Scanning, Understanding + Remediating: Reducing Compliance Struggle with Puppet Comply

00:00:19 Demetrius Malbrough Hey, everyone, thanks for joining this episode of Pulling the Strings podcast powered by Puppet, and I'm delighted to be your host. My name is Demetrius Malbrough.

00:00:28 Demetrius Malbrough I'm on the product marketing team here at Puppet, and I am really excited today to talk with Alex Hin. And Alex comes from a background in cybersecurity, but has spent time also in telecom, data protection and mobile. And most recently, he's been diving into the world of whiskey. Man, that's that's a really, really nice thing to dive into and he is currently enjoying some whiskey from Japan. So I am really looking forward to hearing about that Japanese whiskey. So, Alex, welcome to Pulling the Strings and how are you?

00:01:05 Alex Hin Thanks, Demitrius. Thanks for having me. I'm excited to be here. It's a great day. It's a beautiful day in Toronto where I live. And yeah, I'm just excited to be part of this. This is the super awesome man.

00:01:17 Demetrius Malbrough I really love Toronto. And I always say that it is comparable to Manhattan. You know, when I went it, there were lots of lights and that had the big city vibe and there were also people on the street juggling and doing other nice, fancy activities that they normally do around New York. So I'm looking forward to getting back there.

00:01:39 Alex Hin Yeah, it's got that same kind of vibe. Lots of like lots of life happening out on the streets, people out and about all the time, not just like not on weekends, but like during the day. Any time you go to Toronto, there's something happening either in like a park or a square. But the city's alive, it's very vibrant and there's lots of really neat things and cool things to do here.

00:01:58 Demetrius Malbrough Well, awesome. So let's dove into some of the questions about the topic today. We're going to talk a little bit about Puppet Comply. So kick us off with, I guess, behind Puppet Comply would be compliance. So first of all, what is compliance? And tell us a little bit about the history behind it.

00:02:22 Alex Hin Yeah, compliance. I guess when people think about compliance, it's like an adherence to a standard or a benchmark, right, like a set of guidelines or rules that people should should follow, like a policy of some sort. I sort of see it as, you know, when you join a sports team or you're in like a hockey league or a football league, there's a bunch of rules that you need to follow. There's a code of conduct that you need to follow. Compliance is very similar in that sense. What you do and how you configure your systems or your environment, you know, should have some sort of guidelines, should have some sort of overarching principles behind it. And it's just something that people have turned to and looked to to help them get started in things like secure configuration and just sort of looking at how the rest of the industry looks at things and does things and really just a migration from a free-for-all type mentality when it comes to configuration to a more structured approach to it. The history behind it. I mean, I think it's it people at some point realize that what they needed was help and they needed to make sure that, you know, in the industry that they're in, they followed what those best practices were and they look to organizations to help them understand what that might be. And so probably compliance has been around for longer than we know, but I think the highlight and the spotlight on compliance has really shaped up over the last 10 to 15 years.

00:03:50 Demetrius Malbrough And, you know, I would agree with that as well, Alex, because, you know, most of these regulatory requirements, you know there's a ton of them, a lot of acronyms like PCI and NIST and FISMA. I think that's how you pronounce it. But please forgive me if that's not how you pronounce it. I know about HIPAA. I participated in some HIPAA projects, GDPR, which is still sort of new, and CCPA on the California side, ISO 27000 and I guess 27001. So they're a ton of regulatory compliance and compliance requirements that are out there. So I guess this is where Puppet Comply comes in because there are so many of these requirements that Puppet Comply would probably fit in that particular space and make it a lot more simpler and easier in order to comply with some of these regulations. So why is compliance so hard? Besides, there are maybe 50 or so different acronyms.

00:04:57 Alex Hin I would say primarily there's so many of, you listed off a good handful of them, and at some point we sort of just forget what the acronyms stand for and we just know that, you know, we need to be compliant to those regulations. But compliance is hard because automating compliance is hard. In a lot of cases in the past, you would have compliance things like, well, is there a lock on your door or is there a lock to your server room? And then it became into what is your is your computer firewall set this particular way or your password policy set in this particular way? And as technology evolves, it becomes more complicated and environments become more complex, especially now when we're seeing a lot of environments move from on prem into cloud, but not completely. And what I mean by that is we see a lot of hybrid environments now. And as those environments get more and more complex, your business systems get more complex, your business applications get more complex, and you start to easily lose sight of your entire infrastructure or your entire network. And so for compliance, if you do it once on one particular, you know, server or node or whatever, it may be that simple. But when you start taking that process and thinking about how well, how do I do it in my on prem, how to do it in my in cloud, how do I do it in a hybrid, what's my infrastructure look like, what's my business application look like? How do I do compliance without having a negative impact in my overall business and the ability for me to operate my business? There's a lot of "if, then, buts" when it comes to a compliance program and so, let alone like there's like 50 different compliance standards out there, just even dealing with the one that we have in front of us. And our focus at Puppet, for right now, is this CIS compliance that's still challenging. It's not just a you know, I want to follow this regulation or this body. There's people involved and there's teams involved. And not only like the environments are complicated, but working with teams are complicated and start to get more challenging if you have more distributed teams and the larger your teams grow because, you know, we hope that all of our customers, their environments grow and their complexity grows because their business is growing. But when your business is growing, your teams grow. You need more people. And that kind of makes things it compounds a lot of that, those challenges and it almost exacerbates them a little bit more and more as things get more complicated.

