People Do What You Inspect, Not What You Expect

Written by

The recent security breach at Equifax and rash of AWS S3 bucket breaches demonstrate the technical and organizational challenges that make configuration and patching hard in large organizations or in the cloud.

In both scenarios, someone in the organization is responsible for updating a script or software that affects the security of the company’s data. While in each case, the work may boil down to the actions of a single individual, there are wider organizational issues that impact the security of systems on a broader scale.

So, how can companies solve these problems related to configuration and patching more effectively? Implementing processes and controls that provide transparency and tracking make problems visible. Once problems are visible, companies can find solutions to fix them.

Applying this thinking to configuration and patching, companies need to understand what software employees are installing on systems, especially those that host or have access to critical data. Some form of inventory and process for updating these systems needs to exist. The term for this type of tracking and control is configuration management.

The problem with old-school methodologies for security and configuration management was that they slowed companies down to the point of not being able to be competitive in the marketplace. Security reviews and a small team of experts allowed to make security-related changes eventually caused so many delays to projects that the pendulum swung the other way. Companies threw off the shackles of process and controls to move towards agile, DevOps and other forms of managing projects and operational tasks to be more like start-ups, throwing new applications up overnight into the cloud.

For companies moving applications to the cloud, a platform like Amazon AWS provides an opportunity for some ‘do-overs’ in the way companies manage security and configurations. Deployment strategies must take competing interests into account and identify potential issues in advance of roll-out. 

But while there are many approaches to automating security and compliance in AWS, what if your company is not running applications on a cloud platform? Although you’ll have to build a lot of the automation and tools yourself that you would find in a cloud platform like AWS, all the principles used in the cloud to automate security can technically be implemented in a non-cloud environment as well. 

Implementing systems and processes for inventory systems and software to know which applications may require patches or are running non-compliant configurations can be achieved in any environment. Automation — implemented by people who understand security – simply helps analyze systems more quickly and prevents human error.

Configuration management on every device in an environment, from phones and IoT devices to printers and networking equipment, may prove to be overwhelming and challenging. Companies should start with the assets that are most valuable and most damaging to the business if stolen or destroyed. 

Network, patching and deployment rules can be most stringent around systems that hold or have access to critical data. Configuration management and deployment systems are an important part of organizational security and companies should invest adequate resources to ensure they have visibility into software and configurations in their environments and can quickly fix security problems when they are identified. 

What’s hot on Infosecurity Magazine?