Managing Compliance Drift: Break the endless scan-fix-drift cycle
In the first post of this series, we provided guidance for managing the many facets of a compliance program — taming the “compliance beast.” While there are many factors to consider, I’d argue that none is more essential than a reliable means of enforcement.
The only constant is change
Call it entropy or call it drift. Somehow things that you thought were locked down and cast in concrete have a tendency to devolve over time. When it comes to compliance, however, the stakes are too high. We can’t simply accept configuration drift as a fact of life.
While infrastructure is initially deployed in a compliant state, it’s almost inevitable that changes will occur over time when multiple people have access to an environment. Say a sysadmin manually edits a managed registry key or changes the password on a local account. Even a minor update can result in configuration drift that brings a system out of compliance. And a lot of “minor updates” can happen in the window between compliance scans, during which time you may be out of compliance without even knowing it.
Without a way to continuously enforce the configurations you define, every compliance scan will likely turn up numerous violations. You’ll spend time remediating them, drift will occur, and the cycle continues…
Breaking the cycle
Model-driven (or declarative) automation breaks the endless scan-fix-drift cycle. With Puppet’s model-driven approach, you define the desired state of a system in accordance with your compliance policy — the various controls that must be in place on a specific server or operating system — and that end state is re-applied on every Puppet run (by default, every 30 minutes). If a user makes a change that alters a managed configuration, it will automatically revert to its compliant state on the next run. The caveat is that only resources you have actually modeled are enforced: a setting the policy doesn’t declare can still drift unnoticed, so the model needs to cover every control the benchmark requires.
The same configuration can be applied to any system during provisioning, whether it lives on-prem or in the cloud, ensuring that controls are consistently enforced at scale and across environments.
Task-based (or imperative) automation doesn’t provide the same benefits. While this approach works well for orchestrating a sequence of events and automating one-off tasks, it lacks the concept of desired state. A task sets a configuration once; nothing re-checks it afterward, so a compliant configuration can easily be overwritten and, unless someone happens to notice the change, it won’t be corrected. There is no source of truth to revert to automatically.
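To make the declarative/imperative distinction concrete, here is a small Puppet manifest added as an illustration (it is not code from the original post and not a Puppet-supplied module). It models two controls of the kind a CIS Benchmark expresses: restrictive ownership and permissions on the SSH daemon configuration file, and the absence of an unauthorized local account. The class name `cis_ssh`, the account name `guest`, and the service name `sshd` (it is `ssh` on Debian-family systems) are assumptions for the example.

```puppet
# Added example, not from the original post. The class name, the 'guest'
# account and the 'sshd' service name are assumptions for illustration.
class cis_ssh {

  # Declarative resource: on every run Puppet compares each attribute
  # (existence, owner, group, mode) against the live file and corrects
  # only the attributes that have drifted. A manual 'chmod 644' by an
  # administrator is reverted on the next run without anyone noticing it.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # The service is restarted only when the file it subscribes to actually
  # changed; an unchanged, compliant system produces no action at all.
  service { 'sshd':
    ensure    => running,
    enable    => true,
    subscribe => File['/etc/ssh/sshd_config'],
  }

  # Desired state can also be "must not exist". If a sysadmin re-creates
  # this local account between compliance scans, it is removed again on
  # the next run rather than waiting for the next scan to flag it.
  user { 'guest':
    ensure => absent,
  }
}

include cis_ssh
```

The task-based equivalent is a runbook step such as `chmod 0600 /etc/ssh/sshd_config` executed once: it fixes today’s finding but leaves nothing behind that re-checks the mode tomorrow. With the manifest above you can first audit without touching anything, `puppet apply --noop --detailed-exitcodes cis_ssh.pp` (an exit code of 2 means at least one resource has drifted from the model), and then drop `--noop` to enforce it; a Puppet agent does the same check on its normal run interval.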
Keeping pace with regulatory change
Our customers tell us that one of the biggest challenges they face in trying to maintain compliance is keeping up with new and changing regulations. If the desired state you’ve defined doesn’t reflect the most up-to-date compliance controls, it doesn’t do you much good. Most compliance scanners can take weeks or even months to incorporate updates, so they won’t immediately detect a violation of an updated rule.
Puppet Comply helps close that gap. It leverages CIS-CAT® Pro to assess your infrastructure for compliance with CIS Benchmarks™. The Center for Internet Security® (CIS®) defines the CIS Benchmarks and maintains the CIS-CAT assessment tool, so Puppet Comply scans always reflect the latest benchmark updates.
When you need to update a configuration accordingly, you can modify the desired state in Puppet Enterprise, and the change will be reflected on all systems to which it is applied. This can save a ton of time and mitigates the risk of error that comes with manually making the same change on hundreds or thousands of individual machines.
By this point, it should be evident that automation is integral to a successful compliance program. But automation comes in many forms designed to achieve a variety of outcomes. For compliance, where it is essential to ensure that systems remain in their desired state, model-driven automation is the best approach. Without it, you’re stuck in an endless loop of drift and remediation — constantly working at the same task only to have it reversed, like Sisyphus with his boulder.
Simone Van Cleve is a Product Marketing Manager at Puppet.