Puppet Inc. today introduced Puppet Comply, a software product that enterprises can use to ensure their cloud and on-premises infrastructure adheres to cybersecurity requirements.

Portland-based Puppet is the maker of one of the market’s most widely used tools for automating infrastructure management. Several of the company’s main rivals including Ansible Inc., Chef Inc. and, most recently, SaltStack Inc. have been acquired by major industry players over the last few years. Today’s launch will give Puppet’s product portfolio a boost as it works to stand out amid the intensified competition.

Puppet Comply can scan a company’s infrastructure to determine if it meets the industry-standard CIS security standards. The standards, developed by the nonprofit Center for Internet Security, are widely used in the enterprise and also underpin multiple data regulations including HIPAA. Puppet is positioning Puppet Comply as a simpler alternative to the manual audits companies have historically used to check their compliance with CIS best practices.

One of the main issues with manual audits is that they’re usually only performed occasionally, which means that if a security issue emerges between two assessments, it may be left unfixed for a while. Puppet Comply automates the process and checks for CIS compliance continuously rather than at specific intervals, which Puppet says makes it possible to catch potential risks faster. It also frees up time for information technology teams in the process. 

Puppet Comply visualizes compliance information in a dashboard that shows which infrastructure components meet security requirements, which don’t and what issues need to be fixed. It also provides high-level statistics describing how well best-practice adherence is enforced overall in a company’s environment.

The product doubles as a kind of deployment automation tool. In addition to finding security issues, IT professionals can use Puppet Comply to ensure that when they provision new infrastructure assets such as virtual machines, those systems are spun up with strong default security settings. 

“The work required to ensure infrastructure compliance in order to pass audits is painstaking and time-consuming, particularly in organizations with large and complex infrastructure,” said Alex Hin, a principal product manager at Puppet. “Puppet Comply ensures ITOps teams have the tools and resources they need to proactively manage compliance without disrupting, or duplicating, the security team’s workflow.”

Multiple organizations are already using Puppet Comply. The company says that one customer, an unnamed “large bank,” managed to improve its compliance score from 50% to 92%. 

Puppet Comply is designed to be used together with Puppet Enterprise, the company’s flagship offering, which enables IT teams to automate infrastructure management by creating scripts that take care of configuration tasks.

Image: Puppet