Fotolia

Tip

Configuration management processes take down GRC challenges

Configuration management processes speed deployments, but tools that know effective licenses and data storage details aid in another area that businesses are keen to get right.

Some companies adopt configuration management processes for compliance with standards and regulations, rather than for faster deployments -- although no one complains when updates go live sooner.

Configuration management systems enable IT staff to configure, update and patch systems more efficiently and effectively. Configuration management tools' ability to combat an organization's governance, risk management and compliance (GRC) challenges is an oft-overlooked, but significant, benefit.

An organization has a set of policies by which it must abide, determined by its vertical -- such as healthcare or security -- and client base. Compliance is management's responsibility; activities and data have to comply with legal requirements and relevant regulations or standards.

Author's note: Governing policies balance against the organization's risk profile; if the costs of being noncompliant are lower than the costs of meeting compliance, the organization may opt to carry that risk rather than alter its practices.

Configuration management processes to the rescue

An organization's data, information and intellectual property are tied up with technology. Information is created and maintained on storage arrays and read by applications that run on servers accessing the data across networks. When management understands the connections between each of these components, they can much better assess the organization's overall IT estate and subsequently use the insights to address GRC challenges.

For example, a customer relationship management system runs on server platform A using storage system A connected via network A. This relationship is simple to map out and manage with policies. However, analytics system 4 runs on server platform E, connected via network 6, and creates a copy of some of the data on storage system Y -- this relationship is more complex.

Configuration management systems can operate in discovery mode to identify these existing entities -- storage system A to Y, for example -- across an IT platform. Configuration management tools that are purely focused on software or hardware are less adept at addressing GRC through discovery processes. Admins should seek a configuration management tool that finds both types of entities as it will ease the burden of identifying dependencies between systems.

An admin receives a comprehensive map of the hardware across the IT estate -- and what software runs on it -- through this discovery-targeted configuration management process. This enables the admin to determine if there is basic compliance in software licensing and if hardware assets match existing contracts. The discovery information from configuration management tools can also uncover rogue equipment on the platform. Discoveries should show what assets appeared in the IT estate through shadow IT, so that operations admins can bring them under proper control. It can also flag things such as unauthorized Wi-Fi access points and other equipment that could grant malicious network access. Good configuration management processes also catalog user devices: tablets, smartphones, laptops and other computers on the network. Check the configuration of these devices as they touch the network, and grant access only if they meet a set of basic policies. For example, the device must have antivirus software installed or connect via a virtual private network.

A configuration management discovery system that continuously monitors the network can raise an alert when it identifies new equipment at the data center, business or user level.

Asset discovery creates the basic database for an ongoing strategy to combat GRC challenges. A configuration management database (CMDB) holds enough data on all elements of the hardware and software to enable admins to search for patterns and usage -- for example, all applications that haven't been used for a specified period of time or all hardware running at a given utilization rate.

Secure IT platforms rely on anomaly detection from these tools. An application that hasn't been used for a long time is suddenly active. Hardware that normally runs at between 10% and 30% utilization is suddenly running at 80%. What system or user connections could have caused this change, and could these be malicious?

Tools for GRC improvement

Tracking behavior throughout the application stack requires a mix of different types of configuration management tools. Older-style configuration management is more hardware-focused, but still software-capable. Investigate these CMDB-centric systems management tools from vendors such as CA Technologies, BMC Software, ServiceNow and Axios Systems. Also, deploy the more DevOps-focused software configuration management tools for GRC. Companies such as Chef and Puppet and open source tools like Jenkins make application, OS and configuration control a matter of policy. Businesses find that automated configuration setups keep servers in line with agreed-upon operational rules.

Other options exist outside of the traditional configuration management space.

For example, EnterpriseWeb, while not a classic configuration management tool vendor, provides a system that enables faster integration of technical functions across an IT estate. To do this, it carries out a full discovery phase and builds up a metadata model of the dependencies between systems. This model provides a base for GRC work.

Additionally, Edgewise Networks positions its product technology as trusted application networking. It creates a model of a network and identifies the links between different systems. Users can then decide whether a link should be allowed or blocked, laying out direct GRC policies across a distributed network. Edgewise Networks emerged from stealth in July 2017.

Configuration management processes and similar approaches should not just be used to make life easier for IT pros. Prove the tools' wider value in how they eliminate GRC challenges.

Next Steps

Form an information security maturity model

Ignorance is as far from bliss as a corporation can get

Political climate can't soften regulatory focus

Dig Deeper on Systems automation and orchestration