What is Configuration Management?
Configuration management (CM) is a systems engineering process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. For example, in routers or operating systems, manufacturers often set the default configurations with predefined passwords or pre-installed applications. When end users accept easily exploitable default configurations, it makes it easier for cyberattackers to gain unauthorized access to an organization’s data and has the potential to cause catastrophic data loss. Configuration management tools can help ensure that systems are properly configured for secure use. Specialized configuration management tools allow security professionals to understand what’s changing in their key assets and detect a breach early. These configuration management tools typically perform the following tasks:
- Classify and manage systems
- Modify base configurations
- Roll out new settings to applicable systems
- Automate patches and updates
- Identify problematic and noncompliant configurations
- Access and apply remediation
Configuration management most often applies to the following systems:
- Servers
- Databases and other storage systems
- Operating systems
- Networks
- Applications
- Software
According to the National Institute of Standards and Technology (NIST), security configuration management has four phases1:
Planning. This step involves developing policies and procedures for incorporating security configuration management into existing IT and other security programs, then disseminating this guidance throughout the organization.
Identifying and implementing configurations. This step involves creating, reviewing, approving and implementing a secure baseline configuration for the system is critical. The approach may address configuration settings, software loads, patch levels, the physical or logical arrangement of data, security control implementation and documentation.
Controlling configuration changes. Organizations ensure that changes are formally analyzed for their impact on security and are later tested and approved, prior to implementation. Organizations may employ a variety of restrictions on making changes to limit unauthorized or undocumented updates to the system.
Monitoring. This phase identifies previously undiscovered or undocumented system components, misconfigurations, vulnerabilities, and unauthorized changes, all of which can expose organizations to increased risk. Automated tools help organizations to efficiently identify when the system is not consistent with the approved baseline configuration and when remediation actions are necessary.
1 Johnson et al., 2011, “NIST Special Publication 800-128: Guide for Security-Focused Configuration Management of Information Systems”