Security Laboratory

Security Laboratory

Configuration Management in the Security World

Adam Meyer
When you think of configuration management, what is the first thing that springs in your head? Usually when I ask people this question, I generally receive an answer along the lines of software development, or some type of engineering deliverable.

Traditionally, configuration management has its roots in the manufacturing and software development arenas; something that is an actual deliverable. Configuration management follows a linear path, similar to project management, and revolves around the control and release of different product versions. Until recently, security was not on the radar of configuration management professionals with the exception of the physical security.

However, for the past few years configuration (sometimes also referred as Change Management) has been finally gaining ground as a discipline that is in demand in the security world. Right now it is in its infant stages as vendors, and security professionals attempt to categorize or better define the role of configuration management in the security discipline. Depending on who you talk to configuration management can mean different things, it can mean how your network devices are configured, or it can mean what version of the application you are running, it could mean what was the last patch installed on your device., or the baselines hardware and applications that run on your devices.

Ask yourself, what does configuration management mean to you? Does it strictly revolve around CMM, or CMII? Does it involve an administrative only process such as a CCB? Now ask yourself who is the configuration management professional in your organization? Now ask yourself is this person also a security professional? If not they should be, and if you don’t have yourself a configuration management professional you better get one into your security department, and here’s why. Configuration management drives information security and information assurance. It’s in everything and is imbedded everywhere, but few people acknowledge this fact, and your organization may be suffering because of it. It’s how you manage your infrastructure, its how you manage your information security program, its how you build and manage your information security process.

Every security professional should have some type of configuration management skills in their tool box, along with everything else. It’s pointless to buy the best firewall on the market, and not have a good SOP to maintain its configuration so only authorized traffic crosses it. You should think of configuration management kind of like the tumbler within the lock on the front door of your home. You could buy a steel door, and put a tank of a lock on it to keep everyone out, but if you don’t configure the tumblers within the lock, anyone can get in and all of that time and effort is wasted. Lack of configuration management puts additional risk to your environment. The diagram below shows the many areas that configuration management resides within your security program.

As a rule of thumb, configuration management can be broken down into three distinctive disciplines for your environment, with all three of them having different requirements, process and tools. The three disciplines are:

  1. Business Process Infrastructure (Chain of Command, CCB)
  2. Operations and Services (Operational Group)
  3. End Products (technical group)
The Business Process Infrastructure weather you are federal government or commercial sector is the backbone for the rest of the organization. The business process is where the rules and responsibilities are identified, policy is written and accepted, and more importantly it is where the process is built in order to successfully manage the security posture of your organization. Your business process infrastructure is where your authority originates, and the correct people are given the correct level of authority and executive buy in order to make change with the organization as the security threat changes. Your business process infrastructure needs to be built with the mindset of accommodating change. Unfortunately, many organizations do not allow for enough flexibility in their change process that allows for rapid reconfiguration requirements, which are necessary in the security environment. Many configuration management professionals either put too little effort into accommodating change, or put to much effort in locking down the change with excess efforts making change difficult.

Examples of these deficiencies in proper business process infrastructure were the past Veterans Department data loss. Many security best practices where not enacted due to the executive leadership not giving the proper personnel the correct level of authority necessary in order to enact change. Additionally the Navy set its business process infrastructure into a bottleneck in order to attempt to get a handle on their information Assurance efforts.

Accommodating changes was not taken into consideration as a single point of failure was created which significantly reduce process flow. Configuration management plays a role in these efforts because the Configuration Management professionals should be the facilitators of this process. They are not the process owners, rather then the process facilitators. Configuration management owns the document creation, revisions, releases, and process improvement activities for the business process infrastructure, and influences best practices. A configuration management professional should be knowledgeable enough in security and information assurance in order to begin process improvement utilizing security best practices in the dosing of organization business process.

Once the security business process infrastructure framework is designed, documented, accepted and put under configuration control, the next area of concern is the configuration, and change controls of enterprise services and operations. This is completed by developing and taking configuration requirements operational. This also is a critical step in the building of the secure infrastructure, and is the meat and potatoes of providing a defense in depth to your organization. The authority is driven by the acceptance of the business process infrastructure, however, the operational needs, wants, and the protection profiles requirements to meet the need, and want requirements are developed within this operation framework. Configuration management again is the process facilitator, the CM professional needs to ensure their process flows take all operational services provided by the organization, can accommodate change within it from cradle to grave. A possible framework is displayed in the following figure.

This is a typical operational framework under configuration control for active management. The CM professional generally does not fill the role of making the sole decisions of the baseline configuration requirements for each domain within the framework, but is an active team member in the creation of the baseline standards. The CM role should be the primary facilitator of change to baseline framework, and ensure that the As-Built infrastructure is current in real time. The CM professional should be able to manage three different levels of enterprise architecture utilizing security best practices, the As-Built, the To-Be, and the As-Planned. Each area of focus has distinct security affects for the enterprise. The As-built is the real time operation of the enclave in real time directly supporting the mission of the organization. This is where the change management process controls what is built into the infrastructure, what data transverses the infrastructure and what is decommissioned from the infrastructure.

