Compliance Automation and Security Benchmarks

For a multitude of reasons, implementing some form of compliance automation can be extremely beneficial for companies that undergo annual efforts to meet various compliance framework standards. Through the use of automated solutions, the compliance burden that many companies face can be drastically reduced. Leveraging partial or full automation can help ensure that periodic tasks are executed timely and can help free up resources to focus on other tasks. Most compliance frameworks and standards that organizations must adhere to include periodic tasks as well as specific security benchmarks. Leveraging automation solutions and techniques can both increase compliance maintenance efficiency, but also strengthen the security posture of an organization.

Automation solutions can provide value to all organizations with both on-premise and cloud hosting environments; however, virtualized environments hosted in private or public clouds can provide a higher level of automation and thus more value to organizations. Automation tools can be as simple as scheduled tasks running scripts at the operating system level or they can be as robust as full orchestration of entire environments. The level to which an organization can automate security-related tasks can be scaled to whatever level is appropriate.

Below is one example of a common compliance-related periodic task as well as methods to provide assurance that security benchmarks are met and maintained through automation.

Inactive user accounts: Many compliance frameworks require that organizations ensure that inactive user accounts are disabled or removed after a specific period of time.

Linux: Password expiration configurations can be leveraged to disable inactive accounts by configuring “num_days” with the “inactive” modifier and specifying the target inactivity limit. Administrators can also configure “warn days” along with “num_days” to automate warnings to the users of the impending limit. Additionally, administrators can create a cron scheduled task to automate the parsing of logs periodically to notify administrators of user accounts that became inactive for manual processing or follow-up.

Windows: Create a scheduled task with PowerShell scripting to interrogate domain controllers for user accounts that have been inactive for close to the specified limit and have the script email users to warn them that their account will be disabled within “x” days. The script can then execute the disabling of user accounts when the hard limit is reached and can email a list of disabled accounts to systems and security administrators. By automating the initial user warning, users will have the opportunity to log on and reset the inactivity timeout, therefore, reducing the potential burden by eliminating the need to re-enable some accounts by administrators.

High-level orchestration of both Windows and Linux instances for user inactivity and other tasks can be accomplished with tools such as Ansible which has native support for common operating system platforms and cloud services. Chef is another similarly capable cross-platform tool that can be leveraged for compliance task automation. Furthermore, cloud hosting providers such as Azure and AWS have native compliance automation solutions available.

Maintaining compliance with security benchmarks: Most organizations adopt industry standards for system configurations such as CIS and are required to perform periodic audits to ensure that there have been no deviations from the standards.

Containers and Serverless: Application containers or serverless instances do not operate in the same manner; however, they share some configuration and management attributes that allow for effective automation of compliance tasks. Container solutions such as Kubernetes have available industry-accepted configuration standards such as CIS that can be used to measure instances against baselines. Various tools are available and are configurable for periodic scanning of both live container instances and static configuration files to identify vulnerabilities and drift from prescribed configuration standards. Some cloud providers offer pre-configured containers meeting hardening standards out of the box. Serverless is similarly flexible for meeting standards, but it is more dependent on the hosting provider. Serverless hosting providers often provide tools for the automation of periodic standards checks as well as vulnerability checks against serverless instances. Containers and serverless platforms offer the capabilities of not only allowing for automated periodic auditing of configuration states but also allowing for quick remediation and redeployment which in some cases may only take a matter of minutes.

Cloud hosting of OS platforms: Cloud hosting providers and their partners offer preconfigured OS platform images that are designed to meet industry standard security configurations such as CIS. Pre-configured images allow for quick deployment of hardened host instances; however, organizations may still need to meet requirements for periodic audits to ensure that there is no drift from the standards. Post-deployment, cloud hosting providers such as Azure and AWS offer services for the validation of host images and configurations. These validation solutions can be automated to run periodically, alert, and provide reporting to administrators. Remediation may not be as quick as what can be accomplished with containers and serverless, but the updating of images and re-deployment can be streamlined if proper operational procedures are in place. The native cloud services tools are commonly only a part of what organizations leverage for automation. Combining the native cloud service capabilities with orchestration tools can allow for even more effective automation and re-deployment when needed.

Cross-platform orchestration solutions: The previously mentioned orchestration solution providers, Chef and Ansible, provide powerful and broad capabilities in support of automated compliance tasks and assurance for meeting prescribed security benchmarks. These solutions and other similar solutions integrate with native operating system scripting engines to allow for periodic auditing, alerting, and reporting of compliance against the organization’s designated security benchmarks. The orchestration solutions also provide capabilities for timely remediation and re-deployment when required.

In closing, it is important to remember that the best automation solutions available are only as good as the organization that drives them. Automation can help meet compliance objectives and can ensure that security benchmarks are met, but a mature compliance program is required to manage providers and solutions to provide true compliance and assurance.

References:

https://www.cisecurity.org/

https://www.chef.io/

https://www.ansible.com/for/windows

https://docs.microsoft.com/en-us/azure/automation/security-controls-policy

https://aws.amazon.com/blogs/security/tag/automation/