Configuration Assurance – Naming the Elephant
It started with a dilemma. A Chief Information Security Officer (CISO) had time and again discovered problems such as:
- Mobile device patches months behind the agreed-upon schedule
- Configuration settings not added to updated system images
- Network device settings not maintained with changes to topology
They had discussed the problem with the Chief Information Officer (CIO), who agreed it was time for a higher standard and better measurement.
Both executives also knew that, without attention, the problem would only grow, since their company was planning to move more enterprise workloads to the cloud. The shared responsibility of security in the cloud, especially the aspects of client ownership of configuration settings, is widely recognized by industry experts and cloud providers as presenting either a big risk or, if done well, a big opportunity.
There was a need for new focus. The compliance and internal audit groups were absorbed by other priorities; they lacked the capacity and, in many cases, the technical skill set to fill the gap.
The security group needed to own the responsibility, to monitor and report the risks as well as drive the requirements. The function also needed a separation of duties from the infrastructure groups to avoid a conflict of interest.
In order to move forward, the CISO was searching for a way to name the elephant. In October 2021 they asked us for input.
We thought about the business case. Research on breaches had for several years shown configuration flaws to be a major pattern contributing to successful attacks. We’ll post a summary of that research as a part 2 to this story.
We coined the term Configuration Assurance.
It immediately resonated with all stakeholders. Once named, it became easy to describe and staff the function.
It is our experience that many more organizations have the same need. Like this client, many feel the gap but are not sure how to shift gears. It is our hope that sharing this story and our solution will also help others to get traction by naming the elephant.