What is configuration drift?
Configuration drift occurs when changes are made to an environment over time. It happens as new software is installed, settings are modified, and other changes are made to systems. When configuration drift occurs, environments that were once hardened may become vulnerable to exploitation by cyber criminals.
Configuration drift can happen both in the cloud and on-prem and is a threat in either case. For example, system configurations might change and remove or undo the settings that had hardened the system in the first place.
What is system hardening, and why is it important?
System hardening is the process of applying configuration settings that are recognized to minimize the system’s vulnerabilities to cyber and denial of service attacks. Typical changes include enabling secure password policies, disabling unnecessary services, and configuring user rights assignments.
Hundreds of configuration changes may be required to fully harden a server environment. The CIS Benchmarks™ are secure configuration guidelines for over 150 technologies. They have been developed by consensus by a global group of cybersecurity experts and provide recommendations for secure configuration.
Future changes can undo some of the hardened security settings. While there are tools available that can automate the assessment and implementation of secure configuration settings, this process still requires manual involvement.
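To make the assessment step concrete, here is an added example (not from the original article and not a CIS tool) that compares a later snapshot of a host against its hardened baseline and classifies each deviation. The key=value format and every setting name and value are assumptions constructed for illustration; they are not CIS Benchmark recommendations.

```python
# Setting names and values are constructed for illustration;
# they are not CIS Benchmark recommendations.
BASELINE = """\
password.min_length = 14
service.telnet = disabled
service.ftp = disabled
rights.remote_logon = Administrators
"""
# Constructed later snapshot of the same host.
CURRENT = """\
password.min_length = 8
service.telnet = enabled
rights.remote_logon = Administrators
service.print_spooler = enabled   # arrived with newly installed software
"""


def parse_settings(text):
    """Parse 'key = value' lines into a dict; '#' starts a comment."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value': {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def find_drift(baseline, current):
    """Return (kind, key, expected, actual) for every deviation from baseline."""
    drift = []
    for key, expected in baseline.items():
        if key not in current:
            drift.append(("missing", key, expected, None))  # no longer present
        elif current[key].lower() != expected.lower():
            drift.append(("changed", key, expected, current[key]))
    for key in current.keys() - baseline.keys():
        drift.append(("unmanaged", key, None, current[key]))  # never reviewed
    return sorted(drift, key=lambda d: d[:2])


if __name__ == "__main__":
    found = find_drift(parse_settings(BASELINE), parse_settings(CURRENT))
    for kind, key, expected, actual in found:
        print(f"{kind:9} {key}: expected={expected!r} actual={actual!r}")
```

The "unmanaged" category matters as much as "changed": a setting that appears after the baseline was taken has never been reviewed against any hardening guidance.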
Preventing configuration drift in the cloud
Modern application architecture allows for the separation of the core operating system and application services. By using cloud automation and orchestration services, it is possible to start with a CIS Hardened Image and automate the installation and configuration of your application’s specific software requirements.
CIS Hardened Images are pre-configured to meet the security recommendations of the CIS Benchmarks. By using CIS Hardened Images, you can start secure and stay secure, knowing that each time you power on a new image, it has been pre-configured to secure standards trusted by organizations around the globe.
Using CIS Hardened Images in conjunction with cloud automation and orchestration services, teams can continually integrate the newest CIS Hardened Image into their application testing and migration process. As updated images are tested and approved, they can replace the prior image, ensuring that the latest hardened image is used.