Puppet: Puppet and Government: Achieving Zero Trust adoption and mission success...

Achieving Zero Trust adoption and mission success at the same time

This blog is the first in a four-part series about how Puppet can help government agencies meet compliance and security requirements.

Government agencies have been working diligently to comply with the 2021 Executive Order on Improving the Nation’s Cybersecurity. The Executive Order (EO) addresses cybersecurity issues by imposing a new series of federal-wide Zero Trust mandates. Agencies were required to submit their plan development and cloud migration path reporting by July and August of 2021, with more deadlines on the horizon. Driving these compliance requirements further are DISA and NIST standards that agencies are also expected to follow.

While government agencies must ensure compliance with the Federal Zero Trust mandates, they must still keep their mission goals on track. How can agencies find and use the right resources to achieve a Zero Trust model without negatively impacting their workforce and budgets?

Network data collection, access, and management for Zero Trust

The Executive Order includes actions that government agencies must take to achieve a Zero Trust model. Agencies are required to:

• Collect, preserve, and share information as it relates to a potential or actual incident
• Adopt a system that only provides the bare minimum access that employees need to perform their jobs
• Identify existing or develop new security standards, tools, and best practices
• Improve detection of cybersecurity vulnerabilities and incidents

Puppet has designed enterprise-grade infrastructure and remediation solutions that can help government agencies address these and other cybersecurity requirements, such as FIPS 140-2.

Collect, preserve, and share information: IT and business managers can easily tap into and automate rich compliance audit reports with Puppet Enterprise. Powerful Puppet report processors can collect and handle a wide variety of data points across the agency environment:

• Metadata about the system and its operating environment
• The status of every resource the system is connected to
• Actions, also called events, taken during the run
• Log messages generated during the run
• Metrics about the run, such as its duration and how many resources were in a given state

Finally, agencies are now required to comply with standard practices on how much incident data must be recorded to network logs and how it can be retained and accessed. The Puppet and Splunk integration make this easy by giving agencies deeper insights with data intake and analysis.

The data in Puppet reports can be accessed in a variety of ways:

• Natively, on the Puppet Enterprise Reports Page
• In PuppetDB, through third-party tools like Puppetboard via the PuppetDB API
• In your agency’s tools or within external processors, through the Puppet Enterprise API

Together, the Puppet and Splunk integration can efficiently analyze and visualize data to make intelligent operational and security decisions.

Limiting system access and using security tools: Puppet Enterprise uses role-based access control (RBAC) to grant individual users the permission to perform specific actions, such as:

• The permission to grant password reset tokens to other users who have forgotten their passwords
• The permission to edit a local user’s metadata
• The permission to deploy Puppet code to specific environments
• The permission to edit class parameters in a node group

Agencies can perform user control tasks in the console or use the Puppet Enterprise RBAC API, which allows agencies to effectively manage user access, roles, tokens, passwords, and LDAP connections.

The Puppet Enterprise RBAC API helps agencies to be more productive, agile, and collaborative while they manage their overall IT infrastructure. With Tasks in Puppet Enterprise, agencies can execute ad hoc actions on a target device to troubleshoot or deploy changes to systems in their infrastructure. Puppet Enterprise Plans allow agencies to combine tasks, scripts, commands, and other plans into complex workflows in order to run complex operations.

Improve detection vulnerabilities and standardize practices: Puppet Enterprise can be employed to discover, filter, prioritize, and remediate vulnerabilities at scale.

As a part of the EO, government agencies need to follow secure cloud adoption practices and guidelines. Puppet Enterprise makes it easier, integrating cloud platforms, operating systems, and networks to address Zero Trust needs across the entire agency environment. Puppet Enterprise is also based on open source technology that can be scaled across hybrid environments for complete infrastructure coverage.

Since the order’s mandates are driven by DISA and NIST standards, government agencies must also stay up to date on these requirements. Puppet automates system configuration to comply with DISA STIGs and NIST 800-53 every 30 minutes.

Automation that keeps the focus on the mission

Driving towards a Zero Trust security model can deplete government resources normally used to help keep mission-centric work on track. While improving Zero Trust compliance, the automation solutions from Puppet Enterprise can also help agencies conserve resources and preserve schedules—ensuring projects, programs, and missions stay the course.

The automation functionality of Puppet Enterprise can help with compliance and:

• Reduce manpower costs associated with compliance audits
• Reduce transformation program costs by automating deployment and management
• Ensure configuration changes don’t wreak havoc on mission-critical systems
• Provide proactive tools to prioritize, remediate, manage, and discover infrastructure security vulnerabilities

With the Zero Trust model, government agency teams can spend more of their strategic energy on the mission and less on making sure that their network and systems remain compliant.

Achieving Zero Trust in a zero footprint way

Puppet can help government agencies address security and compliance requirements and more effectively meet the EO. Puppet Enterprise provides rich, flexible, and diverse data collection capabilities with powerful automation capabilities to streamline workflows and discover and remediate cybersecurity vulnerabilities at scale. It enables agencies to achieve Zero Trust postures while keeping their missions on track.

There are three specific solutions from Puppet that can help federal agencies meet the Zero Trust mandates. We will explore each of these tools and environments in our upcoming blogs.

Next time, we’ll talk about DevSecOps and how incorporating security processes in the development environment and operations systems is critical in complying with Zero Trust. But the most effective way to stay in compliance involves shifting these critical procedures and using automation.

Future blogs will address infrastructure as code. Treating your infrastructure as if it were code has allowed government agencies to adopt critical practices that software developers have been using for years. Now, it is an important tool to achieve a Zero Trust model.

And lastly, we’ll cover hybrid cloud environments. Moving to the cloud provides many benefits for agencies but can still create infrastructure bottlenecks.

Puppet has been accelerating the journey for federal agencies in hybrid environments. Now, it’s a critical step in complying with the Cybersecurity Executive Order.

Melissa Palmer is the Area VP of Public Sector at Puppet.

Learn more

• Watch how a U.S. government agency uses Puppet to meet strict IT security standards.
• Learn more about navigating the "new normal" with self-healing infrastructure automation for government agencies.
• Read the solution brief on Assured Security Compliance for Federal Agencies.
• Learn the true value of continuous compliance.