Configuration Management Considerations
Configuration Management is the key to system security and compliance. One of the primary roles of the configuration management process is to control the hardware and software, users, and the other things that make up the information system. Most importantly, it is to control access to these system resources. There are a number of ways to accomplish this control, and it is important to leverage existing controls when possible. There is no need for a number of controls doing the same thing. In other words, adding controls needs to be a well-thought-out process. One of the principles of managing the system is to reduce its scale and scope. This includes reducing access by users, systems, and devices. It is also reducing the system elements to only what is essential. This reduction in access by devices and users has an additional benefit in reducing the attack surface of the information system.
The attack surface includes all the elements of the system. These include the users, the people, the facilities, and the technologies (the data processing equipment, the system hardware and software, support infrastructure, etc.). For small systems with few users, there is less to control, and monitoring system behavior can be a relatively easier process. The management of systems with hundreds of users requires more resources to manage and control than smaller systems. It is the scale of the system that drives the complexity and cost. This point relates to reducing the system components and the attack surface to only what is essential.
Another consideration is the scope of the system; while scale is focused on the number of devices, the more there are, the bigger the scale, there is also the consideration of scope. Determining scope is the process of establishing what has access to the different capabilities of the system (devices) and the classes of information. Information management systems have a purpose or a function; they are built around manufacturing products, providing services, monitoring and controlling other things, etc. To accomplish their purpose, systems use resources, hardware, software, users, etc.; the number of resources is the scale of the system. The scope is what these resources have access to; it is the information they store, process, or transmit. An example is accounting; in organizations, the accounting department has system resources to collect and spend money, and access to these resources is restricted to a few users. The accounting scope is restricted to banking accounts, billing, check writing, etc., and access is restricted to authorized users and system devices. The scope is the subset of the scale, as the scope is focused on the storage, processing, and transmitting of accounting data. Defining scope allows the organization to define access requirements and establish configuration management controls.
The reality is that there is not much that can be discarded or reduced in system configurations; most companies are pretty lean in regard to IT assets. There is an obvious cost that is easily recognized in adding extra components and users. However, there is a strategy for reducing scale and scope, which is to reduce the capabilities of system devices. The question is, then, what capabilities can be reduced?
An approach to reducing system device capability is to restrict the ability of the device to access and store information. However, all devices need some capability to meet their role or functional requirements. For example, the users in the accounting department have computer desktops and laptops that are used in their accounting roles, and to meet their requirements, they need capabilities. The configuration management challenge is to define the required capabilities for these devices. In other words, configuration management must define how users can accomplish their tasks with minimal access to and storage of information. The point is devices that do not store information are considered out of scope. In many instances, users need only access to information; they do not need to store information on their devices. In most systems, information is no longer stored on the device; information is stored centrally on a local server or, most commonly, in the cloud. A solution can be a Virtual Desktop Infrastructure (VDI).
Here, the goal is to, again, reduce scope. That is, to reduce the capability of devices when possible; as capability is reduced, so is scope. As the scope is reduced, so are the attack surface, vulnerabilities, and risks. The VDI approach allows for a configuration that essentially turns the device into a terminal; as a terminal, there is no storage of information on the device, and the scope of the device is reduced. At the same time, this approach allows for other configurations that will allow for the storage of information. This is a configuration management solution that would result in multiple configurations on the same device. This would allow the device user to match the configuration to the task. In this example, the virtual desktop configuration would prevent accounting data from being stored on the device. At the same time, in another configuration, a “non-virtual desktop” configuration, it would allow for other functions applications to proceed.
.