Continuous compliance and risk management can help keep your organization safe as the threat landscape changes and expands each year. IT Ops teams aren’t just working on a single machine, or even a few; they work across technologies and teams at scale, and are expected to move fast while also weighing cost and compliance requirements and navigating skills gaps that keep appearing.
Compliance isn’t optional — but it can become proactive and preventative with continuous compliance. Let’s explore the biggest ways that continuous compliance can reduce IT Ops headaches and help your organization tackle some of its largest security frustrations.
Continuous compliance and risk management is the process of automating regulatory and security practices to make sure that your tech is audit-ready and continuously protected from outside threats.
83% of organizations have had more than one data breach, with the global average cost of a data breach at 4.35 million USD according to the Cost of a Data Breach Report 2022 from the Ponemon Institute and IBM Security. Staying compliant is critical, but complex.
Two important aspects of compliance that we will explore here include the audit process and the resulting enforcement of policy. While these are only one piece of your overall IT security strategy, they may be taking up a significant amount of your team’s time and effort.
Compliance indicates that all regulatory requirements are satisfied. Risk management is the “big picture” assessment of all risks that threaten an organization, and how a company addresses and prioritizes them.
Compliance is always a part of a larger risk management strategy — following up-to-date requirements means mitigating the risks that have already been identified — but each requires its own process.
Audits are tough and security benchmarks change with expanding technologies — not to mention managing an increased number of devices and users as companies grow. Continuous compliance can assist with audit readiness by enabling continuous assessment and reporting on how compliant systems are against secure configuration benchmarks.
The benchmarks created by the Center for Internet Security (CIS) are the industry standard for IT compliance, with guidelines and best practices for secure system configurations. However, there are many kinds of security frameworks: some are more general, like CIS, NIST CSF and ISO 27001, and some are specific to an industry vertical or region, like HIPAA or GDPR.
Organizations often need to comply with more than one regulation and implement a secure configuration baseline that satisfies each. For that reason, it’s good practice to establish a secure baseline with a common framework. CIS benchmarks, or perhaps DISA STIG if you are a federal agency, are great candidates for this. CIS benchmarks are also already referenced as a source of industry-accepted secure configuration standards in the requirements of several common frameworks, including PCI DSS, DISA STIGs, FISMA, and FedRAMP.
You can learn more about why to use CIS benchmarks in our webinar “Puppet + CIS: Develop an Effective Strategy for Simplified Compliance.”
Puppet Comply uses a uniquely licensed scanning technology created by the Center for Internet Security (CIS) to assess adherence to CIS benchmarks. It connects to your Puppet Enterprise instance and allows you to scan your IT infrastructure and assess your compliance status with CIS benchmarks, manage policy exceptions, and report out on your compliance status.
Visibility into your audit readiness, as well as audit-ready code, is just one way that Puppet Enterprise + Puppet Comply can save your team time and effort.
After your audit, you know what configurations need to be changed to stay compliant within your tech environment. But where do you begin? How do you start and continuously address compliance once you’ve understood where those requirements begin?
Developing compliance enforcement modules is time-consuming and complex. Puppet’s Compliance Enforcement Modules (CEM) take care of all the maintenance and updates to the latest benchmark versions, as well as consistently adding content for new operating systems.
The content in the Compliance Enforcement Modules is directly aligned with Center for Internet Security (CIS) benchmarks for both Windows and Linux. And more recently, we've added support for Red Hat DISA STIG.
Continuous compliance enforcement is a turn-key solution to managing secure configurations. Puppet’s CEM offers standardization and conformity at scale, while also being highly customizable to meet the varied needs of your organization.
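To make the assess, report and enforce loop described above concrete, here is an added example that is not Puppet Comply's or CEM's code: a small Python model of a benchmark scan with policy exceptions, desired-state remediation, and a re-scan. The sshd_config-style sample, the rule IDs (CHECK-01 and so on) and the exception note are constructed placeholders, not CIS benchmark numbers or real hosts.

```python
"""Toy continuous-compliance cycle: assess a configuration against benchmark-style
rules, report a score, remediate to the desired state, then re-assess.
Constructed example; not the code of any vendor product."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sshd_config-style sample (placeholder, not a real host).
SAMPLE_CONFIG = """\
# sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 4
"""


@dataclass
class Rule:
    rule_id: str    # placeholder ID, not a CIS benchmark number
    title: str
    key: str        # configuration key the rule checks
    expected: str   # desired value of that key


@dataclass
class Result:
    rule_id: str
    status: str     # "pass", "fail" or "excepted"
    actual: Optional[str]


# Constructed rule set modelled on common SSH hardening recommendations.
RULES: List[Rule] = [
    Rule("CHECK-01", "Root login over SSH is disabled", "PermitRootLogin", "no"),
    Rule("CHECK-02", "Password authentication is disabled", "PasswordAuthentication", "no"),
    Rule("CHECK-03", "X11 forwarding is disabled", "X11Forwarding", "no"),
    Rule("CHECK-04", "MaxAuthTries is set to 4", "MaxAuthTries", "4"),
]


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines; blanks and '#' comments are ignored and a repeated key
    keeps its last value, mirroring how a flat daemon config is usually read."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def assess(settings: Dict[str, str], rules: List[Rule],
           exceptions: Dict[str, str]) -> List[Result]:
    """Scan: compare each rule's expected value with the observed one. A rule with an
    approved exception is recorded as 'excepted' rather than failed."""
    results = []
    for rule in rules:
        actual = settings.get(rule.key)
        if rule.rule_id in exceptions:
            status = "excepted"
        elif actual == rule.expected:
            status = "pass"
        else:
            status = "fail"
        results.append(Result(rule.rule_id, status, actual))
    return results


def report(results: List[Result]) -> dict:
    """Report: score only the rules in scope (excepted rules are listed, not scored)."""
    scored = [r for r in results if r.status != "excepted"]
    passed = sum(1 for r in scored if r.status == "pass")
    score = round(100 * passed / len(scored)) if scored else 100
    return {
        "score": score,
        "failed": [r.rule_id for r in results if r.status == "fail"],
        "excepted": [r.rule_id for r in results if r.status == "excepted"],
    }


def enforce(settings: Dict[str, str], rules: List[Rule],
            exceptions: Dict[str, str]) -> List[str]:
    """Remediate: set every failing, non-excepted key to its desired value.
    Idempotent: a second run on the same settings changes nothing."""
    changed = []
    for rule in rules:
        if rule.rule_id in exceptions:
            continue
        if settings.get(rule.key) != rule.expected:
            settings[rule.key] = rule.expected
            changed.append(rule.rule_id)
    return changed


def compliance_cycle(config_text: str, rules: List[Rule], exceptions: Dict[str, str]):
    """One assess -> report -> enforce -> re-assess cycle; returns (before, changed, after)."""
    settings = parse_config(config_text)
    before = report(assess(settings, rules, exceptions))
    changed = enforce(settings, rules, exceptions)
    after = report(assess(settings, rules, exceptions))
    return before, changed, after


if __name__ == "__main__":
    # Constructed exception: justification text is a placeholder.
    exc = {"CHECK-03": "X11 required on lab hosts (ticket PLACEHOLDER)"}
    print(compliance_cycle(SAMPLE_CONFIG, RULES, exc))
```

The exception map is what keeps an approved deviation from dragging the score down while still surfacing it in the report, and running `enforce` a second time returns an empty change list, which is the property a desired-state tool relies on for scheduled, repeated runs.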
For a deeper-dive into the specifics of how our Compliance Enforcement Modules work within your current infrastructure, take a look at our blog “How to Enforce Compliance With Compliance Modules.”
Compliance is just one aspect of a larger security approach, but it’s a critical piece of the puzzle. Ask anyone on IT Ops about the time they dedicate to audit readiness and compliance — chances are they are just as frantic as the current security landscape.
You can explore more about Compliance Enforcement Modules (CEM) on the following page.
Ready to take the next step with Puppet Comply? Reach out to our team directly to learn more about both Puppet Comply and CEM.
Product Manager, Puppet by Perforce