Enforce compliance policy with model-driven automation
0 likes196 views
This document discusses model-driven automation for enforcing compliance. It begins with an overview of compliance benchmarks and the CIS benchmarks. It then discusses implementing benchmarks, common challenges around configuration drift and lack of visibility, and how to define compliance policy as code. The key points are that automation is essential for compliance at scale; a model-driven approach defines how a system should be configured and uses desired-state enforcement to keep systems compliant; and defining compliance policy as code, managing it with source control, and automating it with CI/CD helps achieve continuous compliance.
Enforce compliance policy with model-driven automation
- 1. Enforce Compliance Policy with Model-Driven Automation Alex Hin, Principal Product Manager
- 2. Agenda 1. What are compliance benchmarks? 2. Implementing a benchmark in your environment 3. Common Challenges in Compliance Programs 4. Enforcing Compliance with Model-Driven Automation 5. Closing Thoughts
- 4. What is compliance? The ability to document adherence to a set of rules governing system operation 4
- 5. The Center for Internet Security (CIS) is a community-driven nonprofit
- 6. 6 CIS Controls Prescriptive, Prioritized, and Simplified Set of Cybersecurity Best Practices • Implementation Group 1 – Every organization starts here – this is the definition of basic cyber hygiene • Implementation Group 2 – Moderate resources and expertise • Implementation Group 3 – Significant resources and expertise
- 7. 7 CIS Benchmarks Consensus-developed Secure Configuration Guidelines • 100+ CIS Benchmarks • Prescriptive guidance • Covering 25+ vendor product families – Operating Systems, Server Software, Cloud Providers, Network Devices, Desktop Software • Community developed – CIS members, subject matter experts, security community experts, and technology vendors
- 10. CIS Benchmark Recommendations Example: Microsoft Windows Server 2019 10
- 11. 11 Implementing the CIS Benchmarks • Manual implementation is time consuming • Automation is essential • Tools to succeed: – Assessment – Remediation/Enforcement
- 12. 12 Automation and Compliance • Automation and compliance go hand in hand • A model-driven approach allows for the upfront definition of how a system should be configured • Use CIS as your gold standard for compliance • Keep systems automatically and continually compliant by leveraging desired-state enforcement
- 13. Common challenges in compliance programs 13
- 14. 14 Configuration drift Lack of visibility Repetitive manual processes Common Challenges
- 15. 15 Enforce compliance with model-driven automation Assess early and often Define compliance policy as code Strong Compliance Programs
- 16. 16 © Copyright 2/17/21 Puppet Inc. | Manual Remediation Interpret Scan Report Monthly Scan Remediate at Scale Compliance Review Scan Staging QA Dev What does continuous compliance look like? Day 2 Day 1 Compliance check Scan conducted by compliance team & emailed to IT Ops. Drift Post-deployment process repeats each month Current process Day 2 Day 1 Scan conducted by IT DevOps Compliance checks happen at each pre-deployment stage. Shift Left! Automatic Enforcement TIME / RESOURCES
- 17. 17 1 Codify the policy 2 Manage with source control 3 Automate using CI/CD Define compliance policy as code
- 18. What is model-driven automation? The ability to automate adherence to a set of rules governing system operation and report on current state 18
- 19. 19 Automatically eliminate drift Manage compliance drift by relying on automation to take corrective actions Assess against the model Understand compliance status and identify issues Define the model Specify the model using code to create the desired configuration with model-driven automation Enforce compliance 1 3 2
- 20. 20 Closing Thoughts • The compliance landscape is changing quickly and becoming more challenging. • Infrastructure is increasingly complicated, especially with hybrid environments becoming the norm. • It would be unreasonable to expect success without shifting the way you operate. • There is no way to do this without automation, especially at the scale of most infrastructure. • Use Puppet to get you there!
- 21. Thanks!