Chef Blogs

Why Configuration Management is Important to Being Compliant and Secure

Shua Matin, Smitha Ravindran | Posted on | Chef Compliance | Chef Infrastructure Management

Enterprise IT infrastructure today is a complex maze of disparate devices, operating systems, containers and virtual machines spread across on-prem, hybrid and multi-cloud environments: a chaotic but thriving and growing ecosystem. 

As the ecosystem expands, the scope for infrastructure misconfigurations to creep in grows in parallel, especially when configurations are managed manually and in an ad hoc way. 

According to Statista, around 15 million data records were exposed worldwide through data breaches in the third quarter of 2022. According to VERIS data, around 35% of observed incidents were caused by error, misuse or misconfiguration. 

In fact, in 2021 the Open Web Application Security Project (OWASP) updated its well-known Top 10 list, with Security Misconfiguration (A05:2021) sitting notoriously in fifth position. 

Undetected misconfigurations leave the door wide open to security risks. Additionally, they leave organizations prone to compliance risks which, in the long run, can invite legal hassles, cause loss of revenue and, most importantly, loss of trust. 

How do you end up with misconfigurations? 

Not surprisingly, organizations are taking active measures to be compliant. However, manual processes hamper effective configuration management. Changes to the environment, new devices added to the ecosystem, or manual changes to a system can all cause undetected configuration drift, which eventually has the potential to turn into compliance or security gaps.  

While delivering solutions faster is paramount to the business, there is always the danger that undetected misconfigurations expose compliance and security weaknesses to nefarious actors.


80% of ransomware attacks can be attributed to configuration errors in software and devices. - Microsoft  


Speed Vs. Security 

With customer expectations being dynamic and immediate, enterprises are compelled to respond to the market quickly. While faster responses to the market are critical, security and compliance checks must be embedded within the development life cycle early on. 

Security teams are under intense pressure to complete security audits quickly at the end of a long and tedious development cycle, which increases the risk of configuration drift and compliance gaps slipping through. In the rush to narrow time to market, compliance and security can end up as an afterthought, which in turn further slows the journey to market.  

Traditional security reviews are inhibited by various factors such as: 

  • Extensive manual intervention 
  • Heavy reliance on scanning tools whose output buries relevant findings under large numbers of unreliable false positives
  • Surfacing security risks so late in the cycle that fixing them is no longer economically viable
  • Limited consolidated visibility into the entire security posture
  • Lack of collaboration

A recent Progress study on the state of DevSecOps found that security threats were the number one technology factor driving the evolution of DevOps (57%), yet only 51% of respondents were familiar with how security fits into DevSecOps.


The Close Coupling of Configuration and Compliance 

Configuration management is a governance mechanism that tracks and controls IT assets and services across an enterprise. Effective configuration management involves: 

  • maintaining an inventory of assets 
  • monitoring and mitigating configuration drift
  • ensuring that all devices are configured in line with the applicable compliance standards 
  • creating timely audit reports  

When done well, organizations benefit by fortifying themselves against compliance issues and security vulnerabilities. However, scaling a manual configuration process to complex environments is challenging. 

Moreover, different industries face different compliance requirements, ranging from NIST and ISO standards, SLSA levels, GDPR, SOX, SOC 2 and PCI DSS to HIPAA and HITECH. Depending on their industry, organizations must choose a comprehensive compliance strategy that can be embedded in their DevOps/DevSecOps process. 

With configuration and compliance being so closely intertwined, organizations increasingly turn to consolidated platforms that can automate the complex configuration and compliance management process, paving the way for accelerated development. 

One such automation technique that uses a common language between compliance, security and DevOps teams is ‘Policy as Code.’ 

Policy as Code – Automation with Code 

Policies are constraints and restrictions created to prevent unauthorized access to resources such as databases, storage, and services. ‘Policy as Code’ is an automation technique that defines and manages security rules, criteria, and conditions through code.  

Human-readable policies in the form of code encourage teams to work together by adopting a common language. The ‘as-code’ approach allows configuration, auditing, and remediation automation in the DevSecOps pipeline in a flexible and easy manner. 

In fact, the Infrastructure as Code methodology used for configuration management can be suitably extended to codify compliance, development, security and application policies, making automation faster and shifting compliance & security left in the delivery pipeline. 


Gartner corroborates this method in a report, “70% of enterprises in regulated verticals would have integrated compliance as code into their DevOps toolchains, reducing risk and improving lead time by at least 15%.” 

What should a configuration and compliance automation platform entail? 

An automation platform that uses code to define policies can enforce compliance and surface security issues early in the DevSecOps workflow. Such a platform should allow users to build and test in the cloud or on-prem.  

It should support policies and content for any ecosystem, environment, or combination of environments.  

It should enable disparate teams to collaborate in a common language, such as human-readable code, and act as an accelerator of development, so that creators can focus on the core problem rather than sweat over being standards-compliant or worrying about the safety and security of the solutions they develop. 

Managing configuration, compliance, and security with one platform 

It is said that the average enterprise uses 20 different tools in its DevOps pipeline, creating a long and messy toolchain. Organizations can either adopt point solutions for each phase of their operations or adopt a consolidated solution like Progress Chef for configuration, compliance and security management.  

Progress Chef Infrastructure Management uses Infrastructure as Code to manage all configurations across the IT fleet. While this automation technique keeps configuration drift at bay, Progress Chef Compliance Management extends the same technique, using Policy as Code to provide automated compliance checks across the entire IT ecosystem.  

Chef Compliance enables IT teams to perform system hardening through continuous audits and remediation, leveraging ready-to-use, certified and curated audit and remediation content to detect and fix security drift in diverse IT fleets. 

It follows a comprehensive linear process of Acquire, Define, Monitor, Remediate and Report.


Chef Compliance helps across all stages of the compliance workflow: 

Acquire trusted content aligned to industry benchmarks for audit and remediation.  

Define compliance baselines and tune them to the organization’s unique needs.  

Monitor continuously and evaluate compliance posture by detecting deviations from the intended state at any point in the software delivery lifecycle. 

Remediate non-compliance with new remediation capabilities that address individual controls in alignment with audit tests. 

Report and create a single pane of glass report for visibility across heterogeneous environments. 

Close the loop and achieve continuous compliance with remediation 

Continuous compliance should span the entire CI/CD process, which means that configuration and compliance checks should happen at every stage of product development, shifting security left in the DevOps lifecycle.  

Compliance management does not stop at detection. Remediation is a natural and much-needed step toward the desired state. Compliance management tools with a built-in remediation capability close the loop between audit and remediation and enable continuous compliance in the enterprise. 

Remediation built on the bedrock of trusted, standards-based content lets compliance risks be resolved faster, leading to faster delivery. Chef Compliance also has the extensibility and flexibility to customize the pre-packaged remediation content to accommodate organization-specific needs through code. 
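To make the Policy as Code idea from the earlier section and the Acquire, Define, Monitor, Remediate, Report loop concrete, here is a small Ruby example written for this article. It is not Chef InSpec or Chef Infra code; in Chef the baseline would be an InSpec profile and the fix a Chef Infra resource. It assumes a constructed sshd_config sample, and the control ids ssh-01 to ssh-04 are made up for the illustration. The baseline is data checked in next to the infrastructure code; the audit reports every deviation, including a setting that is simply absent; the remediation rewrites only the failing keys; and a re-audit proves the loop is closed.

```ruby
# Policy as Code in plain Ruby: a baseline for sshd_config, an audit that
# reports drift, a remediation that rewrites the config, and a re-audit.
# Illustrative example written for this article, not Chef InSpec/Chef Infra code.

require 'json'

# Constructed sample (stands in for /etc/ssh/sshd_config) with two deviations
# from the baseline below: root login is allowed and PasswordAuthentication
# is missing, so sshd falls back to its default.
SAMPLE_SSHD_CONFIG = <<~CONF
  # sshd_config (constructed sample)
  Port 22
  PermitRootLogin yes
  X11Forwarding no
  MaxAuthTries 4
CONF

# Define: the baseline is ordinary data versioned with the infrastructure
# code. Each control mirrors the shape of an InSpec control (id, title,
# impact, expected setting). Control ids are made up for this example.
BASELINE = [
  { id: 'ssh-01', title: 'Root login over SSH must be disabled',     impact: 1.0, key: 'PermitRootLogin',        expected: 'no' },
  { id: 'ssh-02', title: 'Password authentication must be disabled', impact: 0.7, key: 'PasswordAuthentication', expected: 'no' },
  { id: 'ssh-03', title: 'X11 forwarding must be disabled',          impact: 0.3, key: 'X11Forwarding',          expected: 'no' },
  { id: 'ssh-04', title: 'Limit authentication attempts',            impact: 0.5, key: 'MaxAuthTries',           expected: '4'  },
].freeze

# Parse "Keyword value" lines, skipping comments and blanks. sshd honours the
# first occurrence of a keyword, so the first value seen wins.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    settings[key] ||= value
  end
  settings
end

# Monitor: evaluate every control and return the findings. A missing keyword
# counts as a failure too, because the daemon default may be the unsafe one.
def audit(config_text, baseline = BASELINE)
  settings = parse_sshd_config(config_text)
  baseline.map do |ctl|
    actual = settings[ctl[:key]]
    { id: ctl[:id], title: ctl[:title], impact: ctl[:impact],
      expected: ctl[:expected], actual: actual,
      status: actual == ctl[:expected] ? :passed : :failed }
  end
end

# Remediate: set each failed control's keyword to the expected value,
# replacing the line in place when present and appending it when absent.
def remediate(config_text, findings, baseline = BASELINE)
  lines = config_text.lines.map(&:chomp)
  findings.select { |f| f[:status] == :failed }.each do |f|
    ctl = baseline.find { |c| c[:id] == f[:id] }
    fixed = "#{ctl[:key]} #{ctl[:expected]}"
    idx = lines.index { |l| l.strip.start_with?("#{ctl[:key]} ") }
    if idx
      lines[idx] = fixed
    else
      lines << fixed
    end
  end
  lines.join("\n") + "\n"
end

# Report: a compact summary suitable for a dashboard or as audit evidence.
def report(findings)
  failed = findings.select { |f| f[:status] == :failed }
  { total: findings.size, passed: findings.size - failed.size,
    failed: failed.size, failed_controls: failed.map { |f| f[:id] } }
end

if __FILE__ == $PROGRAM_NAME
  before = audit(SAMPLE_SSHD_CONFIG)
  puts JSON.pretty_generate(report(before))      # 2 of 4 controls fail
  fixed = remediate(SAMPLE_SSHD_CONFIG, before)
  puts fixed
  puts JSON.pretty_generate(report(audit(fixed))) # 0 failures after the fix
end
```

The first audit fails ssh-01 and ssh-02, the remediation rewrites exactly those two keywords, and the second audit is clean. In production the rewrite step would be an idempotent configuration-management resource rather than a hand-rolled string edit, so that the fix converges the same way on every run and the re-audit becomes the continuous check the article describes.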

Configuration to Compliance: Insights  

Better configuration management leads to better compliance. Likewise, a consolidated platform that extends from configuration management to compliance management accelerates time to market and keeps enterprises safe and secure. With Progress Chef, teams can move from configuration to compliance using pre-packaged templates, getting a jumpstart on a platform they are already familiar with. 

The combined and consolidated outcome of using Chef for configuration and compliance allows greater flexibility and collaboration in teams, accelerates time to value, reduces security risks and keeps enterprises focused on innovation. 

Read this whitepaper to learn more about how to mitigate risks and maintain compliance across your IT estates.

Get in touch with us to book a demo.