Change and Configuration Management

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> Change and configuration management
00:00
in cloud environments.
00:00
In this lesson we're going to talk
00:00
about the importance of
00:00
configuration management in the cloud.
00:00
We're going to talk about the importance of
00:00
change management.
00:00
What is it? How is it defined?
00:00
What is the change management process?
00:00
Then we also want to talk about how can you
00:00
handle deviations
00:00
to configuration management in the cloud?
00:00
At a fundamental level,
00:00
change management and configuration management are
00:00
interrelated but separate things
00:00
within the cloud environment.
00:00
Configuration management is really
00:00
the approach to setting
00:00
the baseline settings for
00:00
systems and software in the cloud.
00:00
It's essential, as we've talked about
00:00
in virtually every lesson,
00:00
to set secure baselines for the version of software,
00:00
making sure that no unused services
00:00
there and locking down access control.
00:00
But that's why configuration
00:00
is so important and especially in cloud
00:00
where you're going to be provisioning and
00:00
breaking down servers potentially
00:00
depending on the business case,
00:00
often you want to have clear defined images and
00:00
baseline configurations for any new servers
00:00
that are spawned up to ensure that they
00:00
meet your organization's business
00:00
needs and security requirements.
00:00
Change management is really the process for making
00:00
updates or changes within the cloud environment.
00:00
You really want to ensure that any change that occurs
00:00
is reviewed and approved before
00:00
it is actually implemented and tested,
00:00
before it's implemented in a cloud environment.
00:00
You can see how configuration management really sets
00:00
the tone that's enforced by policies
00:00
or regulations and standards for
00:00
how systems and software are meant
00:00
to function in the cloud environment.
00:00
Change management is the complimentary process for
00:00
reviewing and making alterations to that configuration,
00:00
whether it's the individual components or adding
00:00
new systems or adding code to production environments.
00:00
Change management is how you
00:00
manage and evaluate those changes.
00:00
Now, like any perfect system,
00:00
they're going to be issues.
00:00
Exceptions. Now, why would you have
00:00
an exception to your configuration management standards?
00:00
I don't think there really should be
00:00
exceptions when it comes to change management.
00:00
We'll go into that a little bit more when we can talk in
00:00
greater detail about the change management process
00:00
and associated roles.
00:00
But there will be exceptions
00:00
when it comes to configuration management.
00:00
There may be instances where
00:00
users, projects or functions,
00:00
need to use a system or a version of
00:00
software that deviates from
00:00
the configuration baseline best practices.
00:00
One of the best ways to
00:00
handle these exceptions when they come up,
00:00
you're not going to have a lot of friends in
00:00
security if you just
00:00
deny any exceptions on the base of security.
00:00
Now if the risk is too high,
00:00
there may be an argument for that.
00:00
However, the reality is that they're going to be
00:00
instances where deviations may need to
00:00
occur to ensure a software performance.
00:00
The best way to handle it is first and foremost,
00:00
document and make sure you have a record and
00:00
way of managing exception and
00:00
deviations from the configuration baseline.
00:00
You should also be testing to detect any deviations.
00:00
If any are discovered and that those deviations get
00:00
documented and you are aware of any deviations
00:00
>> that could pose potential security risks.
00:00
>> Now, in order to reduce
00:00
the residual risk of these deviations,
00:00
you want to think about how you
00:00
can implement compensating controls.
00:00
Well, there's a better way where we could lock
00:00
down this environment could we implement sandboxing?
00:00
Could we isolate the process that needs to use
00:00
a version of a software or
00:00
configuration that deviates from the baseline?
00:00
You always want to think about how compensating
00:00
controls can be implemented within the cloud
00:00
with regards to exceptions to reduce
00:00
the residual risk to
00:00
an acceptable level for the business.
00:00
That's really your job as a
00:00
security professional when it comes to
00:00
exception management. Let's reflect a moment.
00:00
How is configuration management
00:00
done at your organization?
00:00
Organizations do configuration management
00:00
in very different ways,
00:00
but the cloud makes the orchestration
00:00
and implementation of
00:00
configuration management very easy to do and automate.
00:00
It makes checking the configuration of
00:00
any new servers that are created easy to do.
00:00
The difficult part is discipline within your
00:00
organization to define your configuration standards,
00:00
define those hardening standards,
00:00
and make sure that you are proactively monitoring
00:00
those standards for deviations
00:00
within your cloud environments.
00:00
That takes us to our next question,
00:00
what is the process for handling
00:00
configuration deviations?
00:00
Many organizations may not
00:00
be advanced enough to
00:00
be capturing every deviation from their configuration,
00:00
but that's one of the benefits of
00:00
the cloud that there are many tools that are built
00:00
into various cloud platforms to scan
00:00
the environment for
00:00
various deviations from configuration.
00:00
There really isn't much of
00:00
an excuse for losing control or not being
00:00
aware of differences in
00:00
configuration standards if your
00:00
cloud environment's properly configured.
00:00
In summary, we talked about
00:00
what configuration management is,
00:00
how it sets a baseline for
00:00
systems and software within the cloud environment.
00:00
We talked about change management.
00:00
Now this is really the process for reviewing,
00:00
approving, and testing changes in the cloud environment.
00:00
Then we talked about some
00:00
of the best practices when it comes to
00:00
handling deviations and exceptions
00:00
from the configuration baseline.
00:00
First and foremost, you should have monitoring in
00:00
place to detect any deviations.
00:00
Then when deviations are needed for a business case,
00:00
you could implement compensating controls to reduce
00:00
the risk of the overall deviation to acceptable limits.
00:00
I'll see you in the next lesson.
Up Next