Security policy baseline deployment: why is it so challenging?

By Roy, on May 4th, 2016

A lot has been said about server security baselines, yet a great many heavily regulated organizations still struggle to demonstrate compliance with hardening baseline requirements.

Server security baseline deployment is rife with challenges. Whether organizations use scripts to brute-force their system-level compliance baseline by hand, or rely on the familiar "Gold Disk" image or Group Policy Objects (GPOs), achieving and maintaining baseline compliance remains a largely unsolved, constant challenge even for the most mature IT organizations.


Applying a baseline to a newly deployed server or application is one thing; validating compliance throughout the server and application lifecycle is another, and typically requires a separate set of tools and processes. The main challenge in deploying a baseline is to keep it constantly enforced without affecting server availability or causing downtime.

To add to the challenge, organizations frequently struggle to identify new systems that require baselining as they come online, and then to recognize immediately what must be done on those systems to bring them into compliance and verify it.


Examining the DoD STIG policy case:

Set-up and maintenance of server policy settings is by far the most time- and labor-intensive part of STIG compliance. In practice, vendor applications are rarely designed to operate in STIG-hardened environments. To let these applications run, server policies must be adjusted manually, application by application and server by server. This policy update process results in server downtime, both planned and unplanned. The resources a DoD organization spends on maintaining STIG baseline compliance are estimated to exceed $10,000 annually per server instance.


The DoD case is typical of heavily regulated mid-size and large enterprises. While significant initiatives are under way within organizations to automate the auditing and compliance scanning of server policy, little has been done to automate the actual set-up and deployment of baseline security policies, leaving servers non-compliant and vulnerable.

CalCom CHS for Microsoft SCOM/OMS is a server-hardening solution that addresses the needs of IT operations and security teams. The software-based CHS solution implements a proactive, automated hardening approach that keeps servers constantly hardened, secured and compliant. Its three-step process automates the deployment of security baseline policies in a cost-effective fashion, eliminating server downtime and configuration drift.


Key Challenges Solved

Server hardening is critical for protecting against cyber threats, internal ones included, and for demonstrating compliance with IT regulations. Hardening tasks are costly, repetitive and complicated to manage, for two main reasons:


  • Downtime and testing requirements. With manual hardening methods or the familiar hardening tools, the hardening process may break OS or application functionality and cause server downtime. To prevent this, IT teams spend long hours testing policies in lab environments before deploying them to production servers. While testing is under way, those servers may remain unhardened, leaving the organization vulnerable to attack.
  • Configuration drift. With many privileged users authorized in an enterprise environment, it is difficult to ensure that servers stay hardened. Unauthorized changes by privileged users can reintroduce vulnerabilities, forcing IT teams to repeat the hardening process on a regular basis.
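The lifecycle validation and configuration drift problems described above (validating compliance after deployment, and catching privileged users undoing hardening) come down to one recurring check: compare what a server currently has against what the baseline says it should have, and either alert or put the setting back. The PowerShell script below is an added illustration of that check; it is not CalCom CHS code and not part of the original post. The registry locations it reads are real Windows settings, but the four-item baseline, the item IDs and the script name Test-Baseline.ps1 are constructed for the example, not a complete STIG or CIS baseline.

```powershell
# Added example, not CalCom CHS code: report (and optionally repair) drift of a
# server's registry-backed settings against a small constructed baseline.
# The registry paths are real Windows settings; the set of items and their
# expected values are a sample policy (assumption), not a full STIG/CIS baseline.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # write the expected value back; default is report-only
)

# Constructed sample baseline: four settings that appear in most Windows
# hardening baselines, each with its expected value and registry value type.
$Baseline = @(
    @{ Id = 'SMB1-server-disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Expected = 0; Type = 'DWord' },
    @{ Id = 'LSA-limit-blank-passwords'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LimitBlankPasswordUse'; Expected = 1; Type = 'DWord' },
    @{ Id = 'LSA-no-LM-hash'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Expected = 1; Type = 'DWord' },
    @{ Id = 'UAC-enabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA'; Expected = 1; Type = 'DWord' }
)

function Test-BaselineItem {
    param([hashtable]$Item)
    $actual = $null
    if (Test-Path -LiteralPath $Item.Path) {
        # A missing value is a finding, not an error: swallow the provider error
        $prop = Get-ItemProperty -LiteralPath $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $actual = $prop.($Item.Name) }
    }
    [pscustomobject]@{
        Id        = $Item.Id
        Expected  = $Item.Expected
        Actual    = $actual
        Compliant = ($null -ne $actual) -and ($actual -eq $Item.Expected)
        Item      = $Item
    }
}

function Repair-BaselineItem {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([hashtable]$Item)
    if (-not (Test-Path -LiteralPath $Item.Path)) {
        New-Item -Path $Item.Path -Force | Out-Null
    }
    # ShouldProcess honours -WhatIf, so a fix can be rehearsed before touching production
    if ($PSCmdlet.ShouldProcess("$($Item.Path)\$($Item.Name)", "Set to $($Item.Expected)")) {
        Set-ItemProperty -LiteralPath $Item.Path -Name $Item.Name -Value $Item.Expected -Type $Item.Type
    }
}

$results = foreach ($item in $Baseline) { Test-BaselineItem -Item $item }
$drift   = @($results | Where-Object { -not $_.Compliant })

$results | Format-Table Id, Expected, Actual, Compliant -AutoSize

if ($drift.Count -gt 0) {
    Write-Warning ("{0} of {1} baseline items have drifted" -f $drift.Count, $results.Count)
    if ($Remediate) {
        foreach ($d in $drift) { Repair-BaselineItem -Item $d.Item }
    }
    exit 1   # non-zero exit lets a scheduled task or monitoring agent alert on drift
}
exit 0
```

Run `.\Test-Baseline.ps1` from a scheduled task to get a report and a non-zero exit code whenever a setting has drifted; `.\Test-Baseline.ps1 -Remediate -WhatIf` shows which values would be rewritten, and `-Remediate` (in an elevated session, since HKLM is written) puts them back. Two caveats follow directly from the post: a blind remediation can cause exactly the application breakage and downtime described above, so every item in a real baseline still needs to be tested against the applications on that server class before it is auto-remediated, and registry values cover only part of a baseline; settings managed through Local Security Policy, audit policy or service configuration need equivalent checks (for example via secedit, auditpol or Get-Service) in the same report.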