Maximizing Configuration Management IT Security Benefits with Puppet



Similar documents
Total Protection for Compliance: Unified IT Policy Auditing

Caretower s SIEM Managed Security Services

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

Best Practices for PCI DSS V3.0 Network Security Compliance

IT Security & Compliance. On Time. On Budget. On Demand.

Managing Enterprise Devices and Apps using System Center Configuration Manager

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

Trend Micro Cloud Security for Citrix CloudPlatform

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Endpoint Security for DeltaV Systems

BIG SHIFT TO CLOUD-BASED SECURITY

Trend Micro. Advanced Security Built for the Cloud

Cloud and Data Center Security

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

PCI Compliance for Cloud Applications

Healthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

SAM Benefits Overview SAM SOFTWARE ASSET MANAGEMENT

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

The SIEM Evaluator s Guide

PCI DSS Top 10 Reports March 2011

Log Management Solution for IT Big Data

LOG MANAGEMENT: BEST PRACTICES

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

INTRODUCING isheriff CLOUD SECURITY

Configuration Management System:

The Value of QRadar QFlow and QRadar VFlow for Security Intelligence

10 Reasons Your Existing SIEM Isn t Good Enough

Preemptive security solutions for healthcare

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

Clavister InSight TM. Protecting Values

IBM Security Intrusion Prevention Solutions

The Power of BMC Remedy, the Simplicity of SaaS WHITE PAPER

BSM for IT Governance, Risk and Compliance: NERC CIP

LANDesk Server Manager. Single Console Multi-Vendor Management Solution

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

EARTHLINK BUSINESS. Simplify the Complex

[Insert Company Logo]

THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS

Information Technology Solutions

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

Boosting enterprise security with integrated log management

Closing the Vulnerability Gap of Third- Party Patching

PCI Data Security Standards (DSS)

THE SECURITY OF HOSTED EXCHANGE FOR SMBs

BMC s Security Strategy for ITSM in the SaaS Environment

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

Scalability in Log Management

Attack Intelligence: Why It Matters

Continuous Network Monitoring

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

Click to edit Master title style. How To Choose The Right MSSP

NERC CIP VERSION 5 COMPLIANCE

The RSA Solution for. infrastructure security and compliance. A GRC foundation for VMware. Solution Brief

Department of Management Services. Request for Information

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Simply Sophisticated. Information Security and Compliance

The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation

RSA SIEM and DLP Infrastructure and Information Monitoring in One Solution

PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES

HP Server Automation Standard

security in the cloud White Paper Series

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Payment Card Industry Data Security Standard

How To Manage Security On A Networked Computer System

Strengthen security with intelligent identity and access management

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

eguide: Designing a Continuous Response Architecture 5 Steps For Windows Server 2003 End of Life Success

Client Security Risk Assessment Questionnaire

How To Protect Your Cloud From Attack

Enterprise Security Solutions

How To Buy Nitro Security

Devising a Server Protection Strategy with Trend Micro

External Supplier Control Requirements

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

CDW PARTNER REVIEW GUIDE SOFTWARE LICENSE MANAGEMENT

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Microsoft IT Increases Security and Streamlines Antimalware Management by Using Microsoft Forefront Endpoint. Protection 2010.

Take Back Control in IT. Desktop & Server Management (DSM)

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.

Transcription:

White Paper Maximizing Configuration Management IT Security Benefits with Puppet OVERVIEW No matter what industry your organization is in or whether your role is concerned with managing employee desktops or implementing a virtualized cloud computing server farm, IT security plays a big role in IT planning and budgeting decisions. Despite large investments in technology and employee expertise, IT security remains a persistent headache with organizations across a spectrum of industries falling victim to attacks. Security spending reflects this increasingly costly threat. eweek recently cited Forrester research statistics that showed security spending increasing from 8.2% of overall IT budget in 2007 to 14% in 2010 1. While security encompasses a wide spectrum of technologies and specific organizational requirements, any best practice security plan will incorporate some form of configuration management process and technology. The basis of configuration management concerns itself with establishing and maintaining a known and consistent state of the physical and software elements on any given IT resource. When it comes to IT security, configuration management can play many roles including playing an important part in the following elements of a Information Security architecture: Establishing a Standard Operating Environment (SOE) and meeting IT security standards Reporting on or controlling configuration drift and providing change remediation 1 Supporting audit requirements and forensic analysis Providing configuration knowledge and insight to assist with security patch management This paper will examine the key security benefits of configuration management and will touch on how Puppet can help maximize these benefits. ESTABLISHING A STANDARD OPERATING ENVIRONMENT (SOE) AND MEETING SECURITY STANDARDS One of the first places that configuration management contributes to an organization s overall Information Security architecture and policy adherence is in establishing a Standard Operating Environment (SOE). SOE isn t complicated, it s the term used to describe a standard implementation of an operating system and its associated software 2. A SOE helps infrastructure and IT security teams set consistent, automated and managed IT security standards across their organization. Establishing a manageable number of SOEs across an organization s various platforms provides several key benefits: Provides a key element of a successful vulnerability management program

