
Puppet Comply Automates Security Policy

27 Oct 2020 10:37am, by

Puppet has launched Puppet Comply, a new product that assesses, remediates, and enforces compliance policies at scale, alongside professional services that help customers find compliance issues and build the content to fix them. The launch follows other releases from the company over the past year, which have focused on further automation and remediation, and Puppet Chief Technology Officer Abby Kearns sees it as a continuation of that direction.

“What I hear often is that [compliance is] expensive, it’s thought to be a hindrance to progress or innovation, and it’s just a big burden. At the end of the day, if you’re non-compliant, you start taking hits to your momentum, your progress, or even your brand as a company,” said Kearns. “How do we start to really help our customers achieve that compliance with the same level of comfort and support they’ve had where we help them manage their infrastructure and manage their drift? Compliance was a natural progression for us to continue that automation journey with our customers.”

Kearns also noted that many of Puppet’s customers are in transition, moving workloads to the cloud and dealing with an increasingly complex landscape. The first step, then, is for Puppet to focus on the basics, which will consist of the Center for Internet Security (CIS) benchmarks at launch. This, however, is just a starting point, said Puppet product manager Alex Hin.

“When we look at the problem that we’re trying to solve, it starts with the controls themselves that need to be in place on a node, a server, a workstation. When we look at things like FedRAMP and NIST, they all map back to controls as much as they can to a specific way of storing or configuring those servers, so we’re starting with a broad view of compliance in terms of secure configuration. As we grow our product, we will be looking to help our customers achieve those other compliance initiatives like FedRAMP, SOX, HIPAA and all those other ones,” said Hin.

Puppet Enterprise lets users define a desired state configuration, which it puts in place and then continuously enforces. If someone logs onto a server and makes a change that drifts from that desired state, Puppet reverts it on the next run. Puppet Comply takes this basic tenet and extends it to compliance, which Hin points out gives Puppet customers “the ability to do an assessment against a benchmark, so no longer is it about just forcing a specific state.” At the same time, Puppet Comply goes beyond other compliance tools by moving past simply producing a report that an operations team would then have to act on manually.
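To make the assess-then-enforce model concrete, here is a small Puppet manifest, written for this article as an added example and not taken from Puppet Comply or its CIS content, that expresses three CIS-style hardening controls as desired state. It assumes the puppetlabs-stdlib module (which provides `file_line`) is installed, that the OpenSSH service is named `sshd`, and that the host is not meant to route traffic; the file name `cis_baseline.pp` and the sysctl drop-in path are illustrative choices.

```puppet
# Added example, not Puppet's own code. Assumes puppetlabs-stdlib (file_line)
# and an OpenSSH service called 'sshd'.
#
# Assess only (reports drift, changes nothing):
#   puppet apply --noop --detailed-exitcodes cis_baseline.pp
#   exit code 0 = compliant, 2 = at least one resource would be changed
# Remediate and enforce on every run:
#   puppet apply cis_baseline.pp

# Control: /etc/passwd owned by root and not group- or world-writable.
file { '/etc/passwd':
  ensure => file,
  owner  => 'root',
  group  => 'root',
  mode   => '0644',
}

# Control: no direct root login over SSH.
# The match regex covers both an active and a commented-out default line,
# so the setting is rewritten in place instead of being appended twice.
file_line { 'sshd PermitRootLogin':
  path   => '/etc/ssh/sshd_config',
  line   => 'PermitRootLogin no',
  match  => '^#?\s*PermitRootLogin\s',
  notify => Service['sshd'],
}

service { 'sshd':
  ensure => running,
  enable => true,
}

# Control: IPv4 forwarding disabled on hosts that are not routers.
# The drop-in file is managed first so file_line has something to edit.
file { '/etc/sysctl.d/99-cis.conf':
  ensure => file,
  owner  => 'root',
  group  => 'root',
  mode   => '0644',
}

file_line { 'sysctl ip_forward':
  path    => '/etc/sysctl.d/99-cis.conf',
  line    => 'net.ipv4.ip_forward = 0',
  match   => '^net\.ipv4\.ip_forward\s*=',
  require => File['/etc/sysctl.d/99-cis.conf'],
  notify  => Exec['reload sysctl'],
}

exec { 'reload sysctl':
  command     => '/sbin/sysctl --system',
  refreshonly => true,
}
```

Run with `--noop`, the same manifest behaves as an assessment: Puppet compares each resource with the live system and reports what would change without touching it. Run without `--noop`, it remediates, and because the agent re-applies the catalog on every run, a manual edit that re-enables root SSH login or turns forwarding back on is reverted automatically. Note that `file_line` only guarantees the presence of the managed line; a second, conflicting `PermitRootLogin` directive elsewhere in the file would not be removed, which is one reason a benchmark assessment is still worth running alongside enforcement.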

“Traditionally, when we talk about automated compliance assessments, things like CIS and DISA are done by a scanning technology that typically belongs to a security team. A lot of vendors in this space have traditionally focused on just the assessment and the visibility piece, very few would even offer the idea of remediations as part of their software or part of their services, let alone enforcement,” said Hin. “Without Puppet, there really is no way for someone to perform these types of actions at scale. We do it once and we apply it at scale to all of those nodes so we really reduce the amount of effort and time it takes to roll out changes, then make sure that those changes don’t get reverted or accidentally changed to something else.”

While Puppet Comply helps with remediation and enforcement, helping to get rid of the human error factor when trying to assure compliance at scale, meeting regulations can remain tricky, and so the final part of Puppet’s launch is the accompanying professional services. Hin said that they want to help customers succeed, “rather than just giving them a product and then having them go figure it out.”

Looking forward, Hin expects Comply to add the aforementioned benchmarks, such as FedRAMP, DISA, NIST, SOX, and HIPAA, among others.

“We’re looking to not only continue to build out our capabilities as a product but also at things like expanding the breadth of our benchmarks,” said Hin. “We’re starting with CIS, but we’re looking to expand into other areas and other benchmark providers or regulatory bodies that have benchmarks.”
