Security Configuration Management

System Hardening
NIST says SCM is: “The management and control of configurations for an information system with the goal of enabling security and managing risk”
The ability to create, edit and manage IT security hardening policies in a way that fits real-world business processes and continually balances risk and productivity
On Many Short-term Buying Lists
© 451 Group 2013
the #1 priority
2nd most effective
3rd most important
(& 10)
GCHQ’s New Cyber Security Guidance
• GCHQ released new “10 Steps to Cyber Security” in Fall 2012
• Focused on executive and board
• Names Secure Configurations as one of the most critical steps to achieving an objective measure of cybersecurity
“Configuration drift is a natural condition in every data center environment due to the sheer number of ongoing hardware and software changes.” – Continuity Software blog
“In less than a week, all the configuration controls, permissions and entitlements that IT spends time testing are useless.” – ITPCG blog
Monitors and assesses critical configurations in:
• File systems
• Databases like MS-SQL, Oracle, IBM DB2 and Sybase
• Directory services and network devices
• Immediate detection of changes to critical, defense-dependent configurations
• Efficient, change-triggered configuration assessment
• Shorten time of system risk
Demonstrating Compliance:
• Document any waivers
• Document when tests went from failing to passing
• Be alerted when tests go from passing to failing – within minutes or at least hours
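One way to keep the compliance records listed above, as an added example that is not from the original slides or any product: it diffs two assessment runs, alerts on passing-to-failing tests, records failing-to-passing ones and honours documented waivers until they expire. The function name, test ids, waiver fields and dates are all constructed for illustration.

```python
from datetime import datetime, timezone

def compare_runs(previous, current, waivers, now):
    """Diff two assessment runs (test id -> "pass"/"fail") into an audit record."""
    report = {"at": now.isoformat(), "alerts": [], "remediated": [], "waived": [],
              "expired_waivers": [], "still_failing": [], "not_assessed": []}
    for test_id, state in sorted(current.items()):
        before = previous.get(test_id)
        waiver = waivers.get(test_id)
        if state == "fail":
            if waiver and waiver["expires"] > now:
                # Documented exception still in force: record it, do not alert.
                report["waived"].append((test_id, waiver["reason"]))
            elif waiver or before != "fail":
                # Passing -> failing, a new failing test, or a lapsed waiver.
                if waiver:
                    report["expired_waivers"].append(test_id)
                report["alerts"].append(test_id)
            else:
                report["still_failing"].append(test_id)
        elif before == "fail":
            # Failing -> passing: evidence of when remediation took effect.
            report["remediated"].append(test_id)
    # A test that silently drops out of the assessment is itself a finding.
    report["not_assessed"] = sorted(set(previous) - set(current))
    return report

# Constructed sample data (assumed ids and dates, not from the slides).
UTC = timezone.utc
NOW = datetime(2013, 6, 1, tzinfo=UTC)
PREVIOUS = {"ssh-root-login-disabled": "pass", "db-default-accounts-removed": "fail",
            "telnet-service-disabled": "fail", "password-min-length": "fail",
            "guest-account-disabled": "fail", "audit-logging-enabled": "pass",
            "ntp-configured": "pass"}
CURRENT = {"ssh-root-login-disabled": "fail", "db-default-accounts-removed": "pass",
           "telnet-service-disabled": "fail", "password-min-length": "fail",
           "guest-account-disabled": "fail", "audit-logging-enabled": "pass"}
WAIVERS = {
    "telnet-service-disabled": {"reason": "legacy device, replacement scheduled",
                                "expires": datetime(2013, 9, 1, tzinfo=UTC)},
    "password-min-length": {"reason": "vendor appliance limit",
                            "expires": datetime(2013, 5, 1, tzinfo=UTC)},
}

if __name__ == "__main__":
    for key, value in compare_runs(PREVIOUS, CURRENT, WAIVERS, NOW).items():
        print(f"{key}: {value}")
```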
Continually assess and remediate insecure configurations, ensuring always-hardened, always-ready information systems and network