Configuration Management, Policies and Procedures

Don PetravickComputer Security Awareness Day.

Sept 29, 2009

So what’s configuration management?

• It’s a field of management that focuses on establishing and maintaining consistency of performance over a lifecycle.

• What kind of performance are we here to talk about?– Performance related to the lab’s policies.

• Policies of interest:– Security, Greenness, Licensing.

• What changes over the lifecycle of a computer?– Much change is centered around Installed software and

the software’s configuration– So that is our focus.

“True It Up”• Prohibited: “Violation of license and other computer

related contract provisions, particularly those that expose the laboratory to significant legal costs or damages.”

• Use case:– Vendor “A” sells licensed software at a modest cost per

computer. • No one user thinks procurement is “significant”• Procurements are ad hoc.

– One day, the Lab is informed the vendor would like to “true up” the license costs.• Vendor produces an estimate of a very high level of use of the

software. – Fermilab must produce an accurate inventory of installed copies

on all of its machines.

Secure It Up

• Fermilab GCE controls states that all desktops and personal workstations will display a screen saver requiring a password after designated timeout*

• Naively, a person may feel this setting is solely governed by their own preference, and alter the configuration.

• However, Auditors walk about the site at night, looking at desktops, find unlocked machine

• *unless there is a recognized compensating control

Green It Up

• Emerging Policy (from Draft):“Utilization – Computing assets will be operated in an energy efficient manner ... In particular, procedures define standards for power management of monitors, laptop displays and processing units, and resource utilization standards for printers. Computers that are managed by Fermilab will have these standards automatically applied.”

Forget configuration management, What is this all about?

• The lab as a whole aspires to high standards for the security of every machine at the Laboratory.– This is hard to achieve without focus.– An organized approach is the surest way to

achieve and sustain overall high performance. • The Lab makes a plan, and works to the plan.

– Plan must be expressed in a standard framework. – The plan has to be rooted in modern technical culture

» Usual techniques, and skill sets. (so we can staff it up_» Is organizationally defensible (separation of roles)

Outside scrutiny includes

• Auditors and Data Calls – Measure whether the lab works to its plan.

• Need to grasp what we are doing.– Plan needs to be coherent.– Presented in a framework they understand.

» There are conventions – we don’t get to invent.

– Auditors sample the population of things governed by the plan and draw general conclusions.• “how you do anything is how you do everything”• Because of the small sample, even single breaches seem to

be indicative of failing to work to the plan.

Lab as a whole is held accountable

• Saying we will all try hard in our own way is a non-starter.

• Seen as an indication of whether lab can work to a plan.

• It can be very hard to hold individuals accountable.– Configurations are detailed. – Do we really want to discipline someone because (say

the director’s, or your) screen saver settings were fumble-fingered?

So the Usual and Expected Direction is

• To adopt a structured approach.– To the extent possible remove detail-oriented

accountability from the end user and into a specialized function.

– To define the processes used by that function. • So that they can be continually improved.

• It is recognized that a structured approach reduces flexibility.– This causes stress and tension in the technically

able.

Deming Cycle : PDCA

Execute the planMake plans

And policies

See how well we are secured

Consider everything, figure out what to adjust

The High Level

• Specify a process framework to figure out– What needs to be controlled.– How to specify the configuration of controlled

items. “should-be”– How to deal with exceptional needs. – Monitor: “as-is” == “should-be”– Make “as-is” == “should-be”

• Status: work to realize this has begun under tune-it-up.

What Needs to be Controlled?

• Policy Controls Everything. • Additional Emphasis and Scrutiny for:

• Things of central concern• Platforms of significance.

– Where the lab is somehow accountable, even for lapses which seem insignificant to some.

– Currently:• Computer security• Greeness.

Two Kinds of Baselines

• Global:– Example -- All computers must be secured. – The baseline specifies necessary things, “shalls.”• If you cannot do what the baseline specifies, then there

must be a compensatory control.• Recognized via variance process.

• Statistical:– Example – n% of computers will be “green”.– Variance process – can grant relief for 100% - n%.

Configuration “layer cake”

Constrained by policy>

Constrained by policy>

Constrained by policy>

<Constrained by Baseline

<Constrained by baseline

< Constrained by Baseline

< Constrained by baseline

Configuration Element AttributesAttribute Example

Unique ID

Name Auto login not allowedRequired value GDM=?, KDM=?, XDM=?

Justification Security

Compliance Test Check GDM,KDM,XDM config files

How to comply

Enforcement action Become blocked

Grace period 1 day

CIO Delegates Management of Baseline to an Organization.

Process: Role: CIO– Determines the number and kind of baselines.– Determines the concerns controlled by the

baselines.– Authorizes the construction/update and

retirement of baselines. – Determines the organizational unit responsible for

managing the baseline– Provides guidance to baseline projects in the

areas of law, regulation, lab contract, and other external constraints.

Process: Role: Baseline Manager• Monitoring that the baseline achieves its purpose• Monitoring external triggers indicating a need to

update the baseline. • Running the continuous baseline lifecycle processes.– verify, announce, enforce

• Initiating and running the non-continuous baseline lifecycle processes as needed.– Compose/update, approve, communicate, deprecate, grant

variance• Recommending to the CIO that a baseline should be

deprecated.

What the role of Major and Minor Applications?

• Policy governs everything.• The baseline process governs systems in the

enclave that do not have major or minor application plans.

• Major and minor plans are formal security plans for systems that have stronger security requirements than provided for in the enclaves.– These often refer to the security baselines

What does this mean to me?

• U1 – “I just want my computer taken care of”– Be aware that the the level of monitoring of your

computer will increase, and be agent-based.– Be aware that the level of active management will

increased, and will become agent based. • U2 – “I want to take care of my computer”– The lab will consider all business needs for

distributed and self administration.– See U1.

Summary

• Confg Mgt? Sustain the perforamance of a system. – What kind of perf? Perf of concern.

• FNAL is implementing a process framework for specifying necessary security configuration, along with a variance process, for concerns and software of significance.– Security admin is complex and is done centrally.

• As framework matures, it will be backed by sensing and control agents on computers