Security configuration management and resistance to change simplified by automating security configuration management with automation.
From the Ford Mustang and Dodge Challenger to the Cadillac Coupe De Ville, American cars were admired back in the 1970s. They were manufactured as they had always been—cars would come off the manufacturing line and be full of defects that would be fixed in the quality control process. It was the way it had always been. And we were happy.
Then the Japanese came along with their Toyota Production System (TPS) and changed the world. They taught us to optimize efficiency while assembling something defect-free from the get-go. And by doing so, you could save time, labor, and materials while building an equally worthy—and more affordable—vehicle. Since then, Six Sigma, Lean, and TPS have become the philosophies behind everything from manufacturing to corporate efficiencies to software development. What was once the source of skepticism is now the accepted norm.
SteelCloud’s COO Brian Hajost discussed configuration management, compliance and the resistance to changing how things have always been with automation in a recent podcast.
Automating security compliance is today’s iteration of TPS.
Automation has long been present in manufacturing, medicine, food service—pretty much every corner of the industry. But there remains skepticism about it in some corners regarding configuration management and hardening primarily driven by the same thought behind American auto manufacturing in the 70s—manual processes are the way it has always been done.
But that is becoming increasingly hard to justify when new cyberattacks happen every 39 seconds, mandates change frequently, processes need to be repeated every time there’s a software update, and users—along with their vulnerabilities—are more distributed than ever. If an organization is a government entity or interacts with their data on even a cursory scale, they need to comply with security mandates. Security Technical Implementation Guides (STIG) and Center for Internet Security (CIS) benchmarks provide security and configuration checklists government organizations must meet before deploying a system or application. And Cybersecurity Maturity Model Certification (CMMC) requires private organizations to harden many of the same endpoints before doing business with the government.
In short, as time goes on, our nation’s cybersecurity is becoming increasingly precarious, time-intensive, and cumbersome to manage. And while we think of “compliance” as a chore thrust upon us, “security” is a critical issue we can’t get enough. But here’s a little secret: because mandates are proven paths to security, the two are one and the same. And managing security to avoid drift or potential new vulnerabilities is just as critical as establishing security in the first place. By complying with government mandates, you commit to securing systems before they are deployed, each time an update is made, and continually while in use.
It’s a no-brainer that benefits everyone. So now, how do you make it leaner?
An automation solution built from the ground up for security compliance.
Automation is the key to making security compliance a more efficient and affordable process, particularly when hardening government-mandated STIG and CIS controls. Yet, some are still doing the same things the same way while encountering the same recurring problems repeatedly. After all, it’s familiar and how it has always been done. And if configuration management and compliance weren’t so important and so increasingly complex and demanding, that would be fine. But as demands grow, so does the need for an automated helping hand.
SteelCloud’s approach to configuration management is automated—and the most proven automated approach to system hardening of its kind in the Department of Defense. ConfigOS was built from the ground-up specifically to address every phase of DevOps security and in every type of environment, from air gap classified environments to regular on-prem environments to the cloud. It is purpose-built, not just to attain authority to operate (ATO) but to maintain it over time, scanning and remediating endpoints 24/7. More impressively, it can accomplish what it would take qualified engineer’s weeks or months to do in just an hour.
Like TPS, ConfigOS streamlines the process of creating a hardened system, creating efficiencies and benefits along the way to help you:
- Eliminate the need to hire high-priced, hard-to-find specialists. Any competent system administrator—including ones who have never heard of STIGs or CIS before—can become a STIG Ninja in less than two weeks.
- Speed time to deployment, market or use. ConfigOS drastically reduces the time to harden, making new applications and updates more immediately available for use.
- Produce maximum impact with minimal errors. Humans are prone to mistakes. Bots are not. So, while automation not only helps you respond to incidents more rapidly, it does so without time-consuming errors.
- Save time that can be put to better use. How many times have you thought about all the backlogged projects you could complete if only you had the time? With the time automation saves your team, you can now get to those projects.
- Heal the pain points of compliance. Rapid, error-free completion of work relieves the burden, cost, learning curve and stress of complying with complex security mandates.
- Reduce the costs of compliance. ConfigOS usually pays for itself and starts delivering an ROI with the first use. Since our founding in 2003, there hasn’t been one client complaint about cost.
- Boost morale. Ask a STIG specialist, and they’ll tell you it’s soul-crushing, repetitive, tedious work. Everyone is happier with automation.
The time to hesitate on security compliance automation is over.
Configuration and vulnerability management is foundational to securing our nation’s data. With STIG and CIS guidance on how to apply and maintain secure configurations, the process is well informed. And with automation from ConfigOS, a complex and infinitely important process is made manageable.
As more and more is asked of government agencies and their contractors regarding security, letting the machines do what they do best gives humans the breathing space to do what they do best. For more from this podcast, listen in.
Leave a comment