00:07:24 Demetrius Malbrough And, you know, you mentioned teams and growing and right now we're still in COVID-19. So this entire work from home movement, things are getting a lot more digital and complicated as well. And so teams, it's very important for teams to be tightly integrated into work together. So I see this as being really key and critical to making sure that all of the efficiencies are tapped into around compliance and especially CIS. But you know, what is CIS? Because I was unable to explain what it was. So can you break that down for us? What's CIS and what are these benchmarks and why are these benchmarks important?

00:08:04 Alex Hin Yeah, there's yeah, there's definitely a lot of lingo that that comes in this space. CIS is the standard for Internet security. And they're a nonprofit organization that relies on community contribution to build out these benchmarks. And so they've done a really excellent job at recruiting experts in different operating systems and applications like databases and web servers. And they've been able to pool that expertize together and create these things called benchmarks. And these benchmarks are an outline of how one should configure a system or an application. And these benchmarks really enforce the idea that configurations need to be secure, not only to protect the integrity of the application or the business, but also to protect customers information and data should they be on those systems. And really, what CIS has done a really great job at is is pooling together enough experts across the industries to become the de facto standard for benchmarks and compliance.

00:09:07 Demetrius Malbrough All right. So, yeah, I appreciate you explaining that, Alex. So if you don't mind if can we get a little more technical, maybe maybe go a little deeper for the audience exactly around what does Puppet Comply do, you know, how does it work? I know myself that it does kind of a scan across, you know, different types of infrastructure. So let's say hybrid infrastructure to assess compliance with CIS benchmarks in particular. And it also, I guess, lets you see the entire health of your environment across a dashboard. Can you go a little more into depth around, I guess, some of the details around how it works?

00:09:53 Alex Hin Yeah, absolutely. For us, Puppet Comply is a solution. It's more than just a product. And the way that we we like to think about compliance as a problem is that because it's so challenging and difficult and hard, we see Puppet Comply being a unique combination of a product and a professional services engagement. And kind of before I get into the technical details of how it all works, the reason for this is because, I mean, we've talked about it all podcast long is compliance is hard, it's difficult. But, you know, our team of experts at Puppet are really well equipped to help our customers achieve success in their compliance programs. Like we see our team being an extension of our customers' teams working towards the same goals and providing the same type of input and expertize that one would expect from a Puppet services engineer. And so we see it as a product and a service, and that helps our customers be successful. The product side of Comply has dashboards, scanning capabilities, but what it does is it actually has a local agent that is already deployed in a customer's environment. So if a customer has Puppet Enterprise already deployed in their infrastructure, Puppet Comply leverages that same agent and performs an assessment against a CIS benchmark. And everything's executed through Puppet Enterprise. And what that does is the user, the customer, gets a nice dashboard that provides all of that great compliance information from the overall score, the rule details including how to fix it. And in a really simple and quick way of getting through the data. And what I mean by that is because of the way that we've architected our scanning capabilities into Puppet Enterprise, we're able to perform assessments very, very, very, very quickly and efficiently because it's local, it's local to the system that it's on. And so the results come back very, very fast. And I've actually, a funny story, I had the opportunity to demo Puppet Comply to many customers and each time I toy with the idea of whether or not I want to do a live assessment or just show the data. And each time I've gone to doing a live assessment, so on a call with a customer, I will actually hit the scan button and wait for the results to come back. And I'm glad to say that it hasn't failed me yet because sometimes you know that the demo deities aren't in your favor. But it's it's amazing how fast the information comes back and how quickly people are able to kind of jump into the data and see where they need to maybe put some more effort into fixing the issues. So Puppet Comply gives you the understanding of compliance and then our customers can turn to our professional services team or the Forge or even build their own modules to implement remediation and they can apply those remediations through Puppet Enterprise.

00:12:44 Demetrius Malbrough OK, so the services component of it. So help me understand, where does the services component I guess, come in, come into play here? Because if you have Puppet Comply and it's installed and running in the background and ready to go, where does the services component come into play and why is it needed?

