How the Puppet DevOps Tool Is Used to Improve Security, Compliance

The open-source Puppet configuration management tool is widely used by organizations to enable DevOps processes and workflows. Puppet also plays a  strong in enabling security and compliance as well, according to Deepak Giridharagopal, CTO and Chief Architect of Puppet.

"If you have inputs to a system, you need to manage them over time," Giridharagopal said.

In a video interview with eWEEK, Giridharagopal explained that the fundamental idea behind Puppet is to enable users to check on the state of an entity to see if it matches with how it should look. If the state of the entity doesn't match the expected state, Puppet can be used to adjust the state to match the expected outcome. Tracking and managing configuration over time has benefits both for compliance and security, providing organizations with ability to monitor and repair systems, networks and applications.

The security of Puppet itself has also been validated in multiple ways over time and proven by customers in both the public and private sector over the past decade. Giridharagopal said that Puppet adheres to the principle of least privilege, ensuring a reduced attack surface and minimizing security risks.

Giridharagopal said that Puppet is being used today by organizations to help manage and ensure compliance with different regulatory requirements. He said that what tends to happen is that users will take  requirements and 'puppetize' the specific controls, writing puppet code that defines the required elements. Puppet then replaces the need for a separate scanner, as the Puppet system continuously monitors an environment to make sure that components remains properly configured.

Watch the full video interview with Deepak Giridharagopal, CTO and Chief Architect of Puppet above.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.