2. Agenda
1. What are compliance benchmarks?
2. Implementing a benchmark in your environment
3. Common Challenges in Compliance Programs
4. Enforcing Compliance with Model-Driven Automation
5. Closing Thoughts
6. 6
CIS Controls
Prescriptive, Prioritized, and Simplified Set of
Cybersecurity Best Practices
• Implementation Group 1
– Every organization starts here – this is the
definition of basic cyber hygiene
• Implementation Group 2
– Moderate resources and expertise
• Implementation Group 3
– Significant resources and expertise
7. 7
CIS Benchmarks
Consensus-developed Secure Configuration
Guidelines
• 100+ CIS Benchmarks
• Prescriptive guidance
• Covering 25+ vendor product families
– Operating Systems, Server Software, Cloud
Providers, Network Devices, Desktop Software
• Community developed
– CIS members, subject matter experts, security
community experts, and technology vendors
11. 11
Implementing the CIS
Benchmarks
• Manual implementation is time consuming
• Automation is essential
• Tools to succeed:
– Assessment
– Remediation/Enforcement
12. 12
Automation and
Compliance
• Automation and compliance go hand in hand
• A model-driven approach allows for the upfront
definition of how a system should be configured
• Use CIS as your gold standard for compliance
• Keep systems automatically and continually compliant
by leveraging desired-state enforcement
17. 17
1 Codify the policy
2 Manage with source control
3 Automate using CI/CD
Define compliance policy as code
18. What is model-driven automation?
The ability to automate adherence to a set of
rules governing system operation and report
on current state
18
19. 19
Automatically
eliminate drift
Manage compliance drift
by relying on automation
to take corrective actions
Assess against the
model
Understand compliance
status and identify issues
Define the model
Specify the model using
code to create the desired
configuration
with model-driven automation
Enforce compliance
1
3 2
20. 20
Closing Thoughts
• The compliance landscape is changing quickly and
becoming more challenging.
• Infrastructure is increasingly complicated, especially
with hybrid environments becoming the norm.
• It would be unreasonable to expect success without
shifting the way you operate.
• There is no way to do this without automation,
especially at the scale of most infrastructure.
• Use Puppet to get you there!