Regulatory compliance is time-consuming and expensive. A recent survey of IT security professionals found that, on average, organizations must comply with 13 different regulations and spend an average of $3.5M annually on compliance activities, with audit-related activities consuming 232 person hours per year. With a team of five people, that adds up to 1.5 months a year devoted to audit-related activity. That’s a lot of hours that could have been spent on initiatives driving customer value. We can do better.

A programmatic approach to compliance

Taking a programmatic approach to compliance through coding and automation can save you a lot of time (and grief). Nearly all survey respondents (99%) indicated their organization would benefit from automating IT security and/or privacy compliance activities, citing expected benefits such as increased accuracy of evidence, reduced time spent being audited, and the ability to respond to audit evidence requests more quickly. Sounds great, but how do you get this done?

Let’s break it down into three key steps: define compliance policy as code, incorporate compliance checks into the software delivery lifecycle, and eliminate configuration drift with model-driven automation.

Define compliance policy as code

With few exceptions, the infrastructure requirements in your organization’s compliance policy — say, minimum password length or firewall configuration — can be defined as code, enabling policy-based management and providing a template for newly provisioned infrastructure.

Policy as code is essential to automating and scaling many of the manual tasks associated with compliance, from testing to remediation to enforcement. In short, it is the first step in bringing order to the compliance chaos, and enables the following stages.

Integrate compliance checks into the software delivery lifecycle

Compliance is often seen as a bottleneck to accelerated deployment. While DevOps, CI/CD workflows, and on-demand provisioning have increased agility in the software delivery lifecycle, compliance checks are typically manual and don’t occur until the final stages of development. Thus, when a violation is detected, it leads to re-work and delays.

According to CIO and CTO interviews conducted by McKinsey in 2019, “69 percent of organizations indicate that implementing stringent security guidelines and code review processes can slow developers significantly.”

In reality, this problem has more to do with siloed workflows than it does with compliance requirements. If compliance checks are the last step in your development process, you’re setting yourself up for failure.

Policy as code helps address the underlying issue by ensuring that compliance requirements are incorporated into the initial design phases and enabling the integration of compliance checks into DevOps workflows. It’s a lot easier to design around a requirement than it is to re-architect a finished product — imagine building an entire house and then finding out that the foundation doesn’t meet building standards.

Running compliance scans in dev and test environments will turn up issues before the whole house is built and mitigate the risk of a show-stopping issue that delays deployment. With Puppet Comply, IT Operations teams can run their own scans instead of needing to rely on InfoSec. Plus, scan results are mapped to individual nodes along with clear instructions for fixing a violation, making remediation more efficient.

Eliminate configuration drift with model-driven automation

Defining policy as code goes a long way toward bringing order to the compliance chaos, but it doesn’t do much good unless you have a way to enforce policy — that is, to prevent configuration drift and keep systems in their compliant state.

A model-driven automation tool like Puppet makes this achievable at scale, allowing you to define the compliant configuration for any system in your infrastructure, enforce that configuration, and automatically remediate drift. The Puppet agent continuously checks configurations against the desired state that you’ve defined, and makes a corrective change if a discrepancy is detected.

Managing compliance with a model-driven, policy-based approach simplifies and scales enforcement of multiple regulations across diverse infrastructure. Say you operate a mixed fleet of Windows 2019 and RHEL 8 servers. Each operating system (and OS version) must conform to a unique set of regulatory controls, which quickly becomes difficult to manage.

With Puppet, you can create node groups based on the operating system and then apply the appropriate set of policy requirements to all machines in a group. When a regulation is updated, you edit only the underlying code, rather than making manual changes to each individual system.

Tying it all together

Defining policy as code streamlines compliance from end to end. It gives you the ability to:

• Build a template for newly provisioned infrastructure with compliance requirements built in.
• Assess compliance status throughout the software delivery lifecycle and easily remediate violations.
• Manage hundreds of requirements across complex, diverse infrastructure.
• Eliminate configuration drift and enforce compliance policy in an automated, scalable way.

When your next audit rolls around, you’ll be well equipped to demonstrate a consistent, reliable process for ensuring compliance across your estate, which instills a lot more confidence than an ad hoc, manual approach. Gone are the fire drills and unforeseen spikes in activity. And best of all, the hundreds of hours you once spent on soul-crushing, manual compliance activities can now be spent on things that add value for your customers and your business.

Simone Van Cleve is a Product Marketing Manager at Puppet.

Learn more

• Get guidance for developing an effective compliance strategy in our webinar with the Center for Internet Security.
• Learn how to increase agility and drive business value by automating compliance management.
• Guardian Life explains how they use Puppet to prove compliance and ease the burden of audit preparation.