Puppet, profile picture
Uploaded byPuppet
196 views

Enforce compliance policy with model-driven automation

This document discusses model-driven automation for enforcing compliance. It begins with an overview of compliance benchmarks and the CIS benchmarks. It then discusses implementing benchmarks, common challenges around configuration drift and lack of visibility, and how to define compliance policy as code. The key points are that automation is essential for compliance at scale; a model-driven approach defines how a system should be configured and uses desired-state enforcement to keep systems compliant; and defining compliance policy as code, managing it with source control, and automating it with CI/CD helps achieve continuous compliance.

Embed presentation

Download to read offline
Enforce Compliance Policy with Model-Driven Automation Alex Hin, Principal Product Manager
Agenda 1. What are compliance benchmarks? 2. Implementing a benchmark in your environment 3. Common Challenges in Compliance Programs 4. Enforcing Compliance with Model-Driven Automation 5. Closing Thoughts
What are compliance benchmarks?
What is compliance? The ability to document adherence to a set of rules governing system operation 4
The Center for Internet Security (CIS) is a community-driven nonprofit
6 CIS Controls Prescriptive, Prioritized, and Simplified Set of Cybersecurity Best Practices • Implementation Group 1 – Every organization starts here – this is the definition of basic cyber hygiene • Implementation Group 2 – Moderate resources and expertise • Implementation Group 3 – Significant resources and expertise
7 CIS Benchmarks Consensus-developed Secure Configuration Guidelines • 100+ CIS Benchmarks • Prescriptive guidance • Covering 25+ vendor product families – Operating Systems, Server Software, Cloud Providers, Network Devices, Desktop Software • Community developed – CIS members, subject matter experts, security community experts, and technology vendors
Foundations for Compliance 8
Implementing benchmarks in your environment
CIS Benchmark Recommendations Example: Microsoft Windows Server 2019 10
11 Implementing the CIS Benchmarks • Manual implementation is time consuming • Automation is essential • Tools to succeed: – Assessment – Remediation/Enforcement
12 Automation and Compliance • Automation and compliance go hand in hand • A model-driven approach allows for the upfront definition of how a system should be configured • Use CIS as your gold standard for compliance • Keep systems automatically and continually compliant by leveraging desired-state enforcement
Common challenges in compliance programs 13
14 Configuration drift Lack of visibility Repetitive manual processes Common Challenges
15 Enforce compliance with model-driven automation Assess early and often Define compliance policy as code Strong Compliance Programs
16 © Copyright 2/17/21 Puppet Inc. | Manual Remediation Interpret Scan Report Monthly Scan Remediate at Scale Compliance Review Scan Staging QA Dev What does continuous compliance look like? Day 2 Day 1 Compliance check Scan conducted by compliance team & emailed to IT Ops. Drift Post-deployment process repeats each month Current process Day 2 Day 1 Scan conducted by IT DevOps Compliance checks happen at each pre-deployment stage. Shift Left! Automatic Enforcement TIME / RESOURCES
17 1 Codify the policy 2 Manage with source control 3 Automate using CI/CD Define compliance policy as code
What is model-driven automation? The ability to automate adherence to a set of rules governing system operation and report on current state 18
19 Automatically eliminate drift Manage compliance drift by relying on automation to take corrective actions Assess against the model Understand compliance status and identify issues Define the model Specify the model using code to create the desired configuration with model-driven automation Enforce compliance 1 3 2
20 Closing Thoughts • The compliance landscape is changing quickly and becoming more challenging. • Infrastructure is increasingly complicated, especially with hybrid environments becoming the norm. • It would be unreasonable to expect success without shifting the way you operate. • There is no way to do this without automation, especially at the scale of most infrastructure. • Use Puppet to get you there!
Thanks!

More Related Content

PDF
Applying Roles and Profiles method to compliance code
byPuppet
 
PDF
Embracing the Rise of SecDevOps
byTom Cappetta
 
PPTX
Deep Visibility: Logging From Distributed Microservices
byAaronLieberman5
 
PPTX
Scania: A DevOps Journey in an Automotive Enterprise  
byPerforce
 
PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
PDF
Henrique Dantas - API fuzzing using Swagger
byDevSecCon
 
