MegaplanIT

MegaplanIT

Security & Compliance

Compliance Automation and Security Benchmarks

For a multitude of reasons, implementing some form of compliance automation can be extremely beneficial for companies that undergo annual efforts to meet various compliance framework standards. Through the use of automated solutions, the compliance burden that many companies face can be drastically reduced. Leveraging partial or full automation can help ensure that periodic tasks are executed timely and can help free up resources to focus on other tasks. Most compliance frameworks and standards that organizations must adhere to include periodic tasks as well as specific security benchmarks. Leveraging automation solutions and techniques can both increase compliance maintenance efficiency, but also strengthen the security posture of an organization.

Automation solutions can provide value to all organizations with both on-premise and cloud hosting environments; however, virtualized environments hosted in private or public clouds can provide a higher level of automation and thus more value to organizations. Automation tools can be as simple as scheduled tasks running scripts at the operating system level or they can be as robust as full orchestration of entire environments. The level to which an organization can automate security-related tasks can be scaled to whatever level is appropriate.

Below is one example of a common compliance-related periodic task as well as methods to provide assurance that security benchmarks are met and maintained through automation.

 

Inactive user accounts: Many compliance frameworks require that organizations ensure that inactive user accounts are disabled or removed after a specific period of time.

Linux: Password expiration configurations can be leveraged to disable inactive accounts by configuring “num_days” with the “inactive” modifier and specifying the target inactivity limit. Administrators can also configure “warn days” along with “num_days” to automate warnings to the users of the impending limit. Additionally, administrators can create a cron scheduled task to automate the parsing of logs periodically to notify administrators of user accounts that became inactive for manual processing or follow-up.

Windows: Create a scheduled task with PowerShell scripting to interrogate domain controllers for user accounts that have been inactive for close to the specified limit and have the script email users to warn them that their account will be disabled within “x” days. The script can then execute the disabling of user accounts when the hard limit is reached and can email a list of disabled accounts to systems and security administrators. By automating the initial user warning, users will have the opportunity to log on and reset the inactivity timeout, therefore, reducing the potential burden by eliminating the need to re-enable some accounts by administrators.

High-level orchestration of both Windows and Linux instances for user inactivity and other tasks can be accomplished with tools such as Ansible which has native support for common operating system platforms and cloud services. Chef is another similarly capable cross-platform tool that can be leveraged for compliance task automation. Furthermore, cloud hosting providers such as Azure and AWS have native compliance automation solutions available.

Maintaining compliance with security benchmarks: Most organizations adopt industry standards for system configurations such as CIS and are required to perform periodic audits to ensure that there have been no deviations from the standards.

Containers and Serverless: Application containers or serverless instances do not operate in the same manner; however, they share some configuration and management attributes that allow for effective automation of compliance tasks. Container solutions such as Kubernetes have available industry-accepted configuration standards such as CIS that can be used to measure instances against baselines. Various tools are available and are configurable for periodic scanning of both live container instances and static configuration files to identify vulnerabilities and drift from prescribed configuration standards. Some cloud providers offer pre-configured containers meeting hardening standards out of the box. Serverless is similarly flexible for meeting standards, but it is more dependent on the hosting provider. Serverless hosting providers often provide tools for the automation of periodic standards checks as well as vulnerability checks against serverless instances. Containers and serverless platforms offer the capabilities of not only allowing for automated periodic auditing of configuration states but also allowing for quick remediation and redeployment which in some cases may only take a matter of minutes.

Cloud hosting of OS platforms: Cloud hosting providers and their partners offer preconfigured OS platform images that are designed to meet industry standard security configurations such as CIS. Pre-configured images allow for quick deployment of hardened host instances; however, organizations may still need to meet requirements for periodic audits to ensure that there is no drift from the standards. Post-deployment, cloud hosting providers such as Azure and AWS offer services for the validation of host images and configurations. These validation solutions can be automated to run periodically, alert, and provide reporting to administrators. Remediation may not be as quick as what can be accomplished with containers and serverless, but the updating of images and re-deployment can be streamlined if proper operational procedures are in place. The native cloud services tools are commonly only a part of what organizations leverage for automation. Combining the native cloud service capabilities with orchestration tools can allow for even more effective automation and re-deployment when needed.

Cross-platform orchestration solutions: The previously mentioned orchestration solution providers, Chef and Ansible, provide powerful and broad capabilities in support of automated compliance tasks and assurance for meeting prescribed security benchmarks. These solutions and other similar solutions integrate with native operating system scripting engines to allow for periodic auditing, alerting, and reporting of compliance against the organization’s designated security benchmarks. The orchestration solutions also provide capabilities for timely remediation and re-deployment when required.

In closing, it is important to remember that the best automation solutions available are only as good as the organization that drives them. Automation can help meet compliance objectives and can ensure that security benchmarks are met, but a mature compliance program is required to manage providers and solutions to provide true compliance and assurance.

References:

https://www.cisecurity.org/

https://www.chef.io/

https://www.ansible.com/for/windows

https://docs.microsoft.com/en-us/azure/automation/security-controls-policy

https://aws.amazon.com/blogs/security/tag/automation/

Looking for a knowledgeable partner for your cybersecurity and compliance efforts? We're Here To Help!

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!

Share this post

Industry Leading Certified Experts

Subscribe

Subscribe To Our Newsletter & Stay Up-To-Date

Explore Our Blogs

Whitepaper | 10 min Read

Developing An Effective Compliance Program

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business. We will also outline critical steps towards developing and implementing a useful and effective Compliance Program.

New Service Offering | Contact Us

Ransomware Preparedness Assessment

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? If not or if you are unsure, MegaplanIT is offering a Ransomware Readiness Assessment free of charge for up to 50 Systems. 

ResourceGuide | 8 min Read

Cybersecurity Roadmap For 2022

Companies need to be aware of their current state, where they need improvement, and how to be proactive moving forward. Dialing in on the key elements your organization will need to succeed is a great starting point to having a full-fledged plan in place, and it all comes down to the fundamentals. 

We're Here To Help

We look forward to talking to you about your upcoming Security Testing, Compliance Assessments, and Managed Security Services priorities. We are ready to help and discuss more information with you on our comprehensive list of services. 

Make Our Team, Your Team!

Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.

Ransomware Assessment Preparedness

Cybersecurity Roadmap For 2022

Developing And Maintaining An Effective Compliance Program

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? 

A Cybersecurity Roadmap details priorities and objectives to drive progress towards security goals. The roadmap follows a data-driven path based on answers to critical questions

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business