Change Management

Video Activity
Difficulty
Intermediate
Video Transcription
00:00
>> We just talked about the difference between
00:00
change management and configuration management.
00:00
We're going to talk about some of the subtleties
00:00
of the change management process
00:00
and roles in greater detail.
00:00
In this lesson, we want to talk about
00:00
the importance of change manager in the cloud.
00:00
Go into greater depth of
00:00
change management process and roles,
00:00
and talk about some of the best practices for
00:00
ensuring effective change management.
00:00
As we said that change management is really
00:00
the process of approving and
00:00
testing and confirming any changes
00:00
made to the cloud environment.
00:00
Now, I'll ask a philosophical question.
00:00
What constitutes a change?
00:00
Now, how an organization
00:00
defines a change that needs to be
00:00
subjected to the change manager process
00:00
is highly subjective.
00:00
It may depend on their organization,
00:00
but anything that may change the performance,
00:00
functionality, [LAUGHTER] or security of
00:00
an environment should most definitely be included
00:00
in that process however changes are defined.
00:00
Now, how are changes defined?
00:00
Well, this is where
00:00
the governance process comes into change management.
00:00
Most organizations should really have what's called a
00:00
Change Management Board or Change Control Board.
00:00
It goes by various names.
00:00
These are the people
00:00
who are really accountable for defining
00:00
change management standards and
00:00
approving changes that
00:00
are made to the Cloud environment.
00:00
Within this change management process,
00:00
we have this governance board
00:00
that may approve the changes,
00:00
and this can look very different.
00:00
I've seen change management processes
00:00
where there's a board that actually has
00:00
an actual meeting where
00:00
they review all of the proposed changes,
00:00
and they make a distinction between
00:00
changes that are excluded,
00:00
the typical change process,
00:00
and then emergency changes that need to be
00:00
made immediately to the system
00:00
to preserve functionality availability
00:00
or patch a zero-day security flaw,
00:00
and then they are approved by
00:00
the board retrospectively and documented.
00:00
Then I've also seen processes where
00:00
the Change Management Board is
00:00
done almost completely remotely.
00:00
Through a ticketing system,
00:00
people are on the board and they see
00:00
tickets come into the queue and all they
00:00
need to do is review the change and provide
00:00
a signature or comment to approve that change.
00:00
Then automated workflows can be built so
00:00
that you need a certain number of
00:00
people on the change control board
00:00
to approve a change before
00:00
that ticket enters into the queue to be acted upon.
00:00
We've had our change approved to the review board.
00:00
Now they talk about the process.
00:00
Well, first and foremost,
00:00
you need that baseline of the system,
00:00
which we talked about a little bit
00:00
in the configuration management,
00:00
then you need a system for receiving change requests.
00:00
That could be a ticketing system
00:00
of various kinds typically.
00:00
But you need some way of documenting proposed changes
00:00
so that their impacts can be evaluated and discussed.
00:00
That's really what the Change Control Board is
00:00
considering when it comes to the change.
00:00
Then once the change is
00:00
approved and authorized to be implemented,
00:00
it really should be tested.
00:00
Now the testing of a change may occur
00:00
prior and in the case of various software,
00:00
we always want to test that or patches are
00:00
going to be tested before they are actually applied.
00:00
But some changes [NOISE]
00:00
the testing can happen
00:00
after they're deployed in the environment.
00:00
There are some specifics to this.
00:00
Ultimately the change is deployed in
00:00
the environment where it's meant to occur,
00:00
and then there's the process of confirming and
00:00
testing that the change had the intended effect
00:00
and ultimately documenting that the change took
00:00
place so that in the event that
00:00
adverse activity or degradation functionality occurred,
00:00
you can look at and review their changes to roll back
00:00
any changes in order to try and
00:00
restore the environment to its previous state.
00:00
Another and very important and often
00:00
overlooked aspect of change management is that,
00:00
it's essential to train
00:00
employees on the change management process.
00:00
Then another important thing is that
00:00
the roles within the change
00:00
management process should be different.
00:00
The people on the change management board,
00:00
if the organization provides it,
00:00
should be different from the people testing
00:00
the changes and implementing
00:00
the changes and confirming the changes.
00:00
There never should be an instance
00:00
where someone who submits
00:00
a change request is also the
00:00
implementer of that change.
00:00
There really should be a segregation
00:00
of duties from those who requested
00:00
the change and those who implement
00:00
that change once it's authorized.
00:00
Then you also want to ensure
00:00
that you have proper monitoring over
00:00
your environments to ensure that
00:00
any deviations or changes that should go through
00:00
the change management process are
00:00
detected and that there are
00:00
repercussions when people deviate from
00:00
the change management process and credential compromise,
00:00
the functionality or security of your cloud environments.
00:00
This reflective moment. What is
00:00
your change management process?
00:00
Some organizations have a very defined process
00:00
and it can look different,
00:00
but whatever it is,
00:00
if you're really accountable for
00:00
security in the cloud, in any perspective,
00:00
you should understand how changes are
00:00
authorized and applied to the Cloud environment.
00:00
Then how do you monitor for unauthorized changes?
00:00
It's naive to think that people
00:00
will stick rigidly to the change management process.
00:00
Even if people are trained,
00:00
there may be a gray area in terms of
00:00
what changes people think they can make or not make,
00:00
depending on their role and responsibility.
00:00
It's very important to be able to
00:00
define what unauthorized changes are,
00:00
and monitor the cloud environment.
00:00
In summary, we talked about change management.
00:00
We talked about the change management process,
00:00
we talked about various change manager roles,
00:00
we talked about the security best practices
00:00
such as imposing segregation of duties,
00:00
really defining what changes
00:00
must go through the change management process and
00:00
implementing proper monitoring to catch
00:00
any deviations from the change management process.
00:00
I'll see you in the next lesson.