Config management is a perfect fit for compliance: you model desired compliant state, continually enforce it and have a full audit path of when changes occur and what lead to the drift. But what are the best practises for using config management for compliance, what are the caveats, how do you scan for issues and how can you keep the auditors happy?
If you work with or at a Telco, Financial Institution or a Government entity, you probably already know about compliance and the various acronyms and headaches it can bring.
How can we make this less of a painful process?
Well, if you think about it: compliance is a set of rules that someone has given you to enforce and prove that they're being enforced. What is configuration management? A series of rules for systems that need to be enforced.
So compliance is the perfect use-case for configuration management.
We'll be discussing how you can enforce compliance in your estate with config management, what open-source tooling you to perform scans across your estate and how to save time by leveraging existing work such as http://dev-sec.io.
We'll also be talking about how to sell the benefits of config management for compliance to stakeholders and some real-life examples of how it's worked with customers in the past, and the caveats that come with it.