Cyber Defense Magazine – August 2019


For example, if some of the configuration settings of a Windows or Linux operating system on which an
application operates are re-configured, the application will break. If an application requires specific
settings to operate and those settings are prohibited or blocked, the application will fail to load or operate.
And so on.


Often, server policies must be manually adjusted on an application-by-application, server-by-server basis,
a painstaking task that can take many weeks and often falls to system administrators, application
administrators or information assurance staff.


“There are thousands of IT staff that are tasked with addressing compliance manually, but many are not
experienced or trained in it,” says Hajost. “So, they muddle through, but the initial effort can take weeks
or even months.”


This is where automation can come into play. Software tools can automate implementation of a security
benchmark, even across complex and disparate environments with varying security policies.


ConfigOS from SteelCloud currently supports more than 6,000 standard CIS and STIG configuration
settings. The software produces a domain-independent, comprehensive policy “signature” including
user-defined documentation and policy waivers. In this step alone, weeks or months of manual work can be
completed in an hour.


The signature and documentation are included in a secure, encrypted signature container that is used to
scan endpoints (laptops, desktops, physical/cloud servers) without being installed on any of them. The
time it takes to implement hundreds of configuration security settings on each endpoint is typically under
90 seconds, and ConfigOS can handle multiple implementations at a time.


Hajost estimates automating the process reduces initial hardening time by 90 percent, while reducing
system security policy maintenance expenses by about 70 percent.


Automated software also simplifies ongoing compliance, which in IT is a constantly evolving process.


“New security updates are introduced periodically to account for newly discovered vulnerabilities as well
as changes and updates by the vendors supplying the major operating environment components,”
explains Hajost.


Limiting Risk/Liability


Although automating configuration security settings can be of immense value, it is not intended to provide
a complete cyber security framework. Still, the automation and associated documentation provided can
play a critical role in reducing legal liability and attaining cyber insurance.