PPT
Microsoft Azure DevOps
bytdc-globalcode
 
PDF
Security as Code: DOES15
byEd Bellis
 
Applying Roles and Profiles method to compliance code
byPuppet
 
Embracing the Rise of SecDevOps
byTom Cappetta
 
Deep Visibility: Logging From Distributed Microservices
byAaronLieberman5
 
Scania: A DevOps Journey in an Automotive Enterprise  
byPerforce
 
SecDevOps: The New Black of IT
byCloudPassage
 
Henrique Dantas - API fuzzing using Swagger
byDevSecCon
 
Microsoft Azure DevOps
bytdc-globalcode
 
Security as Code: DOES15
byEd Bellis
 

What's hot

PPT
Microsoft Azure DevOps - The Developers Conference
byLucas Chies
 
PPTX
Continuous Delivery
byVishal Sahasrabuddhe
 
PPTX
Enabing DevOps in an SDN World
byCisco DevNet
 
PPTX
Infrastructure as Code (BBWorld/DevCon13)
byMike McGarr
 
PDF
Migrating .NET Apps to CF, A Strategy for Enterprises
byVMware Tanzu
 
PDF
A Secure DevOps Journey
bySonatype
 
PDF
The DevOps Playbook: How to Start, Scale, and Succeed
byPuppet
 
PDF
Infrastructure as Code Maturity Model v1
byGary Stafford
 
PDF
Kubernetes Administration Certification Cost-Register Now(7262008866)
byNovel Vista
 
PPTX
What's New in Puppet Enterprise 2015.3 (APAC)
byPuppet
 
PPTX
Microsoft DevOps
byVinícius Apolinário
 
PDF
Code-to-Cloud Visibility: An Essential Framework for DevOps Success
byJadeCampbell13
 
PPTX
How Azure DevOps can boost your organization's productivity
byIvan Porta
 
PPTX
Introduction to Puppet Enterprise
byPuppet
 
PDF
Why Serverless?
byRidwan Fadjar
 
PPTX
DevOps in Azure : Puppetize the Cloud
byUtkarsh Pandey
 
PPTX
What's New in Puppet Enterprise 2015.3
byPuppet
 
PDF
RightScale Webinar: Continuous Integration and Delivery in the Cloud - How Ri...
byRightScale
 
PDF
Microsoft and DevOps - Presented by Atidan
byDavid J Rosenthal
 
PDF
Containers at Netflx - An Evolving Story QConSF2015
bySangeeta Narayanan
 
Microsoft Azure DevOps - The Developers Conference
byLucas Chies
 
Continuous Delivery
byVishal Sahasrabuddhe
 
Enabing DevOps in an SDN World
byCisco DevNet
 
Infrastructure as Code (BBWorld/DevCon13)
byMike McGarr
 
Migrating .NET Apps to CF, A Strategy for Enterprises
byVMware Tanzu
 
A Secure DevOps Journey
bySonatype
 
The DevOps Playbook: How to Start, Scale, and Succeed
byPuppet
 
Infrastructure as Code Maturity Model v1
byGary Stafford
 
Kubernetes Administration Certification Cost-Register Now(7262008866)
byNovel Vista
 
What's New in Puppet Enterprise 2015.3 (APAC)
byPuppet
 
Microsoft DevOps
byVinícius Apolinário
 
Code-to-Cloud Visibility: An Essential Framework for DevOps Success
byJadeCampbell13
 
How Azure DevOps can boost your organization's productivity
byIvan Porta
 
Introduction to Puppet Enterprise
byPuppet
 
Why Serverless?
byRidwan Fadjar
 
DevOps in Azure : Puppetize the Cloud
byUtkarsh Pandey
 
What's New in Puppet Enterprise 2015.3
byPuppet
 
RightScale Webinar: Continuous Integration and Delivery in the Cloud - How Ri...
byRightScale
 
Microsoft and DevOps - Presented by Atidan
byDavid J Rosenthal
 
Containers at Netflx - An Evolving Story QConSF2015
bySangeeta Narayanan
 

Similar to Enforce compliance policy with model-driven automation

PDF
Establishing Continuous Compliance with Anchore & Chainguard
byAnchore
 
PPTX
Continuous Compliance and DevSecOps
byPuppet
 
PDF
Keynote: Puppet camp compliance
byPuppet
 
PPTX
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
byEnergySec
 
PPTX
A Guide to Cyber Security Compliance with detail
byBert Blevins
 
PDF
Compliance is Hard: Two Worlds at Odds - ChefConf 2015
byChef
 
PDF
DevOps and Regulatory Compliance—Like Oil and Water or Peanut Butter and Jelly?
byTechWell
 
PPTX
Building a Compliance System for your Business
bySarah Sajedi
 
PDF
Maintaining Continuous Compliance with HCL BigFix
byHCLSoftware
 
PPT
Nerc Standardization & Automation
byjamesholler
 
PPTX
Revealing the State of Network Configuration Management & Automation in the E...
byItential
 
PPTX
From reactive to automated reducing costs through mature security processes i...
byNetIQ
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
byDevSecCon
 
PDF
Ensuring continuous compliance of security and regulatory policies
byHCLSoftware
 
PPTX
[Webinar] Modern Network Compliance: How to Get Proactive with Compliance Val...
byItential
 
