January 27, 2021

Managing Compliance: How to Break the Scan-Fix-Drift Cycle

Security & Compliance
Infrastructure Automation

Managing compliance can seem like a Sisyphean task. It seems like you'll never be ahead of the game – like you'll always be reducing drift after it happens.

Compliance as code can help you define your desired state, but for actually maintaining and managing compliance, there's nothing more important than a declarative model for compliance enforcement. In this blog, we'll explain how a model-driven approach allows an organization to manage compliance in their infrastructure, stay compliant with always-updating benchmarks, and control risky drift before it has a chance to happen.

What Is Managing Compliance Like in IT?

Managing compliance in IT means being able to define a desired state in your systems and enforce it. As part of this, you typically then need to find and remediate issues that can jeopardize that desired state, like configuration drift.

Of course, even after you've defined a desired state, that state is just as susceptible to the forces that cause drift elsewhere in your infrastructure. Somehow, the things you thought were locked down and cast in concrete have a tendency to devolve over time. When it comes to compliance, however, the stakes are too high. We can't simply accept configuration drift as a fact of life.

When Managing Compliance, Change is the Only Constant

Even when infrastructure is initially deployed in a compliant state, it's almost inevitable that changes will occur over time once multiple people have access to an environment. Say a sysadmin manually edits a managed registry key or changes the password on a local account. Even a minor update can result in configuration drift that brings a system out of compliance. And a lot of "minor updates" can happen in the window between compliance scans, during which time you may be out of compliance without even knowing it.

Without a way to continuously enforce the configurations you define, every compliance scan will likely turn up numerous violations. You’ll spend time remediating them, drift will occur, and the cycle continues…

Breaking the Drift Cycle

Model-driven (or declarative) automation breaks the endless scan-fix-drift cycle. With Puppet's model-driven approach, you define the desired state of a system in accordance with your compliance policy – the various controls that must be in place on a specific server or operating system – and that end-state is continuously enforced. If a user makes a change that alters a managed configuration, it will automatically revert to its compliant state on the next Puppet run. Two practical caveats follow from that: only resources you have actually declared are enforced, so a control that isn't in the model isn't protected, and a manual change can persist until the next agent run (every 30 minutes by default), so the run interval is the upper bound on how long drift can live.

The same configuration can be applied to any system during provisioning, whether it lives on-prem or in the cloud, ensuring that controls are consistently enforced at scale and across environments.

Task-based (or imperative) automation doesn’t provide the same benefits. While this approach works well for orchestrating a sequence of events and automating one-off tasks, it lacks the concept of desired state. The result is that a compliant configuration can easily be overwritten and, unless a user happens to notice the change, it won’t be corrected. There is no source of truth to which to automatically revert.
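To make the contrast concrete, here is a small desired-state profile written in Puppet's declarative language. It is an added example for this post, not code from Puppet or from any CIS Benchmark; the class name, the account name, the drop-in path and the specific settings are illustrative assumptions, and it assumes a host whose sshd_config includes files from /etc/ssh/sshd_config.d, as recent OpenSSH packages do. Each resource states an end state rather than a step, which is exactly what lets the agent detect and undo a hand edit on every run.

```puppet
# Added example (not from the original post): a desired-state profile for a
# few CIS-style SSH and local-account controls. Names, paths and values are
# illustrative assumptions, not quoted from a specific benchmark.
class profile::cis_ssh {

  # Ownership and mode of the daemon's config file. If an admin runs
  # `chmod 644` on it by hand, the next run puts it back to 0600.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    notify => Service['sshd'],
  }

  # The drop-in directory must exist and be root-only before the drop-in
  # file below can be managed inside it.
  file { '/etc/ssh/sshd_config.d':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # Hardening settings delivered as a managed drop-in (assumes the main
  # sshd_config has an "Include /etc/ssh/sshd_config.d/*.conf" line).
  # Because `content` is declared, any manual edit to the file is reverted.
  file { '/etc/ssh/sshd_config.d/50-cis.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "PermitRootLogin no\nMaxAuthTries 4\nPermitEmptyPasswords no\n",
    require => File['/etc/ssh/sshd_config.d'],
    notify  => Service['sshd'],
  }

  # The daemon must be running and enabled at boot; it is restarted
  # automatically whenever one of the files above changes.
  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # A legacy local account that policy says must not exist. Recreating it
  # by hand is undone on the next run, with no scan needed to notice it.
  user { 'legacyadmin':
    ensure => absent,
  }
}

include profile::cis_ssh
```

Save this as cis_ssh.pp and apply it with `puppet apply cis_ssh.pp`; run it again with `--noop` to see what has drifted without changing anything, which is a useful pre-change check. To see the enforcement loop in action, loosen the file mode by hand after the first apply and apply again: the run reports the mode being corrected from 0644 back to 0600 and restarts sshd. An imperative script that once set these values has no equivalent second run, which is the gap the paragraph above describes.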

Keeping Pace with Regulatory Change

Our customers tell us that one of the biggest challenges they face in trying to maintain compliance is keeping up with new and changing regulations. If the desired state you’ve defined doesn’t reflect the most up-to-date compliance controls, it doesn’t do you much good. Most compliance scanners can take weeks or even months to incorporate updates, so they won’t immediately detect a violation of an updated rule.

Puppet Comply helps close that gap. It leverages CIS-CAT® Pro to assess your infrastructure for compliance with CIS Benchmarks. The Center for Internet Security® (CIS®) defines the CIS Benchmarks and maintains the CIS-CAT assessment tool, so Puppet Comply scans pick up benchmark updates from their source rather than waiting on a third-party reimplementation of each rule.

When you need to update a configuration accordingly, you modify the desired state in Puppet Enterprise, and the change is reflected on every system to which it is applied. This saves a great deal of time and mitigates the risk of error that comes with manually making the same change on hundreds or thousands of individual machines.

Automation is Essential to Managing Compliance at Scale

By this point, it should be evident that automation is integral to a successful compliance program. But automation comes in many forms designed to achieve a variety of outcomes. For compliance, where it is essential to ensure that systems remain in their desired state, model-driven automation is the best approach. Without it, you’re stuck in an endless loop of drift and remediation — constantly working at the same task only to have it reversed, like Sisyphus with his boulder.
