Partner News

Puppet’s journey into Continuous Compliance


During my tenure at Puppet, I’ve learned that almost everything we do is focused on two things: eliminating soul-crushing work, and the never-ending desire to solve really hard customer problems. Couple those with the positive and energetic attitude of the Puppet team, and we’re bound to have a profound impact on our customers. But I really believe we’re onto something here… Puppet’s journey into Continuous Compliance, our newest solution, carries on this theme.

Puppet to the rescue!

Customers have used Puppet for compliance since long before Puppet Comply, even prior to the CIS Compliance service launched earlier this year. That’s because Puppet Enterprise allows our customers to take a model-driven approach to configuration management. With PE, customers can define how a system is supposed to look, so that when it gets deployed, it’s automatically configured to the desired state. If the defined configuration changes, Puppet reverts the system to the desired state, eliminating the problem of configuration drift. That’s awesome.

Naturally, this approach to configuration lends itself very well to compliance. I can define how a compliant system looks based on regulatory frameworks and internal security policy, and have PE enforce it. This keeps me automatically and continuously compliant. While Puppet Enterprise is great at enforcing compliance with a defined policy, it doesn’t help you understand HOW compliant you are. There are still some missing puzzle pieces: What’s my overall level of compliance? Which systems are out of compliance, and what do I need to remediate? That might be okay for some, but it’s not okay for most.

Our customers have asked us to provide visibility into their compliance status because defining the model isn’t enough anymore. Companies have entire programs, teams, and resources dedicated to managing compliance programs, and all of the processes and activities within them. They need to have solid programs, and they need to be able to provide proof of compliance. I once heard a customer refer to this as the burden of proof. It’s serious stuff.

Read more on the Puppet blog.
