02/23/2024
Secure Critical Infrastructure with Continuous Compliance Standard
AUTHOR:
CHRIS GANACOPLOS, VP of East and Federal for Puppet Perforce IT Operations, Perforce
Background:
Many businesses do not prioritize compliance as a means of growth or place it at the top of their IT budget priorities. With the changing landscape of IT infrastructure in public and hybrid cloud, they should. According to a recent Ponemon Institute report, organizations in the United States with fewer people commit 14.3% of their IT budgets to compliance. IT automation can reduce compliance risk by letting operations teams be proactive about compliance-related work. It aligns with security and vulnerability risk management, letting teams assess, remediate, and enforce, by providing complete, real-time visibility into your IT infrastructure and enforcing security protocols.
We are looking for partners to help create a standard that looks at the components needed to secure critical infrastructure with continuous compliance, establishing the critical role of automation in meeting security requirements. There are many security frameworks to follow, but all should comply with standard requirements to help them automate and reduce compliance risk. This standard will incorporate how to help agencies and industry sustain compliance at scale, more easily prepare for audits, and integrate security and operations to achieve business outcomes.
The Problem:
IT Operations' primary function was to deliver infrastructure to the development teams that build and maintain business applications. Today, IT Operations spends about as much time securing infrastructure as delivering it. Protecting transaction data, securing sensitive patient health records, or demonstrating the accuracy of corporate disclosures to auditors are just a few of the reasons IT Operations spends critical time closing vulnerabilities and meeting regulatory compliance demands.
In addition to meeting regulatory demands, vertical industries are adopting mission-critical security standards. IT teams are tasked with implementing cyber best practices from the Center for Internet Security, adhering to guidelines from the National Institute of Standards and Technology, or meeting industry data and information requirements such as CMMC 2.0, PCI-DSS, FINRA, or HIPAA.
How teams handle compliance-related tasks directly impacts how much time and effort goes into meeting standard requirements. Here are a few questions to consider for secure critical infrastructure.
- What tools are used to ensure data at rest is encrypted using an acceptable method, such as the Advanced Encryption Standard with sufficiently strong keys?
- How are unauthorized changes to system configurations addressed to reduce the risk of configuration drift?
- Do your transport layer security practices ensure systems consistently use the latest, most robust TLS version and cipher configuration for secure communication?
- How is Network Time Protocol (NTP) verified so that it is always configured across all critical systems and their clocks stay synchronized?
- Are password policies and file permissions consistently enforced across all systems and services?
- Are systems consistently updated with the latest security patches and hardened against the latest exploits and vulnerabilities?
- What level of automation is in place to remove unneeded packages, system users, and services?
If someone sees one of these questions in an email from a compliance officer, it most likely means a vulnerability has been revealed. IT teams need to stop what they are doing and scramble to determine which department is using which encryption tool, or which new user was able to set a password that could easily be hacked or compromised.
The biggest question is whether these security functions are being managed reactively or proactively and what policies are in place to ensure the IT Infrastructure remains compliant.
The Solution:
IT operations should rely on automation to deliver continuous compliance, synchronizing policy enforcement by configuring hundreds of security settings across thousands of Windows and Linux servers. Once configured, those settings still need to change frequently as new threats emerge and regulations are updated; that is what creates the need for continuous compliance. It takes more than understanding the needs of the security compliance department. The proper process and technology must be implemented so that everyone in the organization or agency adheres to all the security protocols and adapts to the ever-changing landscape. People, processes, and technology are what make any project, protocol, or culture successful. The same elements are needed to ensure secure critical infrastructure with continuous compliance.
A sound process allows teams to adhere to standards with systematic, prescriptive methods that make them easier to adopt, repeat, and scale. The process is built on infrastructure and compliance as code, so the documentation of the steps and the configurations lives in the code. This policy as code makes preparing for audits and maintaining compliance much more manageable. The right technology stacks minimize risk and accelerate response times for better outcomes. People are more efficient and able to focus on value-driven initiatives. Automating mundane tasks minimizes the risk of errors while accelerating time to value.
The requirements:
Now that we have established the importance of using automation to build secure critical infrastructure with continuous compliance, we must determine the requirements.
The requirements should take a proactive approach to IT automation that remediates vulnerabilities while reducing the organization's exposure to external attacks. Their basis should be the outcome of reducing risk through continuous enforcement of regulatory and security policies, so that the entire infrastructure maintains high compliance standards everywhere.
The automation tool needs to be able to scale without limit. Manual tasks can only scale so far. Configuring fifty servers manually is possible but tedious; manually configuring five hundred or five thousand servers or more is not. A configuration management practice makes security audits far easier to pass. Automating configuration management means the configuration is described once, and those settings are then applied to the entire infrastructure until the approver changes them.
Policy reviews happen frequently because of accelerated growth, new technologies, and new compliance requirements. The automation tool must be able to address ever-expanding regulatory standards. For example, the team may need to make the tech stack compliant with the General Data Protection Regulation for their European customers. Then they get a requirement to implement the California Consumer Privacy Act, with its rules on data deletion and the definition of personal data, and its requirements for unique, secure communications where California residents' information resides on servers. The government has recently required all Controlled Unclassified Information living on servers to follow NIST 800-171 controls and be certified. Many more states and agencies are enforcing new regional privacy laws, so servers and departments must be explicitly configured to meet the emerging regulations. Some business units may need to adhere to different policies, which could lead to the need for additional tools. The best requirement is a tool that continuously enforces security and policy across the entire infrastructure and scales in hybrid environments.
The requirement standard should involve defining the infrastructure and policies as code. Infrastructure as code removes the burden of compliance from the individual teams otherwise required to maintain security and compliance settings in each deployment environment. Another requirement is to quickly find servers that are not configured as required, or that have been changed without proper authorization by an individual deployment. There must also be a requirement to identify configuration changes that do not adhere to established policies. If a manual change is made on an individual system, the automated configuration manager should be able to make corrective changes and produce a report immediately. The key to keeping all deployments compliant is to continuously monitor, enforce, and remediate using automation.
Automation of compliance also makes it much easier to prepare for audits. Manually verifying that each virtual machine, container, or server is compliant could take weeks or months. Auditors often look at whether employees are creating workarounds to bypass security procedures. Automation can be used to make sure standards are being enforced while preventing workarounds or shadow IT. Automation with compliance as code reduces the risk of such activities in secure infrastructure, and the results can be quickly reported to auditors. These automated reports make audits quicker, with better results. They demonstrate compliance by showing auditors the infrastructure and how the systems are configured to meet all the security requirements.
Another requirement is the workflow relationship between DevOps and Security, so that when Security identifies a compliance issue, resolving it does not delay work or cause friction between the two teams. A requirement for compliance as code builds policy into system configurations. A common compliance language that IT Operations and Security can speak together aligns the two much better. IT automation creates a seamless flow of data that allows for remediation before employees know it is needed. Automated system configurations allow IT and Security to rest easy, knowing that automation keeps them compliant. Reducing compliance risk frees IT to focus on strategic initiatives that accelerate growth.
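As an added example (not part of the original post or of any Puppet product), the following Python sketches the monitor, enforce, remediate and report loop described above: a desired state written once as code, a drift check against each host, in-place correction, and an audit-report line for every change. The policy values, hostnames and service names are constructed for the example.

```python
"""Policy-as-code drift detection and remediation loop (illustrative)."""
from dataclasses import dataclass, field

# Desired state, written once as code; every in-scope host is held to it.
# Keys mirror the checklist earlier in the post; values are constructed.
POLICY = {
    "tls_min_version": "1.2",
    "ntp_servers": ("time.example.internal",),
    "password_max_days": 90,
    "disk_encryption": "aes-256-xts",
}
# Legacy services that must not be running on any host (constructed set).
FORBIDDEN_SERVICES = {"telnet", "rsh"}

@dataclass
class Host:
    name: str
    settings: dict
    services: set = field(default_factory=set)

def detect_drift(host):
    """Return (item, expected, actual) for every departure from POLICY."""
    findings = [(k, v, host.settings.get(k)) for k, v in POLICY.items()
                if host.settings.get(k) != v]
    for svc in sorted(host.services & FORBIDDEN_SERVICES):
        findings.append((f"service:{svc}", "absent", "running"))
    return findings

def remediate(host):
    """Correct the host in place; return one audit-report line per change."""
    report = []
    for item, expected, actual in detect_drift(host):
        if item.startswith("service:"):
            host.services.discard(item.split(":", 1)[1])
        else:
            host.settings[item] = expected
        report.append(f"{host.name}: {item} {actual!r} -> {expected!r}")
    return report

def compliance_summary(fleet):
    """Open findings per host; zero everywhere means the fleet is compliant."""
    return {h.name: len(detect_drift(h)) for h in fleet}

# Constructed fleet: web01 drifted after a manual change, db01 is compliant.
FLEET = [
    Host("web01", {"tls_min_version": "1.0", "password_max_days": 365,
                   "ntp_servers": ("time.example.internal",),
                   "disk_encryption": "aes-256-xts"}, {"telnet", "sshd"}),
    Host("db01", dict(POLICY), {"sshd"}),
]

if __name__ == "__main__":
    print(compliance_summary(FLEET))              # {'web01': 3, 'db01': 0}
    for host in FLEET:
        print("\n".join(remediate(host)))
    print(compliance_summary(FLEET))              # {'web01': 0, 'db01': 0}
```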
Conclusion:
IT Operations and Security Compliance need to work together to standardize policies that ensure secure critical infrastructure. To reduce risk, the two need to leverage configuration automation tools that are easy to implement and compliant with standards. We would love to have you collaborate with us on the requirements and metrics you think should be included in a secure critical infrastructure standard. If you want to get involved in our mission to help standardize and secure critical infrastructure, don't hesitate to contact us or CISQ.
Posted at 8:06 pm in Compliance Standard, WEB/TECH