By now, we know a lot about secure configuration management (SCM). We know the way it works, the integral processes of which it consists, the areas of your IT infrastructure that it can help secure as well as the different types of best practice frameworks and regulatory compliance standards with which it can help you to maintain compliance. All we’re missing is how to procure and deploy an effective SCM solution.

The word “effective” is key here. What you don’t want is a “checkbox” SCM tool that doesn’t meet all of your requirements. Sure, it might help you pass an audit if the auditor doesn’t dig too deeply, but it’ll likely lack support for specialized policies such as those of the National Institute of Standards and Technology (NIST) and the Payment Card Industry (PCI). It might also lack the content or reporting capabilities needed to scale effectively across your enterprise.

Ultimately, checkbox SCM solutions are a waste of money. You want a tool that completely supports your business needs. That’s why you need to approach the purchase of an SCM solution in a methodical way. This process should involve assessing your environment, asking SCM vendors certain key questions and keeping important deployment considerations in mind.

Assessing Your Environment

You should look at your IT and/or OT environment before you formulate an SCM strategy. In particular, you should investigate the following components of your environment to determine what type of tool will work best:

  • Hardware: You need to know what types of hardware an SCM solution requires to run properly. Does the prospective tool support the hardware found in your environment? If not, is it worth aligning your hardware to the solution in terms of money, time and business objectives? Along those same lines, can the (Read more...)