More money will be spent on cybersecurity in 2016 than ever before. But where will the money be spent? What are CSOs and CTOs most worried about?
According to an InformationWeek survey of CISOs, “managing complexity” and “enforcing security policies” were security professionals’ biggest challenges. And while their cloud worries centered around unauthorized access to customer information, in the last year a new concern climbed by 30%: “Inability to set or enforce security policy in cloud service-provider environment.”
Enterprise security teams are clearly finding it difficult to adapt security policies and compliance models to the cloud. This can be especially difficult in retail and commerce, where dozens or even hundreds of cloud and on-premises resources must be managed and orchestrated. But the most well-established method of both establishing and enforcing security policies in complex environments — recommended by NIST, the federal government, SANS Institute, Gartner, and nearly every major security standard — is a 15+ year old technology practice: configuration management.
Configuration Management: The Tool You Already Use, But Do Not Use Enough
Configuration management is the set of activities focused on “establishing and maintaining the integrity of products and systems” by controlling the processes for building, changing, and monitoring the configurations of systems. In other words, it has the power to tell a system what it should look like, and then maintain that system configuration over time.
The good news is that most IT teams already use configuration management. According to a survey released in February, 42% of enterprises use Puppet and 37% use Chef (many survey respondents likely overlap). Nearly 20% of enterprises plan to adopt Puppet or Chef next year.
The problem is that these practices are often siloed by department; the cloud DevOps team uses configuration management for deployment automation and instance bootstrapping, and the security team uses configuration management to govern complex datacenter systems — a widely-adopted practice that is called Secure Configuration Management by NIST and Gartner.
Enterprises now have an incredible opportunity: Take the highly effective and well-tested methodologies built by traditional systems experts over the last ten years, and apply them in the cloud to enforce security policies across complex multi-cloud deployments. In other words, develop a Secure Configuration Management practice so that you build a cloud that is secure by design, not secure by 3rd party tooling.
What is Secure Configuration Management?
Secure Configuration Management is the set of processes that allows you to implement and maintain secure configurations. Here is what Secure Configuration Management looks like in practice, again adapted from NIST:
- The identification and recording of configurations that impact the security posture of the information system and the organization
- The consideration of security risks in approving the initial or “baseline” configuration
- The analysis of security implications of changes to the information system configuration
- The documentation of the approved/implemented changes.
We go into this process in great detail in our whitepaper, Continuous Compliance on AWS.
This may look complex, but it is actually simple: build a standard “template” for what your security configurations should look like, and then maintain that template rather than creating a hundred custom configurations for each new cloud project. The template gets changed, not individual virtual instances or networks. For security teams, this is revolutionary. Rather than spending months testing and reviewing each new cloud environment, the security team spends time upfront collaborating with systems teams to build a common standard, and then only needs to be involved when that standard changes and at other key points.
There are also huge technology and compliance benefits of this model. Here are just a few:
- You know exactly how every system is configured for security at any point in time
- You reduce the time and cost of deploying future systems; you do not have to rebuild security configurations or get them approved by security teams
- Your CM tool regularly “checks in” to your system to make sure your baseline configurations are maintained, meaning your system never suffers from “configuration drift”
- By centrally managing configuration, you discourage ad hoc work; any change made directly to the instance and not to the script will be overwritten when your CM tool runs anyway
- You simplify patching processes; IT patches can be distributed across every system rapidly and with a complete audit trail of what was patched where
- Auditors love it. You can tell them exactly how your system is configured, critical compliance features like logs and MFA can never be “forgotten”, and every change is centrally documented.
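The drift check, overwrite behaviour and audit trail from the list above, shown as an added example in Python (not code from this article, and not how Puppet or Chef are implemented). The baseline keys, node names and observed values are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed security baseline: the single approved "template".
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "auditd.enabled": True,
    "mfa.required": True,
}

# Constructed observed state of three nodes, as a CM agent might report it.
FLEET = {
    "web-01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
               "auditd.enabled": True, "mfa.required": True, "app.port": 8080},
    "web-02": {"sshd.PermitRootLogin": "yes",  # ad hoc change made on the instance
               "sshd.PasswordAuthentication": "no",
               "auditd.enabled": True, "mfa.required": True},
    "db-01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
              "mfa.required": True},  # audit logging setting was "forgotten"
}

def detect_drift(baseline, observed):
    """Return {setting: (expected, actual)} for each baseline setting that
    differs on the node. A missing setting counts as drift (actual is None)."""
    return {k: (v, observed.get(k))
            for k, v in baseline.items() if observed.get(k) != v}

def converge(baseline, fleet, now=None):
    """One CM run: reset drifted settings to the baseline on every node and
    return an audit trail of what was changed where. Settings outside the
    baseline (e.g. app.port) are left untouched."""
    now = now or datetime.now(timezone.utc).isoformat()
    audit = []
    for node, observed in sorted(fleet.items()):
        drift = detect_drift(baseline, observed)
        for setting, (expected, actual) in sorted(drift.items()):
            observed[setting] = expected  # the ad hoc change is overwritten
            audit.append({"time": now, "node": node, "setting": setting,
                          "found": actual, "enforced": expected})
    return audit

if __name__ == "__main__":
    for entry in converge(BASELINE, FLEET):
        print(entry)
    # A second run finds nothing to change: the fleet matches the baseline.
    print("second run changes:", len(converge(BASELINE, FLEET)))
```

Changing a security setting means editing `BASELINE` once; the next run applies it to every node and records the change in the audit trail.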
Outsource or Insource?
Secure Configuration Management is the method security teams must use to provide appropriate governance without slowing DevOps teams down. The main question is whether or not enterprises will have the time to build standard operating environments (SOEs) and set up these processes as they migrate to the public cloud. It requires training, a team of advanced DevOps engineers and Puppet/Chef experts, and months of work. While internal capabilities develop, outsourcing Secure Configuration Management set-up and maintenance to a 3rd party provider can protect cloud projects.
Retail security leaders are worried about their ability to keep up with the rate of system change in the cloud. Luckily, a technology that most already know and already use can be the answer to these cloud worries. At last, we have found a tool that both DevOps teams and security teams can love.