March 17, 2023

What is Compliance as Code? The Best Way to Automate Compliance Testing + Enforcement


Compliance as code can do powerful things for your org: it can reduce risk, cut back on manual work, and maintain compliance in an ever-changing regulatory world. Let’s take a magnifying glass to the way that compliance as code works, and how it can drive time to value. 


What is Compliance as Code? 

Compliance as code means writing IT compliance policies into code that can be repeated and tested automatically. With compliance as code, you can easily test and prove your IT infrastructure's compliance against regulations and standards like CIS Benchmarks, DISA STIG, and more.

One survey of IT security professionals found that, on average, organizations must comply with 13 different regulations and spend an average of $3.5M annually on compliance activities, with audit-related activities consuming 232 person-hours per year. Spread across a team of five, that is roughly 1.5 person-months a year devoted to audit-related activity alone. 

Taking a programmatic approach to regulatory compliance can save you significant time (and grief). Nearly all survey respondents (99%) indicated their organization would benefit from automating IT security and/or privacy compliance activities. Expectations included increased accuracy of evidence, reduced time spent being audited, and the ability to respond more quickly to audit evidence requests.


Compliance as Code Example

In action, compliance as code is a cycle of defining, scanning, and enforcing compliance. Here's a step-by-step example of compliance as code in action:

  1. Define your compliance policies. These can include policies for password length, multi-factor authentication, role-based access control (RBAC), and other zero-trust security controls. 
    1. Starting from relevant, pre-built IT security frameworks like the CIS Benchmarks makes step 1 a lot less of a hassle: most controls are already written down together with the exact setting they expect.
  2. Write the compliance policies as code. Using your configuration management tool of choice, declare the compliant configuration of each relevant resource (files, services, users, registry keys, firewall rules) in code.
    1. Pre-built modules for tools like Puppet, Ansible, Chef, or Terraform get you to compliance as code with less actual coding.
  3. Scan for compliance automatically. IT automation tools regularly inspect your systems, compare the configuration they find against the policies you wrote, and flag noncompliant resources.
  4. Integrate the same checks into your CI/CD pipeline. That way, you know whether a change will break compliance before you deploy it, not after.
  5. Remediate policy violations. Unauthorized or improperly tested changes easily lead to configuration drift, which can take your systems out of compliance. Your automation and configuration management tools can automatically correct any difference between a system's actual configuration and its desired state.
    1. Compliance automation tools can take care of everything from defining compliance policies through drift remediation to keep you in compliance automatically.
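To make steps 1 through 5 concrete, here is an added example of a Puppet class that encodes three CIS-style Linux controls as desired state. It is illustrative code written for this article, not code from the original post or from Puppet's own modules. The class name, the controls chosen, the default minimum password length and the `sshd` service name (Debian-family hosts call it `ssh`) are assumptions; `file_line` comes from the puppetlabs-stdlib module, which the class therefore depends on.

```puppet
# Added example for this article (not from the original post or Puppet's modules).
# Assumptions: class name, the three controls and the default password length
# are illustrative; file_line requires puppetlabs-stdlib; the service name is
# the RHEL-style 'sshd' (Debian-family systems use 'ssh').
class profile::compliance::linux_baseline (
  Integer[8] $min_password_length = 14,   # assumed policy value
) {
  # Steps 1-2: the control "no direct root login over SSH" as desired state.
  # 'match' rewrites an existing (even commented-out) directive in place and
  # 'line' is appended when none exists, so re-applying is a no-op once compliant.
  file_line { 'sshd PermitRootLogin':
    path   => '/etc/ssh/sshd_config',
    line   => 'PermitRootLogin no',
    match  => '^#?\s*PermitRootLogin\s',
    notify => Service['sshd'],
  }

  # Control: the sshd configuration file must be readable by root only.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # Control: minimum length for new local passwords (login.defs).
  file_line { 'login.defs PASS_MIN_LEN':
    path  => '/etc/login.defs',
    line  => "PASS_MIN_LEN ${min_password_length}",
    match => '^#?\s*PASS_MIN_LEN\s',
  }

  # Step 5: keep the daemon running and enabled at boot. The notify above
  # restarts it only when sshd_config actually changed.
  service { 'sshd':
    ensure => running,
    enable => true,
  }
}
```

Steps 3 and 4 fall out of the same code. `puppet parser validate` in CI catches syntax errors before anything is merged, and `puppet apply --noop --detailed-exitcodes` (or `puppet agent -t --noop --detailed-exitcodes` on a managed node) reports what would change without touching the system and exits 0 when the node already matches and 2 when drift is detected, which is exactly the signal a pipeline gate or a scheduled scan needs. Run without `--noop`, the same class performs step 5 by correcting the drift on every agent run.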

Why Do People Use Compliance as Code?

Companies use compliance as code because manual compliance can slow down software delivery, compliance audits can be expensive, and misconfigurations can lead to data breaches.

There are a number of reasons why companies use compliance as code for their infrastructure and IT compliance.

  • Compliance can slow down the software delivery process. Developers want to ship software quickly, and customers want it now. Manual compliance and security checks slow that process down. Compliance as code takes the burden off IT operations teams by turning most of that work into repeatable code rather than manual, one-off tasks.
  • Compliance audits can take a ton of time. A compliance audit isn't like checking the engine of your car to make sure it's running right. Most compliance audits require a paper trail: that means tracking, measuring, fixing, maintaining, and reporting on your compliance over time and having evidence to back it up. If you're doing it manually, the audit process consumes a lot of operational time and labor. A 2020 survey found that audit-related activities took hundreds of hours every year.
  • Manual misconfiguration can lead to data breaches. A 2023 survey found that more than one-third of all recorded data breaches could be attributed to some kind of security misconfiguration.

The Benefits of Compliance as Code 

Declaring compliance as code provides three key benefits by: 

  1. Defining your organization's compliance policy as written code 
  2. Incorporating compliance checks into every step of the software delivery lifecycle 
  3. Eliminating configuration drift automatically with model-driven automation 

Let’s examine each of these further. 

1. Defining Your Organization's Compliance Policy as Written Code

With few exceptions, the infrastructure requirements in your organization’s compliance policy (e.g. minimum password length or firewall configuration) can be declared as code, enabling policy-based management and providing a template for newly provisioned infrastructure. 


Policy as code is essential to automating and scaling the manual tasks associated with compliance, from testing to remediation to enforcement. In short, it is the first step in bringing order to compliance chaos. 

2. Integrating Compliance Checks into the Software Delivery Lifecycle 

IT compliance is often seen as a bottleneck to accelerated deployment. While DevOps, CI/CD workflows, and on-demand provisioning have increased agility in the software delivery lifecycle, compliance checks tend to occur during the final stages of development, and typically involve numerous manual steps. Thus, when a violation is detected, it leads to re-work and delays.

According to CIO and CTO interviews conducted by McKinsey in 2019, “69 percent of organizations indicate that implementing stringent security guidelines and code review processes can slow developers significantly.” 

This problem often has more to do with siloed workflows than with compliance requirements. If compliance checks are the last step in your development process, you’re setting yourself up for failure. Compliance as code addresses the underlying issue by ensuring compliance requirements are incorporated into the initial design phases and enabling the integration of compliance checks into DevOps workflows. It’s significantly easier to design around a requirement than it is to re-architect a finished product. Imagine building an entire house before discovering that the foundation doesn’t meet building standards. 

Running compliance scans in dev and test environments exposes issues before the whole house is built, mitigating the risk of a show-stopping issue that delays deployment. 

3. Eliminating Configuration Drift with Model-Driven Automation 

Defining policy as code has been described as a way of bringing order to the compliance chaos, but it becomes far more effective when combined with technology that can enforce policy. This prevents configuration drift by continually resolving systems against their desired state. 

Puppet is an example of model-driven automation that makes this achievable at scale. It allows you to define the configuration of any system in your infrastructure as code and enforce that configuration to automatically remediate drift. On every run (every 30 minutes by default) the Puppet agent compares the node's actual configuration with the desired state you've defined and makes a corrective change wherever it finds a discrepancy. 

Automating compliance with a model-driven, policy-based approach simplifies and scales enforcement of multiple regulations across diverse infrastructure, including cloud environments. Let’s say you operate a mixed fleet of Windows Server 2019 and RHEL 8 servers. Each operating system (and even each OS version) must conform to its own set of controls, which quickly becomes difficult to manage by hand. 


With Puppet, node groups can be created based on the operating system and version, allowing the appropriate set of policy requirements to be applied to all machines in that group. When a regulation is updated, you edit and deploy the revised code, rather than manually making changes to each individual asset. 
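As an added illustration of that per-platform grouping (example code written for this article, not from the original post or Puppet's modules), the following class selects its controls from Puppet's facts rather than from a hand-maintained host list. The class name and the control values are illustrative assumptions: the `/etc/shadow` ownership and mode follow the usual RHEL-family and Debian-family benchmark values, the Windows branch uses `registry_value` from the puppetlabs-registry module, and any platform without a defined control set fails the run rather than silently applying nothing.

```puppet
# Added example for this article (not from the original post or Puppet's modules).
# Assumptions: class name and the specific control values are illustrative;
# registry_value requires the puppetlabs-registry module.
class profile::compliance::os_specific {
  case $facts['os']['family'] {
    'RedHat': {
      # Version scoping: apply only to releases a control set was written for.
      unless $facts['os']['release']['major'] in ['8', '9'] {
        fail("No control set defined for RHEL-family release ${facts['os']['release']['major']}")
      }
      # RHEL-family benchmarks: /etc/shadow owned root:root, mode 0000.
      file { '/etc/shadow':
        ensure => file,
        owner  => 'root',
        group  => 'root',
        mode   => '0000',
      }
    }
    'Debian': {
      # Debian/Ubuntu benchmarks: /etc/shadow owned root:shadow, mode 0640.
      file { '/etc/shadow':
        ensure => file,
        owner  => 'root',
        group  => 'shadow',
        mode   => '0640',
      }
    }
    'windows': {
      # Windows Server: "Limit local account use of blank passwords to console
      # logon only" is a registry value, not a file, so the resource type differs.
      registry_value { 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse':
        ensure => present,
        type   => dword,
        data   => 1,
      }
    }
    default: {
      # Fail loudly: an unmanaged platform must never pass as "compliant".
      fail("No compliance profile for ${facts['os']['name']} ${facts['os']['release']['full']}")
    }
  }
}
```

In Puppet Enterprise the same facts drive the node classifier: a node group whose rule matches on `os.family` and `os.release.major` pins the matching class to every node in that group, so updating a control means editing one class, not touching each server.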

Puppet Enterprise empowers IT Operations teams to run their own compliance scans—no more reliance on InfoSec staff. Scan results are mapped to individual nodes accompanied by clear instructions for fixing a violation, enabling more efficient remediation.


Compliance as Code Use Cases

You can use compliance as code to make your IT resources compliant with regulations, benchmarks, and frameworks; verify planned changes; and immediately correct non-compliance due to drift or unapproved changes.

There are many use cases for compliance as code. Here are a few compliance as code use cases to consider:

Regulatory + Industry Compliance

Compliance as code can enforce regulatory standards of compliance like HIPAA and GDPR into infrastructure configurations. Industry frameworks like CIS Benchmarks and DISA STIG can also be continually assessed and enforced using compliance as code.

IT Security Automation

Compliance as code can automate many security configuration checks, like requiring strong passwords, firewalls, encryption, role-based access control (RBAC), and more.

Compliance Auditing, Monitoring + Reporting

Compliance policies written as code can be easily viewed, tracked, and understood. Keeping that code in version control also gives auditors a paper trail to follow during audits, showing which configuration changes were made, when, and by whom.

Compliance Scaling

Adding infrastructure and applications can make compliance challenging, especially for enterprise IT. Compliance as code is repeatable, meaning it can be applied across many environments using the same code without losing consistency.

Drift Remediation/Drift Correction

Compliance as code checks the actual state of infrastructure and application configurations against the desired state. If the two diverge (a condition known as “drift”), compliance as code can trigger automatic remediation back to the desired, compliant state.


Using Compliance as Code with Different Regulations 

Most regulatory and compliance mandates, including HIPAA, PCI DSS, and the EU’s GDPR, are built upon frameworks that declare the expectations for appropriate practices, along with benchmarks and guides that give the reader concrete direction. The Center for Internet Security (CIS) and the Defense Information Systems Agency (DISA) are two of the most widely used sources, thanks to their broadly adopted benchmarks and STIGs. 

Terms such as ‘compliance’ and ‘regulation’ have become diluted in meaning, and organizations sometimes dismiss them as not applicable. Even a company that does not process credit cards, is not publicly traded, and holds no military contracts should still consider these established standards. In fact, every business should adhere to desired-state baselines (even if only internal ones) so that technology deployments are measurable and consistent.  


How to Enforce Compliance as Code 

Compliance as code streamlines compliance from end to end with the ability to: 

  • Build a template for newly provisioned infrastructure with compliance requirements built in. 
  • Assess the state of compliance throughout the software delivery lifecycle and easily remediate violations. 
  • Manage hundreds of requirements across complex, diverse infrastructure. 
  • Eliminate configuration drift and continually enforce compliance policy in an automated, scalable way. 

When your next audit rolls around, defining compliance as code means you’ll be equipped to demonstrate that you’ve been managing it all along, using a consistent, reliable process for enforcing compliance across your entire estate. That instills far more confidence than an ad hoc, manual approach that is prone to oversights and human error. Just think: no more fire drills and unforeseen spikes in mitigation activity.

Best of all, the hundreds of hours you once spent on manual, soul-crushing compliance activities can now be redirected towards projects that add business value for your customers and your organization. 


This blog was published in 2021 and has since been updated for relevance and accuracy. 
