There’s a Russian proverb, “Doveryai, no proveryai” (Trust, but verify). You trust your IT department to keep your systems up and running and configured securely. But do you verify those configurations?

As we all know, in the rush to get things done quickly, some things slip through the cracks. And most often, security seems to be what ends up between the couch cushions. Without a security policy for each platform running in your environment, the security and availability of your systems may be compromised.

This is why an important part of security hygiene at many companies includes setting security controls for the operating system and the applications running on it. Setting the configuration controls for login, auditing, least privilege, etc. is only the first step in securing the environment. Testing your systems for secure configuration settings on an ongoing, continual basis is the next step of proper security hygiene. There’s a reason CIS, NIST, ISO, and others have published standards for securing the platforms you use: they expect you to keep your systems in that securely configured state, not just to reach it once.

These standards extend into the cloud, as well.

After all, whether you’ve created an internal cloud to meet demand or reached into the public cloud to take advantage of Amazon, Microsoft, Google or others to buy computing resources, those platforms need to be configured securely. Oftentimes, you’ll be using a tool such as Chef or Puppet to configure these cloud resources, and they do a great job in setting things up both in the cloud and on-prem. But here’s where the “Trust but Verify” adage comes into the equation: even though you trust that your configuration tools are setting up the OS and applications correctly and
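The verification step the post argues for, as an added example that is not part of the original post or any product it describes: a small benchmark-style checker that parses a service configuration file and reports every setting that drifts from a policy of expected values. The sshd_config content, the policy values and the `Finding`/`audit` names are constructed for illustration; the values a real audit compares against come from the published benchmark for your platform, and the same shape (parse the effective configuration, diff it against the policy, report drift including settings that are missing entirely) applies whether Chef, Puppet, or a human wrote the file.

```python
"""
Added example (not from the original post): a minimal configuration verifier
that checks an sshd_config-style file against a policy of expected settings,
the way a CIS-style benchmark check would. Sample content and policy values
are constructed for illustration, not taken from any published benchmark.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: what a provisioning tool might have written to
# /etc/ssh/sshd_config. Two settings deliberately drift from the policy below,
# and one policy item (ClientAliveInterval) is not set at all.
SAMPLE_SSHD_CONFIG = """\
# sshd_config written by a provisioning run (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 4
LogLevel INFO
"""

# Constructed policy (hypothetical benchmark values): keyword -> expected value.
POLICY = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "INFO",
    "ClientAliveInterval": "300",
}


@dataclass(frozen=True)
class Finding:
    """One policy item whose effective value is wrong or absent."""
    keyword: str
    expected: str
    actual: Optional[str]  # None when the keyword is not set at all


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines; blank lines and '#' comments are skipped.
    Keywords are case-insensitive and sshd honours the FIRST occurrence of a
    keyword, so later duplicates are ignored rather than overriding it."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line; a fuller auditor would report it
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit(text: str, policy: Dict[str, str]) -> List[Finding]:
    """Return one Finding per policy item whose effective value differs from
    the expected one, or which is missing from the configuration entirely."""
    settings = parse_sshd_config(text)
    findings: List[Finding] = []
    for keyword, expected in policy.items():
        actual = settings.get(keyword.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(keyword, expected, actual))
    return findings


def is_compliant(text: str, policy: Dict[str, str]) -> bool:
    """True only when no policy item drifts."""
    return not audit(text, policy)


if __name__ == "__main__":
    for f in audit(SAMPLE_SSHD_CONFIG, POLICY):
        status = "MISSING" if f.actual is None else f"actual={f.actual!r}"
        print(f"DRIFT {f.keyword}: expected={f.expected!r} {status}")
```

Run it on the constructed sample and three drift lines are reported: the two settings with the wrong value and the one that is absent. Treating a missing setting as a finding matters because a configuration tool that never touched a keyword leaves the daemon's default in effect, which is exactly the case a "trust the tool" mindset overlooks. The same loop run on a schedule, against the files actually on the hosts, is the continual verification the post describes.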