PPTX
How to implement security compliance with SanerNow
bySecPod
 
PDF
Quick wins in the NetOps Journey by Vincent Boon, Opengear
byMyNOG
 
PDF
Tackling Compliance When it Becomes Your Biggest Performance Bottleneck.pdf
byCraig Saunders
 
PPTX
5 Steps to an Effective Vulnerability Management Program
byTripwire
 
PPTX
Continuous Compliance Monitoring
byControlCase
 
Establishing Continuous Compliance with Anchore & Chainguard
byAnchore
 
Continuous Compliance and DevSecOps
byPuppet
 
Keynote: Puppet camp compliance
byPuppet
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
byEnergySec
 
A Guide to Cyber Security Compliance with detail
byBert Blevins
 
Compliance is Hard: Two Worlds at Odds - ChefConf 2015
byChef
 
DevOps and Regulatory Compliance—Like Oil and Water or Peanut Butter and Jelly?
byTechWell
 
Building a Compliance System for your Business
bySarah Sajedi
 
Maintaining Continuous Compliance with HCL BigFix
byHCLSoftware
 
Nerc Standardization & Automation
byjamesholler
 
Revealing the State of Network Configuration Management & Automation in the E...
byItential
 
From reactive to automated reducing costs through mature security processes i...
byNetIQ
 
Elizabeth Lawler - Devops, security, and compliance working in unison
byDevSecCon
 
Ensuring continuous compliance of security and regulatory policies
byHCLSoftware
 
[Webinar] Modern Network Compliance: How to Get Proactive with Compliance Val...
byItential
 
How to implement security compliance with SanerNow
bySecPod
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
byMyNOG
 
Tackling Compliance When it Becomes Your Biggest Performance Bottleneck.pdf
byCraig Saunders
 
5 Steps to an Effective Vulnerability Management Program
byTripwire
 
Continuous Compliance Monitoring
byControlCase
 

More from Puppet

PPTX
Puppet Community Day: Planning the Future Together
byPuppet
 
PPTX
The Evolution of Puppet: Key Changes and Modernization Tips
byPuppet
 
PPTX
Can You Help Me Upgrade to Puppet 8? Tips, Tools & Best Practices for Your Up...
byPuppet
 
PPTX
Bolt Dynamic Inventory: Making Puppet Easier
byPuppet
 
PPTX
Customizing Reporting with the Puppet Report Processor
byPuppet
 
PPTX
Puppet at ConfigMgmtCamp 2025 Sponsor Deck
byPuppet
 
PPTX
The State of Puppet in 2025: A Presentation from Developer Relations Lead Dav...
byPuppet
 
PPTX
Let Red be Red and Green be Green: The Automated Workflow Restarter in GitHub...
byPuppet
 
PDF
Puppet camp2021 testing modules and controlrepo
byPuppet
 
PPTX
Puppetcamp r10kyaml
byPuppet
 
PDF
2021 04-15 operational verification (with notes)
byPuppet
 
PPTX
Puppet camp vscode
byPuppet
 
PDF
Modules of the twenties
byPuppet
 
PPTX
KGI compliance as-code approach
byPuppet
 
PPTX
Automating it management with Puppet + ServiceNow
byPuppet
 
PPTX
Puppet: The best way to harden Windows
byPuppet
 
PPTX
Simplified Patch Management with Puppet - Oct. 2020
byPuppet
 
PPTX
Accelerating azure adoption with puppet
byPuppet
 
PDF
Puppet catalog Diff; Raphael Pinson
byPuppet
 
PPTX
ServiceNow and Puppet- better together, Kevin Reeuwijk
byPuppet
 
Puppet Community Day: Planning the Future Together
byPuppet
 
The Evolution of Puppet: Key Changes and Modernization Tips
byPuppet
 
Can You Help Me Upgrade to Puppet 8? Tips, Tools & Best Practices for Your Up...
byPuppet
 
Bolt Dynamic Inventory: Making Puppet Easier
byPuppet
 
Customizing Reporting with the Puppet Report Processor
byPuppet
 
Puppet at ConfigMgmtCamp 2025 Sponsor Deck
byPuppet
 
The State of Puppet in 2025: A Presentation from Developer Relations Lead Dav...
byPuppet
 
Let Red be Red and Green be Green: The Automated Workflow Restarter in GitHub...
byPuppet
 
Puppet camp2021 testing modules and controlrepo
byPuppet
 
Puppetcamp r10kyaml
byPuppet
 
2021 04-15 operational verification (with notes)
byPuppet
 
Puppet camp vscode
byPuppet
 
Modules of the twenties
byPuppet
 
KGI compliance as-code approach
byPuppet
 
Automating it management with Puppet + ServiceNow
byPuppet
 
Puppet: The best way to harden Windows
byPuppet
 
Simplified Patch Management with Puppet - Oct. 2020
byPuppet
 
Accelerating azure adoption with puppet
byPuppet
 
Puppet catalog Diff; Raphael Pinson
byPuppet
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
byPuppet
 

