June 30, 2023

Managing Compliance: Tips + Strategies for Breaking the Vicious Scan-Fix-Drift Cycle

Security & Compliance
Infrastructure Automation

Managing compliance can seem like a losing game. It seems like you'll never be ahead – like you'll always be fixing drift after it happens, only for your configurations to inevitably slip again. Managing compliance becomes a vicious cycle of scanning to hunt down drift, fixing it as best you can, and waiting for it to happen again.

Compliance as code can help you define your desired state. But for actually maintaining and managing compliance, there's nothing more important than a declarative model for compliance enforcement. In this blog, we'll explain the compliance risks posed by configuration drift and how automation can help you break the scan/fix/drift/repeat cycle.


What is Compliance Management in IT?

Managing compliance in IT means keeping system configurations compliant with IT security frameworks and regulations. Tasks for managing compliance include compliance scanning, drift remediation, configuration management, and more.

Compliance management is more than a checklist. It means using tools and frameworks to define, monitor, and enforce compliance in your systems. Configuration drift is one of the hard-to-deal-with factors that can make managing compliance feel like an uphill battle.

How Drift Makes Managing Compliance Hard for IT Teams

Every change your team makes to system configuration – whether accidentally or on purpose – runs the risk of altering or modifying the configurations your compliance is built on. Somehow, the compliant configurations you thought were rock-solid start to crumble over time.

Here’s how it usually goes:

  • Use a compliance scanner to find drift and uncover noncompliance in your IT and infrastructure.
  • Remediate drift and bring systems back into compliance manually, or use automation for compliance management.
  • One-off changes, unauthorized modifications, unverified patches, and other actions cause configuration drift, and the cycle repeats.

Configuration drift is more than just an annoying problem. Managing drift can mean the difference between security and vulnerability; between smooth operations and costly downtime; between passing with flying colors and getting tangled up in audit after audit.

Configuration Drift Throws Your Systems Out of Compliance

This one’s pretty obvious, but it’s the most immediate issue drift presents for your compliance management. If multiple people have access to the environment, changes are almost inevitable – even if you deploy infrastructure in a compliant state.

All kinds of manual configuration, whether pushing code or applying a patch, presents some amount of risk to your compliance. Say a sysadmin manually edits a managed registry key or changes the password on a local account. Even a minor update can result in configuration drift that brings a system out of compliance – and a lot of “minor updates” can happen in the window between compliance scans. In the meantime, you may be out of compliance without even knowing it.

Manual Changes are Hard to Track (and Prove)

Without a paper trail, it’s hard to maintain an accurate baseline configuration. It also makes compliance audits tough, because many auditors require evidence of compliance – evidence that doesn’t exist for undocumented changes and one-offs.

If unauthorized or bespoke changes are being made without clear visibility into who made the change, why it was made, and how it impacts compliance, your team will probably end up spending a lot of time hunting down that information when audit time comes around.

Configuration Drift Can Happen with Routine Patches and Updates

If you apply updates, patches, and hotfixes without knowing how they’ll impact your system, they can contribute to drift by modifying configurations. When updating software, visibility is key to preventing undocumented drift.

Unaddressed Configuration Drift Only Gets Worse Over Time

The longer drift happens without you noticing – or the longer you ignore it – the further out of compliance you’re likely to be when you perform a scan or get audited. And the further out of compliance you are, the harder it can be to get back to your desired state.

Without a way to continuously track and enforce the configurations you define, every compliance scan will likely turn up numerous violations. You’ll spend time remediating them, drift will occur, and the cycle continues.


How to Manage Compliance

The basic steps of compliance management include assessing noncompliant systems, prioritizing the biggest issues, patching or reconfiguring systems, and reporting on changes that were made.

If you're not compliant, you're less secure and more vulnerable to security breaches and cyberattacks. If you fail a compliance audit, you might also be charged a fine, be stripped of certifications, and ultimately lose business.

Managing compliance comes down to a few basic steps:

  • Assessment: Use a compliance scanner to locate noncompliant systems, configurations that have drifted, or software that needs patching.
  • Prioritization: List out the issues you found and organize them by how big an impact they have on your compliance and how much effort they'll take to fix.
  • Remediation: Remediation can mean patching software, rewriting configurations to adapt to the vulnerability, or enforcing previous compliance configurations that have drifted.
  • Reporting: In managing compliance, a paper trail is important. Once you've remediated compliance errors, validate your changes and report on what changed and why.

Compliance Management Best Practices

Best practices for compliance management include regular scanning, patching, testing, and automating compliance with configuration as code.

  • Scan your systems regularly for compliance. Do it daily to catch compliance issues like drift early.
  • Patch your software. Patches are a great way to keep your apps and systems compliant and secure. Apply CVE patches as soon as they become available. Schedule regular patching on a cadence that works for you (like biweekly or monthly).
    • Of course, test patched systems using CI/CD to make sure they’re secure, compliant, and reliable before sending them back to production.
  • Use APIs to integrate compliance management tools. Compliance management is a lot easier when you can do it with simple dashboards and interfaces you’re used to.
  • Automate compliance. Compliance management comes down to repeating common tasks over and over to keep systems compliant. Scanning, fixing, and testing can all be written as code, automated, and repeated with compliance configuration management.

Choose Declarative Automation, Not Imperative Automation

Your choice between the two main types of IT automation plays a huge role in managing compliance.

Declarative Automation

Using model-driven (or declarative) automation in a tool like Puppet lets you define the desired state of a system in accordance with your compliance policy. Then, it continuously enforces the specific controls that must be in place on a specific server or operating system with policy as code.

In Puppet, if a user makes a change that alters a configuration, it will automatically revert to its compliant state on the next Puppet run. The same configuration can be applied to any system during provisioning, whether it lives on-prem or in the cloud, ensuring that controls are consistently enforced at scale and across environments.

Imperative Automation

Task-based (or imperative) automation, on the other hand, doesn’t provide the same benefits because it lacks the concept of a desired state. Imperative automation can orchestrate a set sequence of events to automate one-off tasks. But when someone or something overwrites a compliant configuration, it won’t be corrected automatically because there’s no source of truth to which to automatically revert.
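To make the declarative-versus-imperative distinction concrete, here is an added Python model of a tiny desired-state enforcer. It is not Puppet code and not from the original post; it only mirrors the behaviour the two sections above describe. A catalog of file resources (a constructed sample: an `sshd_config` with a desired content and permission mode) is the source of truth; `inspect` reports drift, `enforce` converges each resource or, in no-op mode, only audits, and every run returns a report of what was checked and what changed. It also plays out the assess/remediate/report loop from the "How to Manage Compliance" section in miniature, and contrasts it with an imperative one-shot setup that has no desired state to return to. The resource type, file path and settings are assumptions for illustration.

```python
"""Declarative desired-state enforcement, reduced to a runnable model (illustrative, not Puppet)."""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FileResource:
    """One managed file: the desired state, independent of how it got that way."""
    path: str
    content: str
    mode: int  # POSIX permission bits, e.g. 0o600


@dataclass
class RunReport:
    """What a single enforcement run looked at and corrected (the paper trail)."""
    checked: int = 0
    corrected: list = field(default_factory=list)  # (path, attribute, found, desired)


def inspect(res):
    """Assessment: return (attribute, found, desired) mismatches; empty list means compliant."""
    drift = []
    if not os.path.exists(res.path):
        drift.append(("exists", False, True))
        return drift
    with open(res.path) as fh:
        found = fh.read()
    if found != res.content:
        drift.append(("content", found, res.content))
    mode = stat.S_IMODE(os.stat(res.path).st_mode)
    if mode != res.mode:
        drift.append(("mode", oct(mode), oct(res.mode)))
    return drift


def enforce(catalog, noop=False):
    """Remediation: converge every resource in the catalog back to its desired state.

    With noop=True the run only scans and reports, which is the compliance-scanner
    half of the cycle; with noop=False it scans and corrects in the same pass.
    Running it twice in a row with nothing drifted must report no corrections (idempotence).
    """
    report = RunReport()
    for res in catalog:
        report.checked += 1
        drift = inspect(res)
        if not drift:
            continue
        if not noop:
            with open(res.path, "w") as fh:
                fh.write(res.content)
            os.chmod(res.path, res.mode)
        for attr, found, desired in drift:
            report.corrected.append((res.path, attr, found, desired))
    return report


def imperative_setup(catalog):
    """Imperative counterpart: writes the files once and keeps no notion of desired state,
    so a later manual change is never noticed or reverted."""
    for res in catalog:
        with open(res.path, "w") as fh:
            fh.write(res.content)
        os.chmod(res.path, res.mode)


def demo():
    """Provision, re-run, drift by hand, audit, converge, re-run; return the five reports."""
    root = tempfile.mkdtemp()
    sshd = os.path.join(root, "sshd_config")  # constructed sample path
    catalog = [FileResource(sshd, "PermitRootLogin no\nPasswordAuthentication no\n", 0o600)]
    provision = enforce(catalog)      # first run creates the file
    steady = enforce(catalog)         # second run finds nothing to do
    with open(sshd, "w") as fh:       # a sysadmin makes a one-off change
        fh.write("PermitRootLogin yes\n")
    os.chmod(sshd, 0o644)
    audit = enforce(catalog, noop=True)   # scan only: drift is reported, not fixed
    converged = enforce(catalog)          # next run reverts it to the compliant state
    final = enforce(catalog)              # and the run after that is clean again
    shutil.rmtree(root)
    return provision, steady, audit, converged, final


if __name__ == "__main__":
    for name, rep in zip(("provision", "steady", "audit", "converged", "final"), demo()):
        print(name, rep.checked, [(c[1], c[2], c[3]) for c in rep.corrected])
```

The `noop` flag is the scanner; the same catalog driven without it is the enforcer. That single source of truth is what the imperative `imperative_setup` lacks: after the manual edit there is nothing in it to compare the live file against, so the drift persists until someone scans for it.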


Keep Up with Compliance Frameworks + Regulations

Puppet users tell us that keeping up with regulations is one of the biggest challenges they face in trying to maintain compliance. If the desired state you’ve defined doesn’t reflect the most up-to-date compliance controls, it doesn’t do you much good. Most compliance scanners can take weeks or even months to incorporate updates, so they won’t immediately detect a violation of an updated rule.

Puppet Comply, a premium add-on to Puppet Enterprise, helps close that gap. It leverages the CIS-CAT® Pro Assessor from the Center for Internet Security (CIS) to assess your infrastructure’s compliance with internationally recognized CIS Benchmarks. With this integration, Puppet Comply scans always reflect the latest CIS Benchmark updates so you’re never a step behind.

Compliance Enforcement for Puppet Enterprise reverts drifted configurations so that they automatically align with CIS Benchmarks and DISA STIGs. Automatically enforcing these primary frameworks saves time and mitigates the risk of manually managing compliance on hundreds or thousands of individual machines.

DBS Bank

DBS Bank, a leading financial services group headquartered in Singapore, found that configuration drift was hampering their in-house security system. It took a team of 13 dedicated engineers to generate reports and remediate security configurations across their hybrid cloud infrastructure. DBS Bank freed up the majority of that staff (and their valuable time) by replacing mandatory drift remediation with self-healing infrastructure-as-code from Puppet. They automatically enforce desired compliance across their infrastructure, aligned with DISA STIGs and other important compliance frameworks.


When you need to update a configuration accordingly, you can modify the desired state in Puppet Enterprise, and the change will be reflected on all systems to which it is applied.


Automation is Essential to Managing Compliance at Scale

By this point, it should be evident that automation is integral to a successful compliance program. But when you’re trying to manage compliance, your choice of automation tools actually does matter. 

For compliance, where preventing configuration drift is non-negotiable, you need model-driven automation supported by compliance tools – ones that can monitor for drift and enforce the desired compliance configurations you define. Without those, you’ll get stuck in an endless loop of drift and remediation.

Try Puppet Enterprise and get a demo of the Puppet Comply add-on for free to find out how desired state automation can help you configure and enforce desired compliance across your systems. 