00:13:05 Alex Hin Yeah, it's it's a really great question. Our services team is well equipped to assist in pretty much any way that is needed for a compliance program, whether it be understanding like scope and visibility, taking actions on remediation. So building up those modules, you know, is a huge value add from our services team because sometimes they get complicated, but they also need some tailoring into a customer's environment, right. So that's where our services team really shines. It's in the expertize of how to leverage the Puppet platform or the Puppet family of products in achieving those compliance goals. And our team isn't just here to write modules, they're here to provide guidance, to provide efficiencies and process improvements into a compliance program. So it's not just a one and done type of engagement. It is a here's what you need to think about, here's how you resolve these issues, here's the actual things you need to do to resolve those issues, and here's how to fix and update things as time goes forward. And so, you know, our focus on the solutions side is really to make sure that our customers have success not only right off the bat, but ongoing success in their compliance program.

00:14:14 Demetrius Malbrough Yeah, you know what? It actually makes sense, because if you have, let's say, 100,000 systems, then you more than likely would probably benefit from having some more professional services involved to kind of help you really tailor and stand up that particular service in the environment to make sure that it is operating efficiently in the environment, in that it also is fully, fully, fully tailored to that specific environment, especially across your teams. And you might also even need someone to show your teams the way around the product and some of the actual things that they need to do to make sure that everything is running smoothly. So, yeah. I appreciate you explaining that, Alex. And I guess maybe doubling back on the issue around teams, and where do you think some of the teams might struggle just with compliance in general? And also once again, where with the Puppet Comply family fit in into that particular puzzle?

00:15:21 Alex Hin Yeah, I think the real strength is in the Puppet portfolio, in the Puppet Enterprise site. And Comply offers assessment and status and dashboard and information in a really easy to understand way. But that's just part of the puzzle, right? There's in my mind, there's three sort of key activities in a compliance program. Assessment is the first one, remediation is the second one and a third one, which is really a combination of the first two, which is enforcement. Assessment is where product employee provides that capability is to understand compliance against the benchmark. When we talk about remediation, which I think is the most challenging aspect of a compliance program, remediation is about fixing those issues that come up, in a lot of cases, in many compliance programs it's usually a handoff, a very serial process. So some team somewhere, does an assessment and they get all the results. And what they need to do is they need to figure out which ones need to get fixed, which ones are the failed ones that need to get resolved. And they compile this big list of failed compliance things and they send that over to the team. In most in most cases, the infrastructure and IT Ops teams are the ones that are responsible for fixing it. So they have this this report that says here's all the things I've failed to give it to a team and they say, well, here's all the things you need to fix. Fixing things, if you do one server, one node, maybe five, maybe even 10. Pretty simple, right? You can you can manage that. But when you're talking about like a thousand, ten thousand, fifty thousand, you know, you can't just do those things manually. You need automation. You need a way of hitting all of those servers quickly and efficiently. And really, you don't need to do it fifty thousand times. You should really just do it once and then apply it across all fifty thousand. And that's where, like the power of Puppet Enterprise comes in, it's because you can push these changes out to all of the nodes that need to have these changes be implemented, with a few clicks. And you don't you only do it once. You need to code it or define it once, and then you're done and you send it out and then it gets it gets completed for you. That's the hardest part, right? Because without automation, it becomes manual. And yes, some people have done things like scripting or they're enforcing group policy and things like that. But that's not scalable in the same way that Puppet Enterprise scales automation. And then sort of the last part of the activities is enforcement. But enforcement, like I say, is really just a combination of the first two. You assess and remediate and then you assess and remediate and then you assess and you remediate because you have to see you have to wait and see if your changes were the right ones and were successful. So the only way of doing that is you assess them again and you see if it's been fixed by the very nature of an assessment and looking at the report. Where Puppet Enterprise really helps customers with the enforcement is, you know, desired state configuration. And so that might be a big term, but what it means is you can define what your system is supposed to look like. And at any time, if your system does not look like that, Puppet, the Puppet agent will change your system so that it looks like what you've defined it as. So you don't have to worry about someone like going on your server and making a change, like opening up a firewall or changing the password policy. Puppet Enterprise can just flip those things back even after someone's changed it.

00:18:39 Demetrius Malbrough Wow. OK, that was a lot. So I appreciate you breaking it down. I like that framework. Assess, remediate and enforce. Have you heard this thing: compliance as code? is that something we created or is that is that new or not new.

00:18:52 Alex Hin Yeah, I've heard of compliance as code. It's effectively what we're doing right. You code what compliance means to your organization and you regularly enforce it by executing the code. And you can even consider it a subset of infrastructure as code because it's the same idea. Right. I wanted to define something once. I want to have that code executed on my server or node. And then that's the last time I really need to do anything about it. Right. And so, yeah, compliance as code. Yeah, that's what we that's what we have with a Puppet Enterprise and our Puppet portfolio. But it's a term that's been around for a little while and more and more companies are sort of latching on to the idea as more and more things becomes, you know, something as code. That's it's almost like a trending buzzword. You know, pick your noun, compliance is something that's becoming more and more important. And more and more customers and companies are like, oh, no, this compliance is the real deal. I need to worry about it, because if not, I'm going to have penalties or I'm going to be trouble. And, you know, it's just becoming, the importance of it is becoming more and more. And so the need for something like Comply and Puppet Enterprise is so much more important in an organization because we can do things at scale and we can do things quickly.

