Puppet Adds CIS Benchmark Compliance Service

Puppet this week announced it has added a service that makes it easier to achieve compliance with benchmarks defined by the Center for Internet Security (CIS).

Yasmin Rajabi, global services strategy manager at Puppet, said the CIS Service offering from Puppet extends the ability to manage infrastructure as code into the realm of compliance. Via the service, analysts hired by Puppet will now scan infrastructure on behalf of customers and then generate a report identifying which machines do not meet CIS benchmarks.

The service also provides a list of the controls that pass or fail per node as well as scores intended to help IT teams triage issues, said Rajabi. If any drift from a previous level of compliance is detected, IT teams can then use Puppet tools to return those machines to a previous state, she noted.

The goal is to provide a service that automates what would otherwise be a time-consuming, monotonous task that internal IT teams would normally have to do themselves using scripts they would have to develop, she added.

Rajabi said Puppet decided to focus on CIS benchmarks because they are often considered foundational for any number of compliance mandates. Achieving CIS benchmark compliance is about 60% to 70% of the work that might be required to meet the mandates imposed in various vertical industry segments.

As IT environments become more complex, many IT teams don’t have the time to manually assess their compliance with multiple mandates. However, because of audits, many IT organizations wind up devoting a significant amount of time to compliance assessments. The CIS Service from Puppet offloads that task from IT departments in a way that produces reports that can be shared easily with an auditor, said Rajabi.

It’s not clear to what degree compliance is about to shift left along with cybersecurity. What is certain is that, in the wake of the COVID-19 pandemic, IT teams will be looking to automate every process imaginable simply because there may be no other way to accomplish a task. Many IT organizations have already either frozen headcount or been forced to reduce the size of their existing IT staff. A service that outsources a compliance process to specialists who are better equipped to handle that task might be a timely alternative.

Whatever the motivation, most IT teams have no trouble finding ways to contribute to their organization that add a lot more value than achieving compliance. In fact, because most IT teams tend to give the compliance process short shrift, given other pressing demands on their time, it’s likely mistakes will be made. Specialists who spend all their time on compliance assessments are likely to do a much better job in a fraction of the time. The challenge is making sure the IT staff doesn’t view that service as an existential threat. Of course, if they do, chances are high that the IT team in question has much bigger issues to address than simply making sure the right compliance report is being generated at the right time.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