Recently uploaded

PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PPTX
Agentic AI presentation with Python Exercises
byParth Mane
 
PPTX
AI: Beyond Generative AI and LLM | Harrie de Groot (harrie.dev)
byHarrie de Groot
 
PDF
Linux Foundation Certified System Administrator (LFCS) Exam.pdf
byLinuxCert Guru
 
PDF
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
PDF
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
PDF
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PDF
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
PPTX
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
PDF
Linux Professional Institute LPIC-1 Exam.pdf
byLinuxCert Guru
 
PDF
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
PDF
Building Powerful Web Apps to Improve Productivity and Engagement - Esri UK W...
byEsri UK
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PDF
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
Agentic AI presentation with Python Exercises
byParth Mane
 
AI: Beyond Generative AI and LLM | Harrie de Groot (harrie.dev)
byHarrie de Groot
 
Linux Foundation Certified System Administrator (LFCS) Exam.pdf
byLinuxCert Guru
 
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
Linux Professional Institute LPIC-1 Exam.pdf
byLinuxCert Guru
 
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
Building Powerful Web Apps to Improve Productivity and Engagement - Esri UK W...
byEsri UK
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 

Enforce compliance policy with model-driven automation

  • 1.
  • 2.
    Agenda 1. What arecompliance benchmarks? 2. Implementing a benchmark in your environment 3. Common Challenges in Compliance Programs 4. Enforcing Compliance with Model-Driven Automation 5. Closing Thoughts
  • 3.
  • 4.
    What is compliance? Theability to document adherence to a set of rules governing system operation 4
  • 5.
    The Center for InternetSecurity (CIS) is a community-driven nonprofit
  • 6.
    6 CIS Controls Prescriptive, Prioritized,and Simplified Set of Cybersecurity Best Practices • Implementation Group 1 – Every organization starts here – this is the definition of basic cyber hygiene • Implementation Group 2 – Moderate resources and expertise • Implementation Group 3 – Significant resources and expertise
  • 7.
    7 CIS Benchmarks Consensus-developed SecureConfiguration Guidelines • 100+ CIS Benchmarks • Prescriptive guidance • Covering 25+ vendor product families – Operating Systems, Server Software, Cloud Providers, Network Devices, Desktop Software • Community developed – CIS members, subject matter experts, security community experts, and technology vendors
  • 8.
  • 9.
  • 10.
    CIS Benchmark Recommendations Example:Microsoft Windows Server 2019 10
  • 11.
    11 Implementing the CIS Benchmarks •Manual implementation is time consuming • Automation is essential • Tools to succeed: – Assessment – Remediation/Enforcement
  • 12.
    12 Automation and Compliance • Automationand compliance go hand in hand • A model-driven approach allows for the upfront definition of how a system should be configured • Use CIS as your gold standard for compliance • Keep systems automatically and continually compliant by leveraging desired-state enforcement
  • 13.
  • 14.
    14 Configuration drift Lack ofvisibility Repetitive manual processes Common Challenges
  • 15.
    15 Enforce compliance with model-driven automation Assessearly and often Define compliance policy as code Strong Compliance Programs
  • 16.
    16 © Copyright 2/17/21Puppet Inc. | Manual Remediation Interpret Scan Report Monthly Scan Remediate at Scale Compliance Review Scan Staging QA Dev What does continuous compliance look like? Day 2 Day 1 Compliance check Scan conducted by compliance team & emailed to IT Ops. Drift Post-deployment process repeats each month Current process Day 2 Day 1 Scan conducted by IT DevOps Compliance checks happen at each pre-deployment stage. Shift Left! Automatic Enforcement TIME / RESOURCES
  • 17.
    17 1 Codify thepolicy 2 Manage with source control 3 Automate using CI/CD Define compliance policy as code
  • 18.
    What is model-drivenautomation? The ability to automate adherence to a set of rules governing system operation and report on current state 18
  • 19.
    19 Automatically eliminate drift Manage compliancedrift by relying on automation to take corrective actions Assess against the model Understand compliance status and identify issues Define the model Specify the model using code to create the desired configuration with model-driven automation Enforce compliance 1 3 2
  • 20.
    20 Closing Thoughts • Thecompliance landscape is changing quickly and becoming more challenging. • Infrastructure is increasingly complicated, especially with hybrid environments becoming the norm. • It would be unreasonable to expect success without shifting the way you operate. • There is no way to do this without automation, especially at the scale of most infrastructure. • Use Puppet to get you there!
  • 21.