March 17, 2023 What is Compliance as Code? The Best Way to Automate Compliance Testing + EnforcementSecurity & ComplianceHow to & Use CasesBy Claire McDyreCompliance as code can do powerful things for your org: it can reduce risk, cut back on manual work, and maintain compliance in an ever-changing regulatory world. Let’s take a magnifying glass to the way that compliance as code works, and how it can drive time to value. Table of Contents: What is Compliance as Code?Why Do People Use Compliance as Code?The Benefits of Compliance as CodeCompliance as Code Use CasesUsing Compliance as Code with Different RegulationsHow to Enforce Compliance as CodeWhat is Compliance as Code? Compliance as code means writing IT compliance policies into code that can be repeated and tested automatically. With compliance as code, you can easily test and prove your IT infrastructure's compliance against regulations and standards like CIS Benchmarks, DISA STIG, and more.One survey of IT security professionals found that, on average, organizations must comply with 13 different regulations and spend an average of $3.5M annually on compliance activities, with audit-related activities consuming 232 people hours per year. With a team of five people, that adds up to 1.5 months a year devoted to audit-related activity. 🗃Looking for more? Don't miss our comprehensive Compliance Management 101 >>Taking a programmatic approach to regulatory compliance can save you significant time (and grief). Nearly all survey respondents (99%) indicated their organization would benefit from automating IT security and/or privacy compliance activities. Expectations included increased accuracy of evidence, reduced time spent being audited, and the ability to respond more quickly to audit evidence requests.Why Do People Use Compliance as Code?Companies use compliance as code because manual compliance can slow down software delivery, compliance audits can be expensive, and misconfigurations can lead to data breaches.There are a number of reasons why companies use compliance as code for their infrastructure and IT compliance.Compliance can slow down the software delivery process. Developers want to make software quickly, and consumers want it now. Manual compliance and security checks can slow that process down. Compliance as code takes the burden of compliance off IT operations teams by turning a lot of that work into repeatable code rather than manual, one-off tasks.Compliance audits can take a ton of time. A compliance audit isn't like checking the engine of your car to make sure it's running right. A lot of compliance audits require a paper trail: That means tracking, measuring, fixing, maintaining, and reporting on your compliance over time and having proof to back it up. If you're doing it manually, the audit process can take a lot of operational time and labor. A 2020 survey found that audit-related activities took hundreds of hours every year.Manual misconfiguration can lead to data breaches. In 2023, one survey found that more than one-third of all-time data breaches could be contributed to some kind of security misconfiguration.The Benefits of Compliance as Code Declaring compliance as code provides three key benefits by: Defining your organization's compliance policy as written code Incorporating compliance checks into every step of the software delivery lifecycle Eliminating configuration drift automatically with model-driven automation Let’s examine each of these further. 1. Defining Your Organization's Compliance Policy as Written CodeWith few exceptions, the infrastructure requirements in your organization’s compliance policy (e.g. minimum password length or firewall configuration) can be declared as code, enabling policy-based management and providing a template for newly provisioned infrastructure. Policy as code is essential to automating and scaling the manual tasks associated with compliance, from testing to remediation to enforcement. In short, it is the first step in bringing order to compliance chaos. 2. Integrate Compliance Checks into the Software Delivery Lifecycle IT compliance is often seen as a bottleneck to accelerated deployment. While DevOps, CI/CD workflows, and on-demand provisioning have increased agility in the software delivery lifecycle, compliance checks tend to occur during the final stages of development, and typically involve numerous manual steps. Thus, when a violation is detected, it leads to re-work and delays.According to CIO and CTO interviews conducted by McKinsey in 2019, “69 percent of organizations indicate that implementing stringent security guidelines and code review processes can slow developers significantly.” This problem often has more to do with siloed workflows than with compliance requirements. If compliance checks are the last step in your development process, you’re setting yourself up for failure. Compliance as code addresses the underlying issue by ensuring compliance requirements are incorporated into the initial design phases and enabling the integration of compliance checks into DevOps workflows. It’s significantly easier to design around a requirement than it is to re-architect a finished product. Imagine building an entire house before discovering that the foundation doesn’t meet building standards. Running compliance scans in dev and test environments exposes issues before the whole house is built, mitigating the risk of a show-stopping issue that delays deployment. 