Automating STIG Compliance and Reporting
March 2021
© Kinney Group, Inc. 2021
Why this Framework was Developed
Identifying a need for a Puppet compliance-as-code standard

• KGI has been developing automation solutions for Federal customers, where STIG-compliant systems are mandated, for many years
• There is no consistent framework for implementing compliance-based Puppet code
• Most customers implement it poorly or lack the knowledge of Puppet best practices needed to do it well
• Ongoing maintenance of compliance code is time-consuming for most customers
• Having a third party develop and maintain compliance remediation content reduces the risk when in-house Puppet expertise moves on
Lessons that shaped the KGI Framework
Standardization of Compliance-Based Puppet Code

• Puppet modules must be well documented
• Centralize code in purpose-built modules that can be implemented quickly
• Enforcement can be toggled on/off at the individual vulnerability level
• Leverage PuppetDB to store supporting compliance data
• Compliance modules must be data-driven so that behavior can be customized without changing code
• The framework must not preclude management of system components unrelated to compliance
Typical Challenges
Challenges we've encountered over the years

• A single module that manages all STIG vulnerabilities can conflict with existing Puppet modules
• Customers don't want to pay for the development of remediation content; they want to pay us to integrate and implement it
• Integrating STIG modules efficiently requires some knowledge and expertise
• Customers struggle to keep compliance modules current after we leave (and revert to manual bad habits)
Additional Benefits/Capabilities

• Automated STIG Checklist Generator using PuppetDB
• Future: Plans and Tasks for PE integration
• Future: Splunk Compliance App using PuppetDB
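An added example (not Kinney Group's framework code) of the data-driven, per-vulnerability toggle principles from the "Lessons" slide, with a hand-off of the enforcement state to PuppetDB of the kind a checklist generator like the one listed above could query. The module name `stig_rhel8`, its parameters, the placeholder finding ids and the external-fact approach are all assumptions; `file_line` and `to_yaml` come from puppetlabs-stdlib.

```puppet
# Hiera data (data/common.yaml) that drives the module. Constructed sample
# values with placeholder finding ids, not real STIG content:
#
# stig_rhel8::vulnerabilities:
#   'V-PLACEHOLDER-001':
#     title: 'login.defs minimum password length'
#     resource: 'file_line'
#     params: { path: '/etc/login.defs', line: 'PASS_MIN_LEN 15', match: '^PASS_MIN_LEN' }
#   'V-PLACEHOLDER-002':
#     enforce: false      # switched off for the nodes that use this data
#     title: 'stop example service'
#     resource: 'service'
#     params: { name: 'example-svc', ensure: 'stopped', enable: false }

# manifests/init.pp
class stig_rhel8 (
  Boolean            $enforce         = true,  # module-wide switch
  Hash[String, Hash] $vulnerabilities = {},    # per-finding data from Hiera
) {
  # A finding is enforced unless it (enforce: false) or the module is switched off.
  $enforced = $vulnerabilities.filter |String $vid, Hash $v| {
    $enforce and (!('enforce' in $v) or $v['enforce'])
  }.keys

  # Remediate each enforced finding with the resource type named in its data.
  # 'params' must carry that type's namevar (path, name, ...); the resource
  # title keeps the finding id visible in reports and PuppetDB events.
  $enforced.each |String $vid| {
    $v = $vulnerabilities[$vid]
    create_resources($v['resource'], { "${vid} ${v['title']}" => $v['params'] })
  }

  # Declared but switched-off findings are reported, not remediated.
  ($vulnerabilities.keys - $enforced).each |String $vid| {
    notice("STIG ${vid}: present in data, enforcement off")
  }

  # Publish the enforcement state as an external fact; Facter reports it on the
  # next run and PuppetDB stores it, where a checklist generator can query it.
  # (to_yaml and file_line come from puppetlabs-stdlib, an assumed dependency.)
  file { '/etc/puppetlabs/facter/facts.d/stig_rhel8.yaml':
    ensure  => file,
    mode    => '0644',
    content => to_yaml({ 'stig_rhel8' => {
      'enforced' => $enforced, 'declared' => $vulnerabilities.keys } }),
  }
}
```

Because the toggle lives in Hiera rather than in the manifest, a customer can disable one finding for a node group without forking or editing the module, which is the maintenance problem the "Typical Challenges" slide describes.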
Practical Implementation Experience

• U.S. Army – INSCOM
• U.S. Air Force – AFRL and STRATCOM
• U.S. Marine Corps – Technical Services Organization
• Indiana Army National Guard – Indiana Intelligence Center
• State of Indiana – Indiana Office of Technology

KGI compliance as-code approach
