Managing compliance can seem like a losing game. It seems like you'll never be ahead – like you'll always be fixing drift after it happens, only for your configurations to inevitably slip again. Managing compliance becomes a vicious cycle of scanning to hunt down drift, fixing it as best you can, and waiting for it to happen again.
Compliance as code can help you define your desired state. But for actually maintaining and managing compliance, there's nothing more important than a declarative model for compliance enforcement. In this blog, we'll explain the compliance risks posed by configuration drift and how automation can help you break the scan/fix/drift/repeat cycle.
Managing compliance in IT means keeping system configurations compliant with IT security frameworks and regulations. Tasks for managing compliance include compliance scanning, drift remediation, configuration management, and more.
Compliance management is more than a checklist. It means using tools and frameworks to define, monitor, and enforce compliance in your systems. Configuration drift is one of the hard-to-deal-with factors that can make managing compliance feel like an uphill battle.
Every change your team makes to system configuration – whether accidentally or on purpose – runs the risk of altering or modifying the configurations your compliance is built on. Somehow, the compliant configurations you thought were rock-solid start to crumble over time.
Here’s how it usually goes:
Use a compliance scanner to find drift and uncover noncompliance in your IT and infrastructure.
Remediate drift and bring systems back into compliance manually or use automation for compliance management.
One-off changes, unauthorized modifications, unverified patches, and other actions cause configuration drift.
Configuration drift is more than just an annoying problem. Managing drift can mean the difference between security and vulnerability; between smooth operations and costly downtime; between passing with flying colors and getting tangled up in audit after audit.
This one’s pretty obvious, but it’s the most immediate issue drift presents for your compliance management. If multiple people have access to the environment, changes are almost inevitable – even if you deploy infrastructure in a compliant state.
All kinds of manual configuration, whether pushing code or applying a patch, present some amount of risk to your compliance. Say a sysadmin manually edits a managed registry key or changes the password on a local account. Even a minor update can result in configuration drift that brings a system out of compliance – and a lot of “minor updates” can happen in the window between compliance scans. In the meantime, you may be out of compliance without even knowing it.
Without a paper trail, it’s hard to maintain an accurate baseline configuration. It also makes compliance audits tough, because many auditors require evidence of compliance – and that evidence can’t account for undocumented changes and one-offs.
If unauthorized or bespoke changes are being made without clear visibility into who made the change, why it was made, and how it impacts compliance, your team will probably end up spending a lot of time hunting down that information when audit time comes around.
If you apply updates, patches, and hotfixes without knowing how they’ll impact your system, they can contribute to drift by modifying configurations. When updating software, visibility is key to preventing undocumented drift.
The longer drift happens without you noticing – or the longer you ignore it – the further out of compliance you’re likely to be when you perform a scan or get audited. Also, the lower your compliance, the harder it can be to get back to your desired compliance.
Without a way to continuously track and enforce the configurations you define, every compliance scan will likely turn up numerous violations. You’ll spend time remediating them, drift will occur, and the cycle continues.
The basic steps of compliance management include assessing noncompliant systems, prioritizing the biggest issues, patching or reconfiguring systems, and reporting on changes that were made.
If you're not compliant, you're less secure and more vulnerable to security breaches and cyberattacks. If you fail a compliance audit, you might also be charged a fine, be stripped of certifications, and ultimately lose business.
Managing compliance comes down to a few basic steps:
Best practices for compliance management include regular scanning, patching, testing, and automating compliance with configuration as code.
Your choice between the two main types of IT automation plays a huge role in managing compliance.
Using model-driven (or declarative) automation in a tool like Puppet lets you define the desired state of a system in accordance with your compliance policy. Then, it continuously enforces the specific controls that must be in place on a specific server or operating system with policy as code.
In Puppet, if a user makes a change that alters a configuration, it will automatically revert to its compliant state on the next Puppet run. The same configuration can be applied to any system during provisioning, whether it lives on-prem or in the cloud, ensuring that controls are consistently enforced at scale and across environments.
Task-based (or imperative) automation, on the other hand, doesn’t provide the same benefits because it lacks the concept of a desired state. Imperative automation can orchestrate a set sequence of events to automate one-off tasks. But when someone or something overwrites a compliant configuration, it won’t be corrected automatically because there’s no source of truth to revert to.
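To make the desired-state model concrete, here is an added example manifest (not code from this post or from Puppet’s own modules) declaring a few CIS-style controls of the kind mentioned above; the class name, paths, package and account names, and values are assumed for illustration.

```puppet
# Added example, not from the original post. Each resource below is a desired
# state, not a one-off command: on every agent run Puppet compares the live
# system with these declarations and corrects only what has drifted.
class compliance::baseline {

  # Control: sshd config must be root-owned and not world-readable.
  # A manual `chmod 644` on this file is reverted on the next run.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    notify => Service['sshd'],
  }

  # Control: the SSH service must be running and enabled at boot.
  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # Control: a legacy cleartext service must not be installed
  # (package name assumed; adjust to your OS's package name).
  package { 'telnet-server':
    ensure => absent,
  }

  # Control: an unneeded local account must not exist, and root's password
  # must expire at least every 365 days (Linux useradd provider attribute).
  # Re-creating the account or resetting the policy by hand is undone next run.
  user { 'guest':
    ensure => absent,
  }
  user { 'root':
    ensure           => present,
    password_max_age => 365,
  }

  # Control: audit log directory must be root-only (path assumed).
  file { '/var/log/audit':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }
}

# Apply the baseline to this node (normally done via site.pp or classification).
include compliance::baseline
```

Running the agent with `--noop` (for example `puppet agent --test --noop`) reports which of these resources have drifted without changing anything, which is useful for an audit-style check; the same run without `--noop` remediates them.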
Puppet users tell us that keeping up with regulations is one of the biggest challenges they face in trying to maintain compliance. If the desired state you’ve defined doesn’t reflect the most up-to-date compliance controls, it doesn’t do you much good. Most compliance scanners can take weeks or even months to incorporate updates, so they won’t immediately detect a violation of an updated rule.
Puppet Comply, a premium add-on to Puppet Enterprise, helps close that gap. It leverages the CIS-CAT® Pro Assessor from the Center for Internet Security (CIS) to assess your infrastructure’s compliance with internationally recognized CIS Benchmarks. With this integration, Puppet Comply scans always reflect the latest CIS Benchmark updates so you’re never a step behind.
Compliance Enforcement Modules (CEMs) in Puppet Comply revert configurations to automatically align with CIS Benchmarks and DISA STIGs. Automatically enforcing these primary frameworks saves time and mitigates the risk of manually managing compliance on hundreds or thousands of individual machines.
DBS Bank, a leading financial services group headquartered in Singapore, found that configuration drift was hampering their in-house security system. It took a team of 13 dedicated engineers to generate reports and remediate security configurations across their hybrid cloud infrastructure. DBS Bank freed up the majority of that staff (and their valuable time) by replacing mandatory drift remediation with self-healing infrastructure-as-code from Puppet. They automatically enforce desired compliance across their infrastructure, aligned with DISA STIGs and other important compliance frameworks.
When a control changes and you need to update a configuration accordingly, you can modify the desired state in Puppet Enterprise, and the change will be reflected on all systems to which it is applied.
By this point, it should be evident that automation is integral to a successful compliance program. But when you’re trying to manage compliance, your choice of automation tools actually does matter.
For compliance, where configuration drift can’t be tolerated, you need model-driven automation supported by compliance tools – ones that can monitor for drift and enforce your custom desired compliance configurations. Without those, you’ll get stuck in an endless loop of drift and remediation.
Try Puppet Enterprise and get a demo of the Puppet Comply add-on for free to find out how desired state automation can help you configure and enforce desired compliance across your systems.
Senior Director of Product Marketing, Puppet by Perforce
Robin Tatam (CISM CPFA CTSP CTMA PCI-P) is a Product Marketer at Puppet by Perforce, where he promotes the benefits of managing compliance using Puppet. Prior to his role with Puppet, Robin worked as a Security Evangelist, and was a globally recognized SME and five-time IBM Champion. Robin also loves travel and cultural exploration, is an accomplished photographer, and considers himself an amateur mixologist.