Reduces the time and cost of deploying and managing an organization s computers and applications Accelerates patch distribution by reducing the variety of computer configurations and automating patch deployment Accelerates IT security incidence response 2 Using configuration management tools like Puppet to support a SOE in an organization is an important element in meeting many security standards. A good example of this is the Payment Card Industry Data Security Standard (PCI DSS) requirement to Maintain a Vulnerability Management Program 3. In Requirement 6 of this Standard, the organization is required to develop and maintain secure systems and applications 4. This requirement covers a wide variety of IT security measures but specifically addresses change control, patch management and vulnerability assessment, all elements that are supported by configuration management processes and the maintenance of an SOE. The PCI DSS requirements document is also not the only standard that calls for establishing a secure environment. Maintaining a known configuration across an organizations computers and defining the processes for handling change on those devices is an IT security best practice and shows up in most IT security guidelines. This is one of the things that Puppet does best. Puppet allows an organization to define a desired state for their computers and quickly deploy that state across thousands of servers and desktop computers. Puppet supports change control by allowing organizations to define and update the desired state of their computers in the form of reusable modules that can predictably maintain and update computing resources. MANAGING AND REPORTING ON CONFIGURATION DRIFT Closely linked to SOEs and change control is the threat of configuration drift. Simply put, configuration drift is the change that occurs to software and hardware configurations that take them out of a supported SOE configuration. With the sheer size of today s data centers and enterprise computing environments, changes are inevitable and occur as a matter of course in running and supporting a computing environment. The danger of configuration drift is that changes can take computers out of a known secure and updated state and undermine other requirements like high availability and disaster recovery. The reason that configuration drift is so prevalent is that most organizations don t recognize that computer configurations have changed until they cause a problem. Organizations looking to establish their configuration management procedures and prevent configuration drift should ensure they meet the following objectives: Establish and ensure a standard baseline configuration This is the starting SOE and should be defined by the requirements of each SOE group. Their configuration should guarantee a homogeneous environment across these systems and should update only under known and approved circumstances. Identify and report on configuration drift An organization should have tools in place that can identify systems that no longer adhere to their intended SOE and report that to the appropriate administrator. Provide a change remediation capability Identified changes in SOE should be able to be reverted back to the approved SOE.

Configuration management automation tools like Puppet play an important role in minimizing the impact of configuration drift and maintaining a known SOE on computing resources. Configuration Drift Cycle 3 Establish Baseline SOE Monitor & Report Changes Change Control PATCHES UPDATES ADDITIONS GAINING CONFIGURATION KNOWLEDGE AND SIMPLIFYING PATCH MANAGEMENT Remediate if necessary One of the more resource intensive aspects of managing IT assets is security patch management. The pace of botnet and malware infection is at an all time high and the requirement to identify and patch vulnerabilities has never been more important. In 2010 McAfee identified over 14 million unique pieces of malware 5. They also indicated that they were seeing over 6,000,000 net botnet infections per month 6. As a result, every major security standard and regulation contains requirements for combating malware through patch management. Often times IT security patches are distributed in response to a time sensitive threat and the resulting fire drill consumes significant IT resources. Many times the source of the headache is simply determining which resources must be patched. The appropriate configuration management tools combined with a known SOE can make this process significantly easier. When it comes to IT security patch distribution, your configuration management software should be able to facilitate the following processes: Establish and monitor SOEs Effective patch management begins with knowing the state of your configuration on your IT assets in real time. SOEs reduce the variety of configurations to be dealt with and configuration management oversight can report on and remediate drift from these baseline configurations. Identify priorities for patch distribution IT security patch distribution then begins by identifying the appropriate SOEs and assets that are impacted by the new patch. IT administrators will immediately know which resources need the update instead of having to query each endpoint. Test patch on SOE Often the real time killer with IT security patching is testing. Because of the reactive nature and rapid distribution of IT security patches, it is essential to test the patch to ensure that it doesn t negatively impact critical hardware or software or open new security vulnerabilities. Without a reduced set of known SOEs this is an

