Simone Van Cleve
Managing compliance can seem like a Sisyphean task. It seems like you'll never be ahead of the game – like you'll always be reducing drift after it happens.
Compliance as code can help you define your desired state, but for actually maintaining and managing compliance, there's nothing more important than a declarative model for compliance enforcement. In this blog, we'll explain how a model-driven approach allows an organization to manage compliance in their infrastructure, stay compliant with always-updating benchmarks, and control risky drift before it has a chance to happen.
Managing compliance in IT means being able to define a desired state in your systems and enforce it. As part of this, you typically then need to find and remediate issues that can jeopardize that desired state, like configuration drift.
Of course, even after you've defined a desired state, managing it is often susceptible to the same things that lead to drift in other areas of your infrastructure. Somehow, the things that you thought were locked down and cast in concrete have a tendency to devolve over time. When it comes to compliance, however, the stakes are too high. We can’t simply accept configuration drift as a fact of life.
While infrastructure is initially deployed in a compliant state, it’s almost inevitable that changes will occur over time when multiple people have access to an environment. Say a sysadmin manually edits a managed registry key or changes the password on a local account. Even a minor update can result in configuration drift that brings a system out of compliance. And a lot of “minor updates” can happen in the window between compliance scans, during which time you may be out of compliance without even knowing it.
Without a way to continuously enforce the configurations you define, every compliance scan will likely turn up numerous violations. You’ll spend time remediating them, drift will occur, and the cycle continues…
Model-driven (or declarative) automation breaks the endless scan-fix-drift cycle. With Puppet’s model-driven approach, you define the desired state of a system in accordance with your compliance policy – the various controls that must be in place on a specific server or operating system – and that end-state is continuously enforced. If a user makes a change that alters a configuration, it will automatically revert to its compliant state on the next Puppet run.
The same configuration can be applied to any system during provisioning, whether it lives on-prem or in the cloud, ensuring that controls are consistently enforced at scale and across environments.
Task-based (or imperative) automation doesn’t provide the same benefits. While this approach works well for orchestrating a sequence of events and automating one-off tasks, it lacks the concept of desired state. The result is that a compliant configuration can easily be overwritten and, unless a user happens to notice the change, it won’t be corrected. There is no source of truth to revert to automatically.
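As an added example (not code from this post or from Puppet's own modules), the manifest below shows what "defining the desired state" looks like in practice for the two kinds of drift mentioned above: a hand-edited configuration file on Linux and a manually changed registry value on Windows. It assumes a host with OpenSSH, that the `augeas` type bundled with the Puppet agent is available, and that the `registry_value` type from the puppetlabs-registry Forge module is installed. The class names, the registry path under `HKLM\SOFTWARE\Example`, and the control values are illustrative placeholders, not items copied from a specific CIS Benchmark.

```puppet
# Added example, not from the blog post: a declarative Puppet manifest that
# states the desired (compliant) configuration. The agent compares the live
# system to this model on every run and corrects any difference, so a manual
# chmod, a hand-edited sshd_config line, or a changed registry value is
# reverted at the next run instead of waiting for the next compliance scan.
# Control values are illustrative, not copied from a CIS Benchmark.

class compliance_demo::linux_ssh {
  # Ownership and mode of the SSH daemon configuration. Only the attributes
  # listed are managed; file content is left alone so unrelated local edits
  # to other directives are not clobbered.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # Individual directives are set through the Augeas sshd lens (the augeas
  # type ships with the Puppet agent via the augeas_core module). Each 'set'
  # is idempotent: nothing is changed or reported if the value already matches.
  augeas { 'sshd_hardening':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set PermitRootLogin no',
      'set PasswordAuthentication no',
    ],
    notify  => Service['sshd'],
  }

  # The daemon must be running now and enabled at boot.
  service { 'sshd':
    ensure => running,
    enable => true,
  }
}

class compliance_demo::windows_registry {
  # Windows control using the registry_value type from the puppetlabs-registry
  # module (assumed installed). The key path and data are hypothetical; a
  # manual change in regedit is reverted on the next agent run.
  registry_value { 'HKLM\SOFTWARE\Example\Hardening\AuditEnabled':
    ensure => present,
    type   => dword,
    data   => 1,
  }
}

# Pick the model for this node from the agent's kernel fact.
if $facts['kernel'] == 'windows' {
  include compliance_demo::windows_registry
} else {
  include compliance_demo::linux_ssh
}
```

A useful check before enforcing anything is `puppet apply --noop <manifest>` (or `puppet agent -t --noop` on a managed node): it reports every resource that is out of its declared state without changing it, which is effectively a drift report against the model. Removing `--noop` turns the same model into continuous enforcement.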
Our customers tell us that one of the biggest challenges they face in trying to maintain compliance is keeping up with new and changing regulations. If the desired state you’ve defined doesn’t reflect the most up-to-date compliance controls, it doesn’t do you much good. Most compliance scanners can take weeks or even months to incorporate updates, so they won’t immediately detect a violation of an updated rule.
Puppet Comply helps close that gap. It leverages CIS-CAT® Pro to assess your infrastructure for compliance with CIS Benchmarks. The Center for Internet Security® (CIS®) defines the CIS Benchmarks and maintains the CIS-CAT assessment tool, so Puppet Comply scans always reflect the latest benchmark updates.
When you need to update a configuration accordingly, you can modify the desired state in Puppet Enterprise, and the change will be reflected on all systems to which it is applied. This saves a ton of time and mitigates the risk of error that comes with manually making the same change on hundreds or thousands of individual machines.
By this point, it should be evident that automation is integral to a successful compliance program. But automation comes in many forms designed to achieve a variety of outcomes. For compliance, where it is essential to ensure that systems remain in their desired state, model-driven automation is the best approach. Without it, you’re stuck in an endless loop of drift and remediation — constantly working at the same task only to have it reversed, like Sisyphus with his boulder.
Senior Marketing Programs Manager, Puppet by Perforce