By now, we know a lot about secure configuration management (SCM). We know the way it works, the integral processes of which it consists, the areas of your IT infrastructure that it can help secure as well as the different types of best practice frameworks and regulatory compliance standards with which it can help you to maintain compliance. All we’re missing is how to procure and deploy an effective SCM solution.
The word “effective” is key here. What you don’t want is a “checkbox” SCM tool that doesn’t meet all of your requirements. Sure, it might help you pass an audit if the auditor doesn’t dig too deeply, but it’ll likely lack support for specialized policies such as the National Institute of Standards and Technology (NIST) and the Payment Card Industry (PCI). It might also not have sufficient content or reporting capabilities to effectively scale across your enterprise.
Ultimately, checkbox SCM solutions are a waste of money. You want a tool that supports your business needs. That’s why you need to approach the purchase of an SCM solution in a methodical way. This process should involve assessing your environment, asking SCM vendors certain key questions and keeping important deployment considerations in mind.
Assessing Your Environment
You should look at your IT and/or OT environment before you formulate a SCM strategy. In particular, you should investigate the following components of your environments to determine what type of tool will work best:
- Hardware: You need to know what types of hardware a SCM solution requires to run properly. Does the prospective tool support the hardware found in your environment? If not, is it worth aligning your hardware to the solution in terms of money, time and business objectives? Along those same lines, can the tool scale as the business grows?
- Location: You might not have your assets in one place. Perhaps you have a distributed environment, or perhaps you’re using a hybrid cloud model in which some of your assets are stored on premises and others are located in the cloud. Does the proposed tool support your assets regardless of location? And does it support all the major cloud vendors?
- Third-Party Tools: Does your environment rely on third-party tools such as threat intelligence sources, patch management apps and SIEM tools? If so, you want to make sure that a proposed SCM tool comes with the option of integrating with them.
- Internal Skills: Your organization might have admins who wear several hats including for security, or you might have a dedicated security team. Who do you want to own the SCM solution? Do you have enough internal expertise to manage the tool? If not, you might want to look into investing in a managed offering.
Engaging with an SCM Vendor
Once you’ve confirmed that a SCM tool will work with your environment, you can ask more detailed questions about how the solution works. In particular, you should consider asking the SCM vendor the following questions:
- What security controls are available for endpoint management through your solution? Are the policies for those controls managed through your console?
- What devices and apps does your product support?
- What best practice frameworks and/or regulatory compliance standards are supported?
- What kinds of reports can I create by default? How can I create a custom report?
- Do you have an in-house research team? How do they support your SCM solution?
- Are temporary devices supported by the tool?
- How do we optimize your management console? What does it need to run, what hierarchal management does it support and how customizable is it?
- How have you secured your solution? Is it supported by strong authentication? Pentests? A secure software development process?
- What is the scope of the solution upon purchase? How many devices can I protect with an initial license purchase? Is it possible for it to scale up?
- Do you have training and/or professional services available?
What to Keep in Mind for Deployment
Once you’ve chosen and purchased a license for the SCM tool, you can get into the work of deploying it. This effort should begin by preparing the hardware that’s needed to run the SCM tool. This will save time and money when the vendor’s professional services team or your internal folks start their work. You also want to make sure you know the tool’s port and service requirements to get everything up and running with the network team.
From there, you want to make sure subject matter experts are available for all applications into which you’ll be integrating the SCM tool. It’s then that you can get to work deploying the solution. You can do this either by educating your internal teams or by using professional services offered by the vendor to help you deploy or even remotely run the solution.
To learn more about the benefits of SCM, download Tripwire’s latest eBook “Mastering Configuration Management Across the Modern Enterprise: An Explorer’s Guide to SCM.”
For information on how Tripwire’s products can help support your organization’s SCM efforts, please download this Tripwire Enterprise datasheet.
FURTHER READING ON SCM:
- SCM: Understanding Its Place in Your Organization’s Digital Security Strategy
- 4 Areas of Your IT Infrastructure that SCM Can Help to Secure
- SCM in Practice: How to Strengthen Your Organization’s Security Processes
- Gearing Your Compliance Efforts to Your Next Audit Using SCM