How automation takes the time and guesswork out of security compliance
- By Brandon Shopp
- Aug 20, 2021
As this fiscal year wraps up, many agencies are planning their response to compliance reporting requirements. Meeting these requirements -- particularly in advance of an audit -- can be incredibly time-consuming. While the Defense Department has made managing risk easier through Security Technical Implementation Guides (STIGs), it’s still dependent upon IT staff to help ensure their systems are continuously secure and compliant -- throughout the year, not just at a point in time.
Government IT systems are complex, budgets are limited and threats are constantly evolving. Ensuring that those systems have the right security controls, processes and documentation in place to demonstrate compliance with security standards can be challenging, but the effort is highly manageable, especially with automation. Let’s consider how government IT professionals can use automation to take the time and guesswork out of compliance.
The problem with STIGs
A STIG is a set of security hardening standards and maintenance processes for networks, systems and platforms that all DOD IT assets must comply with. There are hundreds of possible STIGs -- each with thousands of rules that must be followed -- and the number only continues to rise as new systems, versions and updates come online.
Monitoring server and network configurations against these compliance policies can be cumbersome. Even with the best change-control processes, it requires an army of people to manage and track all the configuration changes happening within the IT infrastructure. If a system has a particular STIG applied to it and happens to deviate from that control, how would system and network administrators know?
This is particularly problematic because these changes are happening all the time. A system or device can deviate from a STIG’s expected baseline configuration for any number of reasons -- such as a system update or when a patch is applied to a vulnerability. Sometimes the deviation is deliberate. For example, an application may not run properly without introducing permission or authorization settings that deviate from the STIG. In each of these instances, administrators must create an exception to the STIG. They must also explain and document the exception in preparation for an audit -- a painstaking process.
These manual, time-consuming compliance tasks can take weeks and cost a significant amount of taxpayer money to implement across applications, servers and networks.
How automation can help ease compliance
Automation is critical to lessening the compliance burden on IT pros and allows them to focus on other priorities.
Applications, systems and devices are constantly in flux, and staying on top of any configuration drift is challenging. This isn’t just a compliance issue. Any configuration changes in the IT infrastructure can lead to security breaches, outages and slowdowns.
However, with automation, administrators don’t have to monitor each system in a cache of thousands of IT assets for potential configuration changes. Instead, the moment a configuration starts to drift from the security baseline, monitoring tools detect the change and proactively notify administrators in near real time. IT teams also have visibility into who has changed the configurations, what changed and the related performance impact.
With this insight, they can troubleshoot faster, eliminate vulnerabilities, improve security, build in exceptions and demonstrate compliance far more effectively and efficiently than manual processes will allow.
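The baseline-versus-exception check described above can be sketched as follows. This is an added example, not code from the article or from any product; the rule ids, setting names and exception-register fields are constructed placeholders, not real STIG identifiers.

```python
from datetime import date

# Constructed baseline: rule id -> (setting, required value).
# Rule ids are placeholders, not real STIG identifiers.
BASELINE = {
    "RULE-0001": ("ssh.permit_root_login", "no"),
    "RULE-0002": ("password.min_length", 15),
    "RULE-0003": ("audit.enabled", True),
    "RULE-0004": ("tls.min_version", "1.2"),
}

# Constructed exception register for deliberate deviations.
EXCEPTIONS = {
    "RULE-0002": {"approved": 12, "why": "Legacy app caps password length",
                  "expires": date(2030, 1, 1)},
    "RULE-0004": {"approved": "1.0", "why": "", "expires": date(2030, 1, 1)},
}

# Constructed snapshot of one host's current settings.
OBSERVED = {"ssh.permit_root_login": "yes", "password.min_length": 12,
            "audit.enabled": True, "tls.min_version": "1.0"}


def evaluate(observed, today, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Classify each rule as COMPLIANT, EXCEPTION (documented) or DRIFT."""
    findings = {}
    for rule_id, (setting, required) in baseline.items():
        actual = observed.get(setting)  # a missing setting counts as drift
        exc = exceptions.get(rule_id)
        if actual == required:
            result = ("COMPLIANT", "")
        elif exc is None:
            result = ("DRIFT", "no exception on file")
        elif actual != exc["approved"]:
            result = ("DRIFT", "value differs from approved exception")
        elif not exc["why"].strip():
            result = ("DRIFT", "exception has no justification")
        elif exc["expires"] < today:
            result = ("DRIFT", "exception expired")
        else:
            result = ("EXCEPTION", exc["why"])
        findings[rule_id] = result
    return findings


if __name__ == "__main__":
    for rule_id, (status, note) in evaluate(OBSERVED, date.today()).items():
        print(f"{rule_id}  {status:<10} {note}")
```

An exception only suppresses a finding when the observed value matches what was approved, a justification is recorded and the review date has not passed; anything else is reported as drift.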
Automation can also remediate the tedious task of compliance reporting. Administrators can quickly produce FISMA and STIG reports from their configuration templates and easily generate audit documentation and reports -- work that would otherwise take weeks to complete.
Compliance automation can help break down the barriers between security and operations teams. System and network administrators must know their systems are configured in accordance with security policy, but they often lack access to the right tools. However, with the ability to monitor server and device configurations against compliance requirements, they can quickly identify and fix issues without burdening their peers in the security operations center.
Stepping up to automated compliance
Mitigating security risks is one of the most important tasks IT and network administrators undertake. It’s also one of the most complex, time-consuming and costly -- particularly as it relates to compliance. This is where automation can really shine -- helping the entire federal IT team achieve compliance and deliver compliance reporting while lightening their load.
Brandon Shopp is VP of product strategy with SolarWinds.