3. Eliminate Configuration Drift with Model-Driven Automation Defining policy as code has been described as a way of bringing order to the compliance chaos, but it becomes far more effective when combined with technology that can enforce policy. This prevents configuration drift by continually resolving systems against their desired state. Puppet is an example of model-driven automation which makes this achievable at scale. It allows you to define the configuration as code for any system in your infrastructure and enforce that configuration to automatically remediate drift. The Puppet agent automates the verification of configurations against the desired state that you’ve defined, making a corrective change if a discrepancy is detected. Automating compliance using a model-driven, policy-based approach simplifies and scales enforcement of multiple regulations across diverse infrastructure, including Cloud. Let’s say you operate a mixed fleet of Windows 2019 and RHEL 8 servers. Each operating system (and even OS version) must conform to a unique set of regulatory controls, which quickly becomes difficult to manage. 📄 Download the White Paper: 5 Questions to Ask to Drive Value by Automating ComplianceWith Puppet, node groups can be created based on the operating system and version, allowing the appropriate set of policy requirements to be applied to all machines in that group. When a regulation is updated, you edit and deploy the revised code, rather than manually making changes to each individual asset. Implementing Puppet Comply in conjunction with Puppet Enterprise empowers IT Operations teams to run their own compliance scans—no more reliance on InfoSec staff. Scan results are mapped to individual nodes accompanied by clear instructions for fixing a violation, enabling more efficient remediation.Compliance as Code Use CasesYou can use compliance as code to make your IT resources compliant with regulations, benchmarks, and frameworks; verify planned changes; and immediately correct non-compliance due to drift or unapproved changes.There are many use cases for compliance as code. Here are a few compliance as code use cases to consider:Regulatory + Industry ComplianceCompliance as code can enforce regulatory standards of compliance like HIPAA and GDPR into infrastructure configurations. Industry frameworks like CIS Benchmarks and DISA STIG can also be continually assessed and enforced using compliance as code.Demo compliance as code products from Puppet >>IT Security AutomationCompliance as code can automate many security configuration checks, like requiring strong passwords, firewalls, encryption, role-based access control (RBAC), and more.Find + compare security automation tools quickly >>Compliance Auditing, Monitoring + ReportingCompliance policies written as code can be easily viewed, tracked, and understood. It also gives auditors a paper trail to follow during audits, showing what changes were made to configurations over time.Compliance ScalingAdding infrastructure and applications can make compliance challenging, especially for enterprise IT. Compliance as code is repeatable, meaning it can be applied across many environments using the same code without losing consistency.Drift Remediation/Drift CorrectionCompliance as code checks the state of infrastructure and app configurations to verify compliance. If a violation is detected (known as “drift”), compliance as code can trigger an automatic remediation to the desired compliance state.Using Compliance as Code with Different Regulations Most regulatory and compliance mandates, including HIPAA, PCI, and the EU’s GDPR, are built upon frameworks that declare the expectations for appropriate practices, along with benchmarks and guides that can provide direction to the reader. The Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) are two immensely popular examples, in part due to their widely-adopted guidelines and standards. Terms such as ‘compliance’ and ‘regulation’ have become diluted in their meaning, leading to organizations sometimes dismissing them as being not applicable. Even when credit cards are not processed, the company is not publicly traded, nor working under military contracts, consideration should still be given for these established standards. In fact, every business should adhere to desired state baselines (even if just internally) so that technology deployments are measurable and consistent. How to Enforce Compliance as Code Compliance as code streamlines compliance from end to end with the ability to: Build a template for newly provisioned infrastructure with compliance requirements built in. Assess the state of compliance throughout the software delivery lifecycle and easily remediate violations. Manage hundreds of requirements across complex, diverse infrastructure. Eliminate configuration drift and continually enforce compliance policy in an automated, scalable way. For an elevated experience, Puppet’s Compliance Enforcement Modules (CEM) integrate with Puppet Enterprise and are hugely popular as they automatically enforce desired state aligned with industry standards, including CIS and DISA-STIGS. The modules are highly flexible and customizable and are maintained and updated as new recommendations become available. 🔎 Learn more about Compliance Enforcement Modules.When your next audit rolls around, defining compliance as code means you’ll be equipped to demonstrate that you’ve been managing it all along, utilizing a consistent, reliable process for enforcing compliance across your entire estate. That instills far more confidence than an ad hoc, manual approach which is prone to oversights and human error– just think, no more fire drills and unforeseen spikes in mitigation activity.Best of all, the hundreds of hours you once spent on manual, soul-crushing compliance activities can now be redirected towards projects that add business value for your customers and your organization. Demo Puppet Comply TodayLearn MoreLearn about using tools to secure and optimize processes at scale with Perforce's enterprise automation 101This blog was published in 2021 and has since been updated for relevance and accuracy.
