How and why you should use automation to enforce security compliance
Enterprise IT is a vast network of highly varied, distributed systems. While DevOps and automation continue to ease lifecycle management processes, enterprises are still struggling to automate baseline system hardening. Why, in the age of IT automation, is it so hard to apply security controls?
- Third-party security baselines such as STIG and CIS have many complex controls for each system and application. It requires a high level of expertise and significant time to convert these security controls into quality automation and then to maintain them over time.
- Introducing security baselines to critical applications can be highly disruptive to business processes, so many revert to manual intervention. Automation can be quite brittle and has a potentially large blast radius, so automated baselines must be highly flexible to accommodate different application settings and requirements.
- Automation is only as good as its validation reporting. If your automation doesn’t score correctly when scanned, it causes annoying false positives and creates unnecessary work for the Security and Ops teams, ultimately discouraging adoption.
At MindPoint Group, we’ve confronted these problems first-hand while consulting with a multitude of clients. We’ve used our deep experience in cybersecurity and the best open source tools on the market to develop a library of Ansible automation content capable of solving the last mile problem—how to provision and maintain compliant systems. In fact, developing this automation helped MindPoint Group reduce NASA’s time to compliance by 96%, from 3 hours per system config to 7 minutes.
This content repo — which we’ve lovingly named Lockdown Enterprise — is a SaaS-type offering which provides our customers access to libraries of certified automation code you can easily utilize regardless of what infrastructure tools you’re already invested in.
There are four major reasons why this platform is something you should seriously look into if you’re tasked with enforcing security compliance.
Reason 1: The Cost to Develop Automated Baselines In-House
I can’t pretend to know what it would cost your company to do this, but for comparison, let’s look at what launching this product has cost us.
- It takes one automation expert on the MPG team an average of 6 hours to automate each control, including the validation and remediation steps. Keep in mind that this does not include ongoing maintenance, which is needed as the operating systems and baselines are updated over time.
- REAL WORLD EXAMPLE: The RHEL 7 STIG has 243 controls in its baseline.
1 Resource * 6 Hours/Control * 243 Controls = 1,458 Hours
A Lockdown Enterprise subscription costs $25k per system baseline (e.g., RHEL 8 CIS). The cost difference between building your own and buying a certified service should be a no-brainer.
Reason 2: LE is tested and scored against multiple formats
Lockdown Enterprise is developed to be infrastructure agnostic and certified as such with MPG’s testing framework. This means that the same RHEL 7 STIG Role (for example) is capable of securing bare metal, VMs, and containers, regardless of where they are hosted.
In addition to working well in heterogeneous estates, Lockdown Enterprise content has built-in OpenSCAP scoring so that you can validate that the system was scored accurately. Use something else to scan systems, such as Nessus? We’re as interested as you are in rooting out false positives, and we’ll support you to make that possible.
Reason 3: LE is built to give your organization power, flexibility, and transparency
To interoperate successfully in all environments, MPG made heavy use of tagging, grouping, and Ansible execution strategy in our code. With these features, your team has the capability to modify how the baseline runs without any code modifications. The result is that the Lockdown Enterprise baseline matches your internal policy and requirements.
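The tag-and-variable pattern described above, shown as an added illustration rather than Lockdown Enterprise’s own code: the host group, variable names, tag names, and the two SSH controls are assumptions chosen for the example.

```yaml
# Illustrative playbook (not Lockdown Enterprise code). Variable and tag
# names are hypothetical; the controls are common SSH hardening settings.
- name: Apply an SSH hardening slice, toggled by variables and tags
  hosts: rhel7            # assumed inventory group
  become: true
  vars:
    # Site override: set to false for an application host that still needs
    # root SSH, without editing the tasks themselves.
    sshd_disable_root_login: true
    sshd_ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
  tasks:
    - name: Disallow root login over SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        validate: '/usr/sbin/sshd -t -f %s'   # reject a config sshd cannot parse
      when: sshd_disable_root_login | bool
      notify: restart sshd
      tags: [sshd, remediate]

    - name: Restrict SSH ciphers to the configured list
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?Ciphers'
        line: "Ciphers {{ sshd_ciphers }}"
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
      tags: [sshd, remediate]

    - name: Audit-only check that root login is disabled (changes nothing)
      ansible.builtin.command: grep -E '^PermitRootLogin\s+no' /etc/ssh/sshd_config
      register: root_login_check
      changed_when: false
      failed_when: root_login_check.rc != 0
      when: sshd_disable_root_login | bool
      tags: [sshd, audit]

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Running with `--tags audit` reports without remediating, while `-e sshd_disable_root_login=false` exempts one control for a host group without touching the code.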
Reason 4: Offload Maintenance Responsibilities
Third-party baselines, operating systems, and applications are frequently updated and improved over time. To stay compliant with regulatory requirements, your enterprise needs to respond when changes to a security baseline are released. As part of the Lockdown Enterprise subscription, MPG tracks changes and develops new content as baselines are updated and new versions of software are released, so you never need to worry about a deprecated baseline during an audit.
With a comprehensive library of Ansible automation Roles for full-stack security (and the willingness to create a custom baseline upon request), Lockdown Enterprise makes it easy to adopt new technologies securely.