Security-Focused Configuration Management

Exploring guidance and best practices for configuration management with security “top of mind”

As an IT service management (ITSM) and cybersecurity practitioner, it is concerning when an ITSM team is not aware of the critical role that change and configuration management play in a strong cybersecurity posture. Similarly, it is concerning when a security team defines policy around configuration management, yet isn’t working with the ITSM team to instrument those policies in the service desk.

The lines of separation between the two teams have clearly become blurred and the walls of separation must come down. Configuration management must be defined based on security best practices and, at the same, time configuration management security policies must include industry best practices instrumented and automated via the ITSM team in the associated tools.


Enter: security-focused configuration management

Specifically, security-focused configuration management (SecCM) is the management and control of secure configurations for a system to enable security and facilitate the management of risk. SecCM builds on the general concepts, processes and activities of configuration management by focusing on the implementation and maintenance of the established security requirements of the organization and systems.

SecCM is focused on providing ITSM and security professionals with guidance and best practices for configuration management with security “top of mind.” This area of security has become so critical that the National Institute of Standards and Technology (NIST) has dedicated an entire publication to this topic. The NIST Special Publication 800-128 (NIST SP 800-128) “Guide for Security-Focused Configuration Management of Information Systems” can be found and downloaded from directly at no charge.

NIST SP 800-128 applies specifically to federal systems but, as we all know, what initially starts with federal mandates often becomes a flow-down requirement for any commercial entity providing goods and/or services to the federal government directly or through contractors.

This document provides configuration management concepts, principles and recommended security controls for information systems and organizations. NIST SP 800-128 assumes that information security is an integral part of an organization’s overall configuration management procedures.

SecCM activities include the identification and recording of configurations that impact the security posture of the system and the organization, and the consideration of security risks in approving the initial configuration. SecCM also includes the analysis of security implications based on changes to the system configuration, and the documentation of the approved and/or implemented changes.

As with other IT best practices, SecCM also suggests having defined roles such as a SecCM program manager, system security officer and authorizing official. The roles and typical responsibilities are documented in the 800-128 publication.


Identifying security controls

The top number of security controls within the publication include:

  • Inventory Authorized & Unauthorized Devices: Be sure you know what’s connected to your network, including anything that is prohibited.
  • Inventory Authorized & Unauthorized Software: It’s important to know what operating systems and applications that are running, especially if anything is prohibited.
  • Secure Configurations for Hardware & Software: “Harden” or “shield” devices on your network to be able to withstand deliberate or accidental misuse.
  • Continuously Assess Vulnerabilities & Remediate: Always be on the lookout for weaknesses in your network’s and applications; eliminate vulnerabilities.
  • Control Use of Administrative Privileges: Institute role-based access, only assigning enough privilege to conduct their assigned and approved tasks.

Exploring the benefits of SecCM

There are many benefits to instituting a security-focused Configuration Management program, including, but not limited to:

  • Reduced risk of outages and security breaches through visibility and tracking of the changes to your systems.
  • Cost reduction by having detailed knowledge of all the elements of your configuration, avoiding wasteful duplication of your technology assets.
  • Improved experience for your customers and internal staff by rapidly detecting and correcting improper configurations that could negatively impact performance.
  • Strict control of your processes by defining and enforcing formal policies and procedures that govern asset identification, status monitoring and auditing.
  • Greater agility and faster problem resolution, enabling you to provide a higher quality of service and reduce software engineering costs.
  • Efficient change management by knowing your baseline configuration and having the visibility to design changes that avoid problems.
  • Quicker restoration of service during an outage as the configuration is documented and the restoration is automated.

A SecCM program is not for every company. But if an organization has IT assets it needs to keep safe from bad actors, aspects of this strategy will provide organizational benefits regardless of the size of the company.

Mike Battistella is the President of Solutions3 LLC, an IT Management Company focusing on cyber security management, network & systems management, IT service management, critical notification management and technical & soft skill training.