00:20:03 Demetrius Malbrough Yeah, and I guess when this comes up a lot is during the annual or quarterly audit, no one wants to fail an audit. So I'm sure that Puppet Comply would fit perfect within that particular category around making sure that audits are successful from that perspective and that you're not dealing with fire drills, like I've heard some stories about fire drills around audits and not being able to pass the audits because, you know, you just don't have the right tool set involved in order to produce the information that's needed. And it sounds like Puppet Comply would definitely fit to that puzzle to help you kind of, I guess, reduce that burden of preparing for an audit, would you say?

00:20:46 Alex Hin Yeah, absolutely. I think you hit the nail on the head. Right. Audits tend to be fire drills for an organization or a team. And if audits happen frequently, in some cases they do, it's like a nonstop fire drill. With Comply and Puppet Enterprise, you know, we feel like our customers can be a lot more proactive in their whole overall compliance. So when an audit does come, it's not like it's not a mad scramble to getting things done or to getting things in tip top shape, those investments tend to be really heavy and really resource expensive. But if customers can be proactive, it means that they don't, you know, they don't have to deal with moving a boulder all at once. They can deal with, you know, moving the pebble with a rock, you know, on a regular basis. That way it's a little bit easier for our customers to deal with it. I've heard stories where some of our customers during audit time they, effectively, just show. You know an auditor comes and goes, you know, show me show me your audit process and how do you maintain compliance? And in some cases, I've heard stories where our customers effectively just show the auditor Puppet Enterprise plus a module they use and the auditor the cool. I know Puppet. I know how it works, then it's good. It looks good to me. I know that, you know, Puppet to trust the technology in desired state configuration. So no need to worry about changes or drift or anything like that.

00:22:05 Demetrius Malbrough Yeah, that is pretty awesome. And that's the power of Puppet. So this was definitely cool. Is there a website or a place that some of our listeners can go to get more information about Comply, or what about maybe linking in with you or connecting with you, Alex?

00:22:23 Alex Hin Yeah, absolutely. Our official product page is Puppet.com/products/puppet-comply or you can find it from the home page as well. There's a navigation bar at the top that'll lead you to our products. Also, you can find me on LinkedIn, Alex Hin, and, you know, feel free to reach out, ask questions. I'm fairly responsive there and I'm just happy to engage with people, to talk all things compliance. It's an exciting time for myself and also at Puppet, got a lot of things to be excited about and lots of work ahead of us.

00:22:54 Demetrius Malbrough Now, you know, you're not getting off that easy without giving us a recommendation of your favorite Japanese Scotch. So, yeah, lay it on us.

00:23:02 Alex Hin OK, so the first one that I got is the one that I actually enjoy the most and it's by Santori House and that I guess that's the company name, but the whiskey is actually called Toki and this is a I would classify this as a summertime, summer evening kind of whiskey. It's light, it's fruitful, it's easy to drink. It doesn't have a lot of smoke or spice to it. It's just something that just, you know, to me when I have it, I have it, you know, sun setting, I'm out on the patio, just winding down my day, have a little bit of this Santori Toki and they really just caps off my night for me. I really enjoy that one. So check that one out.

00:23:46 Demetrius Malbrough Yeah. It sounds like a glass of that goes very well with the Puppet Comply, that you actually pour up a glass of that, you log in to Puppet Enterprise and then you click the scan button. I don't know if that's correct or not because I haven't played around with it. So slap me on the hand, Alex. You pour that glass of Toki and you just sit back and watch those messages roll in that all the green has shown up, you know, things are getting resolved, right. So yeah. I appreciate that recommendation. I'm going to have to take a look at that. Is that an expensive bottle or middle of the road? You know what is, what's the price point?

00:24:29 Alex Hin Yeah. So in Canada, it's about $70 for the bottle. But I do know that in the United States, you can actually find it at some Costco's, as well. So I believe it is more on the lower end in terms of the price point. It's definitely not on the expensive side, but it's something that is widely available as far as I can tell.

00:24:48 Demetrius Malbrough All right. I'm a Sam's Club guy, so I'm going to have to check to see if they have it. But if not there are liquor stores on the corner, just as churches are, so they are very, very prevalent. So, Alex, I appreciate you coming on Pulling the Strings podcast. How about Puppet? I would like to thank you for sharing with us. And until next time, you have a fantastic day.

00:25:11 Alex Hin You too, Demitrius. Thanks for having me.