Puppet’s journey into Continuous Compliance
During my tenure at Puppet, I’ve learned that almost everything we do is focused on two things — eliminating soul-crushing work, and the never-ending desire to solve really hard customer problems. Couple those with the positive and energetic attitude of the Puppet team, and we’re bound to have a profound impact on our customers. ~~Maybe I’ve had too much Kool-Aid?~~ But I really believe we’re onto something here…
Our newest solution, Puppet Comply, carries on this theme.
Customers were using Puppet for compliance long before Puppet Comply, and before the CIS Compliance Service launched earlier this year. That’s because Puppet Enterprise allows our customers to take a model-driven approach to configuration management. With PE, customers can define how a system is supposed to look, so that when it gets deployed, it’s automatically configured to the desired state. If the defined configuration changes, Puppet reverts the system back to the desired state, eliminating the problem of configuration drift. That’s awesome.
Naturally, this approach to configuration lends itself very well to compliance. I can define how a compliant system looks based on regulatory frameworks and internal security policy, and have PE enforce it. This keeps me automatically and continuously compliant. While Puppet Enterprise is great at enforcing compliance with a defined policy, it doesn’t help you understand HOW compliant you are. There are still some missing puzzle pieces: What’s my overall level of compliance? Which systems are out of compliance, and what do I need to remediate? That might be okay for some, but it’s not okay for most.
Our customers have asked us to provide visibility into their compliance status because defining the model isn’t enough anymore. Companies have entire programs, teams, and resources dedicated to managing compliance programs, and all of the processes and activities within them. They need to have solid programs, and they need to be able to provide proof of compliance. I once heard a customer refer to this as the burden of proof. It’s serious stuff.
So what did Puppet do? We listened.
Puppet Comply is a solution. It is the combination of a new product and our CIS Compliance Service, and it is available today.
I already know what you’re going to ask.
Why a combination of a product and services?
TL;DR: it’s hard.
Comply will provide customers with the required assessment capabilities through the product. We’ve partnered with the Center for Internet Security (CIS) for both the benchmark content and assessment technology to bring our customers the industry standard in benchmarking, joined by a purpose-built assessment tool directly from the source.
Our expert services team will serve as an extension of a customer’s team, helping them bridge skill and resource gaps through compliance assessment, remediation, and enforcement of CIS benchmarks. They’ll help customers craft Puppet modules specifically for their environments, provide training on best practices, and equip them with all of the necessary tools for continued success.
This is just the beginning of Puppet’s journey into compliance, and we’re excited. We’ve got lots of great features on the roadmap to help our customers drive successful outcomes in their compliance programs. We hope you’ll check out Puppet Comply and share your feedback.