Taking Advantage of Configuration Auditing
Recently, I've been studying configuration management in an attempt to better understand its benefits and the role it plays in an IT organization. Over the past few years, I've spoken to many IT folks about this subject. The conversation often turns into a deep explanation of how their particular organization's IT department, and company as a whole, operates. I've found that configuration management closely relates to the core of an organization's operations, including security, operations, and development.
Let's define the terms. Configuration auditing is the process of defining known-good configurations for systems, periodically checking that systems are in the known-good state, and, if required, acting on the results to return a system to its known-good state. Compliance auditing is the very same process; however, the configuration settings are defined by a third-party standard (such as PCI DSS).
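The define, check, and restore loop described above, as an added example that is not from the original post. It assumes an OpenSSH sshd_config without Match blocks as the audited file; the baseline values and the sample text are constructed for illustration and are not taken from PCI DSS or any other standard.

```python
# Added example. BASELINE and SAMPLE are constructed; Match blocks are not handled.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

SAMPLE = """\
# constructed sample, not from a real host
Port 22
PermitRootLogin yes
permitrootlogin no
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 6
"""

def parse(text):
    """Return {lowercased keyword: value}; sshd keeps the first value per keyword."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen

def audit(text, baseline=BASELINE):
    """Check step: list (keyword, expected, actual) for every drifted setting.
    An unset directive is reported with actual=None, because its effective
    value then depends on the daemon default rather than on the baseline."""
    actual = parse(text)
    return sorted((k, want, actual.get(k.lower())) for k, want in baseline.items()
                  if (actual.get(k.lower()) or "").lower() != want)

def remediate(text, baseline=BASELINE):
    """Restore step: drop every line that sets a baseline keyword, then put the
    baseline first so it wins under first-match parsing. Other lines are kept."""
    managed = {k.lower() for k in baseline}
    kept = [l for l in text.splitlines()
            if not (l.split() and l.split()[0].lower() in managed)]
    return "\n".join([f"{k} {v}" for k, v in sorted(baseline.items())] + kept) + "\n"

if __name__ == "__main__":
    for keyword, want, got in audit(SAMPLE):
        print(f"DRIFT {keyword}: expected {want!r}, found {got!r}")
    print("after remediation:", audit(remediate(SAMPLE)) or "known-good")
```

The duplicate `permitrootlogin no` line in the sample does not hide the drift, because the audit applies the same first-value-wins rule the daemon does.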
In order to take advantage of configuration/compliance auditing, several policies, procedures, and even cultural factors come into play. To give our readers a better understanding of these different elements, I reached out to Gene Kim.
Gene has done extensive research to understand what separates "good" IT organizations from "great" ones. His book, "Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps," goes in depth on how to address the people side of IT, including how to align security, operations, and development. Configuration auditing plays a huge role in this process. Find out more about Gene's book "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win," coming out on January 15, and read his latest whitepaper, "The Top 11 Things You Need To Know About DevOps," to get more information on this topic.
"Trust but Verify"
I recently sat down with Gene and discussed good-to-great IT organizations, configuration auditing, and tips for successful security and operations processes.
I asked Gene what needs to be in place at the foundation of your IT organization to enable you to take advantage of configuration auditing. We agreed the major point is to embed security into the organization's daily operations. This has the added benefit of increasing your resources: rather than fighting systems administrators, you make security part of the operations process.
Gene also underscored the importance of change control, defining configuration before you start the rollout or coding process. The code and environments are built at the same time, including development, QA, and production. This greatly reduces the situation where a configuration change is needed to improve security, but is impeded by developers who built code that won't work with the proposed change. Gene continued by saying, "People that continually make changes resulting in adverse effects are put into a role where they can no longer make changes." I believe there are many in security hearing that statement, nodding their heads in agreement, and likely already identifying similar situations in their own environment where configuration change should be restricted.
I also asked Gene to comment on the effectiveness of configuration management, as some lose sight of how it can contribute to preventing attacks. In response, Gene commented, "Configuration is the ultimate preventative control. Complexity is the enemy of security, and uniform configuration, even with security problems, is an easier problem to fix."
I wanted to highlight the importance of routers, switches, and virtualization, and how to make sure they're included in your processes. Gene suggested that you develop a repeatable way to deploy all systems such that you end up with something in production that you can trust, so that "tribal knowledge" exists for the device. In the end you have to be confident that all systems deployed are in a known-trusted, risk-reduced state. From deploying firewalls to software, development, operations, and security share a uniform process.
Conclusion and Listen to the Podcast
In summary, Gene highlighted the following ways for IT organizations to take advantage of configuration auditing:
- Embed security into your organization's daily operations
- Define configurations before the rollout or coding process to reduce future configuration changes
- Develop a repeatable way to deploy all systems so development, operations, and security share a uniform process
Listen to the audio version of my interview with Gene Kim here: Tenable Network Security Podcast: Special Edition - Gene Kim (mp3)