Security and Compliance as Code
You’ve just fixed all the security vulnerabilities from the list given to you by IT Security, only to receive a new list with yet more of them. And your soul-crushing cycle of remediation starts again. Sound familiar?
Wouldn’t you and your IT Ops team rather be ahead of the IT Security Team, proactively scanning servers and implementing security and compliance as code? What about enforcing security and compliance with regular agent runs?
Puppet Enterprise and Puppet Comply can help to permanently reduce the effort of finding and fixing vulnerabilities.
Puppet Enterprise offers the ability to describe security and compliance as code, for both Unix and Windows systems. An agent on the servers ensures that the desired configurations are enforced, and at the same time an enforcement compliance report is created. This eliminates the soul-crushing task of fixing vulnerabilities on each server manually. Provisioning new systems is accelerated as well, as all the security rules are enforced from day one.
As the desired state code for your security rules is managed in a version-controlled repository, changes can be easily traced and documented. Changes can be rolled out automatically if the change management process includes a Continuous Delivery pipeline; otherwise they can be rolled out during defined change windows.
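As an added illustration of what "security as code" enforced by the agent looks like (this is not code from the page or from Puppet itself), here is a small profile class that pins a few CIS-style hardening settings. The class name, the setting values and the use of the `file_line` type from the puppetlabs-stdlib module are assumptions; the exact values for a given platform come from the benchmark you are enforcing.

```puppet
# Added example: a desired-state class that enforces a few CIS-style
# hardening settings. Assumes puppetlabs-stdlib (for file_line) and an
# sshd service named 'sshd'; values are illustrative, not a published
# benchmark, so take them from the benchmark for your platform.
class profile::hardening {

  # Restrict the password hash store to root. The agent corrects owner,
  # group and mode on every run and records the change in its report.
  # (Some distributions expect a different group/mode; follow your benchmark.)
  file { '/etc/shadow':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0000',
  }

  # Each sshd_config directive is matched by name so an existing (possibly
  # commented-out) line is rewritten rather than duplicated.
  $ssh_settings = {
    'PermitRootLogin'      => 'no',
    'PermitEmptyPasswords' => 'no',
    'MaxAuthTries'         => '4',
  }

  $ssh_settings.each |String $key, String $value| {
    file_line { "sshd_config ${key}":
      path   => '/etc/ssh/sshd_config',
      line   => "${key} ${value}",
      match  => "^#?${key} ",
      notify => Service['sshd'],   # any drift correction restarts sshd
    }
  }

  # Keep the service running and enabled so the enforced config is live.
  service { 'sshd':
    ensure => running,
    enable => true,
  }
}
```

Running the agent with `--noop` reports the drift that would be corrected without touching the node; a normal run enforces the state and the report records exactly what changed.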
Puppet Comply supports IT Ops teams in proactively checking the security and compliance state of their systems against well-known public benchmarks. For CIS compliance, Comply uses the CIS-CAT Pro scanner from CIS itself to check the servers for compliance with the controls in their benchmarks. If aspects of the system are found to be non-compliant, they can be remediated by using Puppet Enterprise’s desired state configuration enforcement to reconfigure the servers. Because Comply uses the CIS-CAT Pro scanner, an updated scanner is immediately available when new versions of the CIS benchmarks are released.
In combination with scans done by the IT Security teams, a four-eyes principle can be established to increase security and compliance. Furthermore, the ability of the IT Ops team to immediately validate that a remediation has fixed a compliance issue can significantly shorten the lead time to get your infrastructure to a compliant state.