Configuration management ("CM") is a buzzword that gets tossed around quite a lot these days. Defined as the process of identifying, controlling, tracking, and auditing changes made to a baseline, configuration management is a critical part of a strong security program. Change and configuration management within an organization has strong connections to audit requirements in nearly all security frameworks and regulations.
For example, the AICPA SOC 2 requirements for Service Organizations require:
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
Meanwhile, ISO 27001 section 12.1.2 states the following:
Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
Finally, the Center for Internet Security Top 20 Critical Security Control Number 5 states the following:
Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Configuration management relies on the control and release of various product versions. Default configurations for operating systems and applications are often geared toward ease of deployment and ease of use rather than cybersecurity best practices. Today, configuration management is an in-demand discipline with significant impacts related to cybersecurity, especially as organizations move from out-of-the-box default configurations to more secure configurations of applications and hardware.
Today, configuration management means different things to different people. In some applications, it refers to the way network devices are configured. In others, it relates to the version of an application a team is running. Sometimes, people within the industry confuse IT asset management with change and configuration management. Though similar and equally important to the business, they are not the same. IT management solutions track, optimize, and manage assets across the entire asset lifecycle. CM, meanwhile, collects, stores, manages, updates, and analyzes all configuration items.
Although many organizations have immature CM programs, CM is critical to the modern cybersecurity environment and will only increase in importance as the threat landscape continues to evolve.
The Facts About Configuration Management
According to (ISC)², configuration management is “A process of identifying and documenting hardware components and software and the associated settings.” While it can be difficult for people who are not in the cybersecurity world to make sense of this, the goal of configuration management is to ensure you know what changes are made to complex systems and their impact. If something gets changed, does that break something else, or expose a new risk? Having a mature security program that incorporates change and configuration management will identify these issues.
Configuration management seeks to do a few things. First, it makes and documents changes to new technology components, which are then integrated into the overall cybersecurity environment. It also seeks to control changes and test documentation. At the end of the day, CM documents changes to ensure systems work and are not at risk.
Configuration Management and Disaster Recovery
When it comes to modern disaster recovery, configuration management is essential. In the event of a cybersecurity disaster (76% of organizations have experienced an IoT cybersecurity incident, after all), it can be impossible to recover to the most recent configuration if there is no documentation of said configuration.
The same goes for cybersecurity: it’s impossible for teams to know if something is amiss if there’s not a standardized way of configuring, changing, and documenting the digital environment.
Change management runs parallel with configuration management, although the two things are not the same. People confuse them all the time.
While configuration management is the process of identifying and documenting hardware components and software and the associated settings, change management is an underlying function of the larger configuration management process. Change management relates to the associated processes. It seeks to create stability within a system, to prevent uncontrolled or random changes, and to document change processes when you have turnover within the organization. In other words, it allows companies to plan for change, rather than just reacting to it.
Here are some of the functions of modern change management:
- To implement administrative controls that weave themselves into organizational policies
- To create a formal review process for all proposed changes
- To ensure only approved changes are implemented
- To create a periodic re-assessment of the environment to discern the need for upgrades or changes to the foundational configuration
The Change Management Process
Not all change management processes are created equal. Today, a well-structured change management process will include the following:
- Change request submittals
- Risk and impact assessments
- Approve/reject change functions
- Scheduling/user notification/training functions
One of the places change management thrives is in the event of emergency decisions, when changes must be made. Once the change has been implemented, it should be fed back into the change management process, where it will then benefit from the validation and documentation protocols that were already established.
The Future of Configuration Management
It's easy for IT managers, engineers, and other team members to get so bogged down in the details that it’s difficult to step back and answer the essential questions. In the midst of this, many teams struggle to define why a business needs configuration management tools and automation.
As forms of IT automation, configuration and change management both seek to enable easy access to accurate records, safeguard companies against cybersecurity threats, and perform essential functions like reducing outages and breaches and reducing costs. As such, change and configuration management are two of the most critical areas companies should focus on today and are a key component of a sound cybersecurity program.
Apptega provides software to help organizations build, manage, and report on cybersecurity programs. Apptega helps to document and report on a company's cybersecurity plans, including an organization’s change and configuration management, endpoint management, and other components. We’d love to show you more on how we could help.