almost impossible task. Known configurations allow IT groups to test on the effected configurations quickly and efficiently to ensure rapid distribution. Distribute patches as part of change control process Once the targets for patching are identified and the patch is tested, the patch can be distributed to the appropriate hosts. As a part of the standard change control process, the SOEs are updated and your configuration management software should immediately reflect the updated configurations. Validate and log successful patch outcome The results of the patching should be immediately available via reports and come with a complete audit trail of the actions taken on an endpoint. This audit trail proves that patching has occurred and is important in satisfying the audit and regulatory requirements for maintaining a vulnerability management process. Patch Distribution Essentials Prioritize Patch Distribution Establish SOEs Test Patch on Appropriate SOEs 4 Validate and Log Successful Patch Outcome Distribute Patch with Change Control Process CONFIGURATION MANAGEMENT COMPLIANCE RELEVANCE As we have mentioned in several of the sections above, configuration management plays an important role in many IT security standards and is called out in individual requirements. It is important to separate claims from unfortunate hype that can often be found around tools satisfying regulatory requirements. There is no single tool that can magically satisfy the requirements of a given regulation. Regulatory standards, by their nature encompass a wide variety of IT security processes and technology. Configuration management solutions like Puppet can be used to satisfy components of IT security regulations. Typically these requirements fall in one of the following categories:

Change control Many regulations specify implementing a change control process. One example of this is the PCI DSS standard. Requirement 6.4 calls for the organization to follow change control processes and procedures for all changes to system components 7. Requirements for change control can also be found in NIST 800-53 requirement CM-3 Configuration Change Control 8 and a variety of other regulations. 5 Auditing requirements Auditing is also required by the vast majority of IT security standards. The specific requirements vary by standard but maintaining a log of IT security patching and changes to an organization s SOE is common across many of them. Configuration management tools like Puppet record changes to endpoint configurations and log the user that made the change. Vulnerability management Vulnerability management and anti-malware readiness are uniformly included in IT security standards. The requirement to defend computers against attack and keep them updated with the latest patches is a cornerstone of IT security regulations. Whether an organization is working to meet PCI DSS, NIST 800-53, Sarbanes-Oxley, HIPAA, GLBA or other IT security standards, configuration management process and tools often play an important role in that process. Puppet has helped numerous customers meet IT security requirements and provide simple audit trails and reports to demonstrate adherence to specific guidelines. PUPPET CONFIGURATION MANAGEMENT When one is looking at the IT security capabilities of a specific configuration management tool, it is often helpful to review its specific IT security relevant features. The Puppet community and team is extremely well versed in IT security issues and Puppet was built to facilitate a scalable, predictable and secure configuration management process. In particular Puppet brings the following features to the table that support a secure computing environment: Scalable architecture Puppet s scalable, model-driven approach allows administrators to configure systems by defining their desired state in the form of reusable modules that can be quickly deployed across thousands of servers. Asset reporting Puppet s visual Dashboard and reporting tools give access to an automatically maintained asset inventory and all the relationships between each component and report every change. Change control Puppet can establish and enforce a Standard Operating Environment (SOE) so administrators know the state of their computing resources at any given time. Any changes to configurations or software are recorded and Puppet can be used to keep an IT resource in its desired state. Encrypted communications Puppet encrypts all communication channels between the management platform and individual endpoints. Controlled configuration information distribution Unlike many configuration management solutions that keep unnecessary configurations on individual nodes, Puppet restricts configuration management information to only the specific configuration used and needed by an individual node.

CONCLUSION Configuration management tools and processes play an important role in supporting a secure enterprise. Whether your goal is to establish a SOE, control configuration drift, manage and audit a change control process, or support vulnerability management and patch distribution, configuration management tools like Puppet are an essential element of the solution. 6 TRY PUPPET ENTERPRISE: The Power of Puppet Packaged for Your Enterprise & Cloud Environments Puppet Enterprise holds all the power of the open source distribution of Puppet plus built-in features that streamline installation and maintenance, and increase stability for the complex and fast-growing enterprise infrastructure. http://info.puppetlabs.com/download-pe2.html 1 Source: eweek Security: Security Spending Priorities for 2011 to Include Firewalls, Blocking Tools, http://www.eweek.com/c/a/security/security-spending-priorities-for-2011-to-include-firewalls-blocking- Tools-650650/, Slide 2 2 Source: Wikipedia Standard Operating Environment, http://en.wikipedia.org/wiki/standard_operating_environment 3 Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, October 2010, p. 37 4 Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, October 2010, p. 38 5 Source: McAfee Threats Report: Third Quarter 2010, p.10 6 IBID p.5 7 Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, October 2010, p. 40 8 Source: NIST Special Publication 800-53 Revision 3 Recommended Security Controls for Federal Information Systems and Organizations, p.f-39 411 NW Park, Suite 500 Portland, OR 97209 (877) 380-6882 www.puppetlabs.com ABOUT PUPPET LABS Puppet Labs develops and commercially supports Puppet, the leading open source platform for enterprise systems management. With millions of nodes under management thousands of companies, including Twitter, Digg, Zynga, Genentech, Match.com, NYU, and Oracle, rely on Puppet to standardize the way their IT staff deploy and manage infrastructure in the enterprise and the cloud. 2011 Puppet Labs All trademarks and registered trademarks are the property of their respective owners.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information