Bad news: Configuration drift is going to happen no matter what you do. It’s very easy to miss, caused by some innocuous mistake or patch and buried in paper trails that don’t exist. By the time you’ve found which configurations have drifted, it usually means something’s already going wrong. But here’s the good news: You and your precious configurations don’t have to take it lying down.
In fact, there are a lot of ways to find and manage config drift, no matter where you’re deployed – but not all drift remediation tools and strategies are created equal. Take a few minutes to read this blog and review where configuration drift might be coming from in your IT, what it can do to your system reliability, and what you should be doing about it right now.
Configuration drift, also called config drift, is when configurations in an IT system gradually change, until they’re no longer consistent with the needs of the organization. Configuration drift is often unintentional and caused by undocumented or unapproved changes to software, hardware, and operating systems.
The risk of configuration drift is that it causes inconsistencies in system configurations. Operating system configs that differ between development, testing, and production environments, for example, can create performance issues, security gaps, and compliance errors.
Those problems are especially risky in large IT environments, multi-cloud deployments, or IT hosted between the data center and the cloud.
Specific side effects of configuration drift include app failure, downtime, prolonged development lifecycles, increased IT tickets, security vulnerabilities, compliance failures, audit fines, and more.
The side effects of config drift range from ‘mildly inconvenient’ to ‘five-alarm fire’. All of them impact your organization in some way or another, and the only difference between levels of severity is how proactive you are about finding and managing drift.
What’s more, configuration drift is one of those problems that gets worse fast when you don’t treat it. Each misconfigured resource can be a liability – for example, a single instance of configuration drift can lead to sensitive data being exposed, security breaches, and compliance fines.
Imagine a lot of those individual misconfigurations piling up over time, without you noticing. All those misconfigured resources add up quickly, meaning config drift quickly goes from ‘easy fix’ to a major problem if you don’t address it swiftly.
The top causes of configuration drift are:
There are a lot of reasons why configuration drift happens, but all config drift happens when changes get through without being monitored or approved (ransomware included). Sometimes, it’s individual engineers making changes to their environment without telling the people responsible for production. Sometimes, it’s the code that slides in with a vital patch, or in the latest version of a software update.
The worst part is that when configuration drift causes a problem, developers are sometimes encouraged to drop everything to go find and fix it. And guess what happens while they’re trying to fix a problem. That’s right: More code changes get pushed without proper review, monitoring, tracking or reporting, leading to more inconsistency between the desired configurations and actual state. The vicious config drift cycle continues, with drift adding to drift adding to drift.
If you’re thinking this drift recursion cycle makes it tough to stay ready for audits, you’d be right. Read our blog to find out how you can stay ahead of drift by automatically managing compliance >>
Configuration drift management automatically compares system configurations against baselines to identify configuration drift that can lead to inefficiency, performance issues, and compliance errors.
There are two basic ways to fix configuration drift:
Obviously, manual remediation is a big, time-consuming, laborious task. It also doesn’t work that well, especially at scale (remember the “drift adding to drift” problem we mentioned above?). Most DevOps teams just don’t have the time or headcount to fix configuration drift as it pops up. Bottom line: If you’re managing more than a few configurations, the hands-on method is only going to lead to wasted time and more problems.
That’s why the best way to manage configuration drift is to use a configuration management tool like Puppet, Ansible, or Chef, along with tools for version control, continuous integration/continuous delivery (CI/CD), and documentation.
Puppet's agent-based automation and continuous compliance make Puppet Enterprise the configuration management tool of choice. Compare Puppet vs. Ansible here >>
Config drift management tools do what it sounds like: They periodically scan your systems to identify configurations that have drifted from their defined, hardened state. Some tools also automatically remediate drifted configurations.
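As an added example (not part of the original post and not Puppet’s own code), here is a small Python drift detector and remediator for an sshd_config-style file. It parses the file the way sshd reads it (directive names are case-insensitive and the first occurrence of a directive wins), compares the effective settings against a hardened baseline, and rewrites the file back to baseline without touching unrelated lines. The baseline values and the sample config are constructed for illustration; in practice the baseline would come from a benchmark such as CIS, and detect_drift would be run on a schedule.

```python
"""Constructed example: configuration drift detection and remediation for
sshd_config-style files. Assumes sshd semantics: directive names are
case-insensitive, 'Key value' or 'Key=value' syntax, first occurrence wins."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed hardened baseline (desired state). Not a published benchmark.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed "actual" config as it might be found on a drifted host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
# X11Forwarding deliberately absent, so the sshd default applies
"""


@dataclass(frozen=True)
class Drift:
    directive: str            # canonical directive name from the baseline
    expected: str
    actual: Optional[str]     # None means the directive is missing entirely


def _split(line: str):
    """Split 'Key value' or 'Key=value' into (key, value)."""
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def parse(text: str) -> dict:
    """Return the effective settings keyed by lowercase directive name."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _split(line)
        settings.setdefault(key.lower(), value)  # first occurrence wins
    return settings


def detect_drift(text: str, baseline: dict = BASELINE) -> list:
    """Compare effective settings against the baseline; report every mismatch."""
    actual = parse(text)
    return [
        Drift(name, want, actual.get(name.lower()))
        for name, want in baseline.items()
        if actual.get(name.lower()) != want
    ]


def remediate(text: str, baseline: dict = BASELINE) -> str:
    """Return the config brought back to baseline. Idempotent: running it on
    its own output changes nothing. Unrelated lines are left untouched."""
    wanted = {k.lower(): (k, v) for k, v in baseline.items()}
    seen = set()
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, value = _split(line)
            lk = key.lower()
            if lk in wanted:
                name, want = wanted[lk]
                if lk in seen:
                    # sshd ignores later duplicates, but they mislead readers
                    out.append(f"# remediated (duplicate ignored by sshd): {raw}")
                    continue
                seen.add(lk)
                if value != want:
                    out.append(f"{name} {want}")
                    continue
        out.append(raw)
    # Directives absent from the file would silently fall back to sshd defaults
    for lk, (name, want) in wanted.items():
        if lk not in seen:
            out.append(f"{name} {want}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for d in detect_drift(SAMPLE_CONFIG):
        print(f"DRIFT {d.directive}: expected {d.expected!r}, found {d.actual!r}")
    print(remediate(SAMPLE_CONFIG))
```

A missing directive is reported as drift rather than ignored, because a setting that is absent silently falls back to the daemon’s default, which is exactly the kind of change that is easy to miss in a review.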
Different configuration management tools feature different capabilities and strengths. Some are designed for deep monitoring and reporting, while others can do all that and then remediate configurations automatically. Examples of configuration drift management tools include:
The CIS-CAT Pro Assessor
Created by the Center for Internet Security (CIS), this tool scans systems to track system hardening efforts aligned with the widely used CIS Benchmarks framework.
Configuration monitoring and alerting across hybrid infrastructure, aligned to customizable CIS Benchmarks.
One of the most popular configuration drift monitoring tools out there, known for its easy onboarding and observability – and, depending on your usage, its hefty price tag.
Observability to enhance configuration drift detection, troubleshooting, and change validation.
A security and compliance tool for protecting critical systems and sensitive data.
Monitoring file changes, notifying sysadmins, and automating enforcement of configurations.
AWS Config comes built into the platform to enable change tracking, drift detection, and remediation of AWS cloud configurations.
Configuration management for infrastructure hosted on AWS.
An automation and configuration management platform.
Configuration management to maintain desired state and prevent drift – but it’s known to struggle at scale.
Configuration management, the easy way: A configuration management system includes tools for monitoring, testing, reporting, logging, and fixing configuration drift >>
As long as you have people using the resources you’ve configured, configuration drift is going to happen one way or another. What matters is monitoring for drift continuously, catching it early, remediating it quickly, and documenting it properly.
Catching up to configuration drift is a great way to make sure you’re never out of desired state for long. But like with any healthy system or process, prevention is the best medicine. Creating and enforcing rules for configurations as code enables more proactive configuration drift management:
Puppet Enterprise is an automation and configuration management solution that helps reduce drift, especially across large and complex infrastructure. Write your policies as code using Puppet’s simple configuration syntax (or leverage CIS-compliant modules), and Puppet Enterprise’s robust agent-based automation and configuration management capabilities will enforce them across your whole infrastructure. Automated runs detect drift from the configurations you wrote as part of your PaC, and Puppet Enterprise can provide recommendations and even automatically repair drifted configurations.
Agent-based automation means that Puppet enforces your written policies even if there’s a network disruption to your server. It doesn’t matter if the server is located in the data center or in the cloud – the Puppet agent will run every 30 minutes by default, enforcing your coded policies and maintaining system state. No agentless technology can match that capability at scale.
Compare agent-based vs. agentless automation for security >>
Read a configuration drift case study showing how Finastra used Puppet Enterprise to audit and correct drift, applying their policy as code to maintain compliance and optimize resources. Then request a demo of Puppet Enterprise or try it in some of your own infrastructure today.