The To-Be environment is the next generation of the infrastructure that is needed to support the every fluid environment of today’s rapid reconfiguration requirements. The To-Be environment represents the near future architecture and protection profiles needed to sustain operations. This is where configuration management plays a large role within the enterprise architecture discipline. The CM professional should know everything about an organizations As-Built so that decision makers are armed with the correct data to make educated decisions about their architecture. Generally the To-Be is at a stage where actual hardware and software needs have been identified in detail, integration testing has been completed. The To-Be environment is where Information Systems Security Engineering (ISSE) process is at their best.

The As-Planned environment is the long term view of the organizations enclave. The As-Planned is generally high level architecture for propos3ed future needs wants. All needs start in the As-Planned stage of the life cycle, where they are more finally tuned to meet stricter and more defined requirements as they progress from the As-Planned to the To-Be, and finally into the As-Built. This is all facilitated by configuration management.

The COOP area of the framework again is not the sole property of configuration management but again they are a critical team member in the development of it. The CM professional should be able to assist any security professional with critical data required in order to effectively build the COOP elements. Configuration Management should know where assets are, what they are, what they are doing, and who they were doing it with. This gives security personnel which solid data to better assess backup strategies, critical devices, disaster recover prioritization, and business impact analysis. Generally document library control falls under the configuration management group for quality assurance, for which ISO 900 series is popular. As device, data flow, and capabilities are added and decommissioned from each environment, the COOP documentation needs to be consistently revised and released in order to capture the impact of the change.

Typical security practices are overlooked, since accommodating change is not front loaded into the environment, changes to the environment are not captured in the latest revision of the COOP, this in turn can be catastrophic in the event of an incident. The CONOPS is where the operation configurations requirements and processes reside. For the DOD the DIACAP Knowledge Service is a good example of where a CONOPS policy and process can be drafted from. The DIACAP Knowledge service controls are under DIACAP TAG configuration control. As threats change, the controls can be changed to assist in mitigating the threat. Configuration Management should maintain this operations document to reflect the current controls posture, setting the baseline for user operations. The CONOPS should outlines policy, and process required in order to fulfill the daily duties of the organization such as the firewall change process, Access controls levels, user roles, and responsibilities. The CONOPS is a living document that changes as the current threat changes in regards to normal operations. The CONOPS is an operational baseline and should also fall under configuration control.

The Audit domain in the framework is the checks and balances, as well as compliance area for the environment. Regular audits should always be included into all process with the organization in order to help maintain internal compliance. Audits not only provide a valuable metric in assessing your security posture overall, but it also provides a number of security improvement.
  • Organizational Compliance - Compliance does not result in good security, but good security does result in compliance, therefore, weather you are looking for FISMA or SOX type compliance you should be well on your way because you are a security practitioner, by being proactive, and not reactive.
  • Continuous Improvement - Audits allow the decision makers the ability to quantify if processes are effective, this allow decision makers the ability to intervene as integrity declines. The audit domain is the obvious; it is a method of checks and balances to maintain the appropriate security posture.
End product configuration management is the management of the As-Built devices themselves, and is generally where the current commercial tools venders are focusing on. This area of focus is also the most technical of all of the areas, and if developed properly in conjunction with the other configuration management areas is the most important. The end product configurations should be designed in the To-Be domain for operation deployment. When a new need and want is identified in the As-Planned architecture, then further analysis selects and actual product to perform that want, the baseline configuration for that device should be assembled. The CM professional should be the facilitator of this baseline, to maintain the security posture of the environment, by utilizing the System development life cycle, in addition to the information systems security engineering processes. This is where the CM professional Information Security engineer, and systems engineer should converge and team, to establish as baseline, that:
  1. Meets system requirements
  2. Meets security requirements
  3. Can be moved into the As-Built and integrate
Many times theses efforts are undertaken in different phases of system development, when in actuality they must be undertaken in a teaming environment. This is the reason why a Project Engineering Review Meeting ( PERM) should be utilized. The purpose of the PERM is to take an As-Planned requirement, and build a To-Be solution, for future transition into the AS-Built after approval from the CCB. The PERM is the critical exchange of communications, and talent that is generally missing from many organizations. Lack of a PERM type capability, is generally the sole reason why project fail, to either meet requirements, meet security needs, which in turn results in delays and cost overruns, in additional to putting additional risk to the infrastructure.

Configuration management is a growing discipline and can provide a solid backbone in order to maintain secure operations. The role is growing, and continuous to influence the IT realm as more and more capabilities with IT infrastructure. In order to practice true defense in depth, an identified and accepted configuration management role needs to be introduced into the security operations.

Defense in Depth can now be viewed in three dimensional terms. As security services, such as Cryptography, Firewalls, Intrusion detection and prevention are deployed, in addition to the CM framework, and building these solution based on the differing levels of IT will provide a robust security, operations, and compliance best practice.


Guess, Vincent C. (2002); CMII for Business Process Infrastructure; Scottsdale, AZ; Holly Publishing
A book outlining process, and methodology of CMII in the area of configuration management. CMII is project management, configuration management, and quality assurance integrated into one cohesive unit.

Information Assurance Solutions Technical; Directors, National Security Agency (2002); Information Assurance Technical Framework
The NSA released framework for information assurance best practices

Stacy, Timothy R.; The Information Security Program Maturity Grid
A position paper developed for the workshop for the National Institute of Standards and Technology outlines the interrelationships of the quality assurance, configuration management, and security disciplines

Stoneburner, G., Hayden C., Feringa A. (2004); Engineering Principles for Information Technology Security; Gaithersburg, MD; National Institute of Standards and Technology
A best practices guide from the NIST