How Swiss Re Uses Puppet to Consolidate Configuration Management for Thousands of Windows Servers
Swiss Re is one of the world’s leading providers of reinsurance, insurance, and other forms of insurance-based risk transfer. As part of their digital transformation initiatives, the company needed to move away from proprietary Microsoft tools to automate their Windows provisioning and management.
Benefits of Using Puppet:
- Faster Windows provisioning, trimming weeks off the standup process
- One tool to manage configurations instead of disparate, proprietary Windows tools
- Server security enforced by default, with CIS compliance built into every new machine
Challenge: Vendor Tools & Cumbersome Configuration
A fleet of 5,800 servers, including about 3,700 on Windows, provides the infrastructure for Swiss Re’s IT teams and services. At that scale, uniformity isn’t just the goal — it’s just expected.
Their main obstacle to scalable Windows infrastructure management was a lengthy provisioning process. Spinning up a Windows machine using Windows tools like SCCM, DSC, and GPOs could take weeks, which simply wouldn’t work to meet the pace and scale of Swiss Re’s business.
“The business and IT were changing,” said John Rogers, System Engineer at Swiss Re. “We started being a lot more customer focused … The IT outside of shared services wanted to get things quicker to market. [They’d say], ‘We can’t wait two weeks for this. I need my systems now, and they’d better look good.’”
When upgrading to a new Microsoft OS, the infrastructure team knew their minimum qualifications. They’d need a repeatable provisioning process, security and compliance built in, and a single tool for managing configurations if they were going to keep up.
“The time to deliver a machine to someone was typically weeks,” said Rogers. “Because you have to go to all the different systems and you have to configure things. We thought, ‘This isn’t really the way we want to introduce [the new OS]. This isn’t very agile.’” These hangups were stalling delivery, frustrating stakeholders and, most importantly, keeping Swiss Re from reaching its business goals.
“So we [asked ourselves], ‘How do we start to manage this and give people something where every time they order a machine, it’s there quickly? It’s consistent? They all look the same?’”
Rather than burden themselves with disparate Windows-specific tools again, the Swiss Re infrastructure team opted for infrastructure as code (IaC) with a central, accessible source of truth.
Results: Fast Provisioning & Compliant Windows Machines
“We had tried to do some stuff with DSC, and in the end … We really felt [Puppet] was the right tool for us.”
- John Rogers, System Engineer at Swiss Re
Swiss Re chose Puppet after prototyping a number of configuration management solutions. They rolled out Puppet agents on all 3,700 Windows servers, giving them end-to-end automation capabilities that don’t rely on proprietary Windows configuration tools and manual processes.
With Puppet, Swiss Re saw key improvements to their infrastructure management:
- Sped up provisioning time significantly for Windows machines (including user rights assignment) in a diverse environment
- Brought 6.2 million resources under management
- Consolidated configuration management from SCCM, DSC, and GPOs to one central platform
To get the benefits of GPOs without actually having to use them, the Swiss Re team developed their own module to mimic GPOs, which helped them manage the significant resources they’d brought into Puppet.
Virtually One-Click Provisioning
With Puppet automation, Swiss Re teams no longer need to file tickets, create directories, or perform any of the other tasks normally associated with getting a machine ready to use. A user request in their private cloud platform triggers a microservice that queries the configuration management database (CMDB), which is used to define configurations for the server to be provisioned. A Puppet run then executes scripts and manifests that apply the desired configurations to that new server — all with no manual touch.
Rogers explains how much of a game-changer the new process is for his department’s customers: “With our private cloud, the customer can go into the web portal and order a machine … They can say, ‘Okay, I want this and I want this’ … The customer really can click a button, and by the time they log on, the machine is built. It has all the prerequisites and everything they need to do their job.”
“No Excuses” Security by Default
Puppet also helped the Swiss Re infrastructure team back up their security goals with actionable, repeatable processes. “One of the mantras that we have at Swiss Re is that security is everyone’s job,” said Rogers. “You cannot pass off security to another team. There’s no excuse.”
That’s why, in the face of big changes to their critical infrastructure, Swiss Re looked to “the lowest common denominator” for ensuring security and availability. In other words, as Rogers put it, “How secure can I make my machine and [make sure] everyone can still function?”
Puppet lets them insist on a Windows machine that’s secure by default. That revolutionized their approach to configuring for security: Now, non-compliant Windows machines are an exception, not the rule. Combining guidance from the Center for Internet Security (CIS), like CIS Benchmarks and CIS Controls, with Puppet desired state management means they can build CIS-compliant machines out of the box. “Only if someone needs a change do we make the change,” said Rogers.
A Single Source of Configuration Truth
When it came to managing the configuration of Windows servers, a single source of truth was essential for Swiss Re’s infrastructure team. “I didn’t want to do parts of this in SCCM, parts in GPO, parts in DSC, and then some in Puppet,” Rogers said.
Using multiple tools for the same purpose was a waste of time, leading to toil, confusion, and a lack of visibility at the enterprise level. “It was too hard to understand what was the source of truth,” said Rogers. “How do I know how my machine is supposed to be configured if I have to go to four different places to see which configuration items are true?” Now, human-readable Puppet code represents all the configurations his team needs to know — and since it’s all code, it can be monitored for change management and auditing purposes.
And for everything that wasn’t built out of the box, Puppet’s extensibility framework let the Swiss Re team integrate and tweak it to their specific needs. “So it wasn't like we were having to call out to this tool or to this tool,” said Rogers. “We could really do everything inside of Puppet.”
With Puppet automation enforcing configurations across their complex infrastructure, the Swiss Re team is managing more servers and resources than ever in a fraction of the time it used to take.