Configuration Management & Infosec Working Together Part 1

Configuration management of an environment can be extremely unruly, especially when an application or service grows at a rapid pace. It makes sense to automate configurations in order to maintain consistency and eliminate human error.

When implementing continuous integration and development, or as some would say the “nirvana” of system operations and devops, most of the emphasis is on making the environment easier to deploy and easier to update, with little to no administrator involvement. I have found, however, that information security professionals rarely consider using an automated configuration management system as an integral part of a security program. There are tools that can do an audit, and tools or scripts that can be used to make changes based on audit findings, but not many that I have seen that can audit a system and then take action based on the findings. With the gap in technical disciplines and areas of focus between ITOPS, DEVOPS and InfoSec, it isn’t that surprising that tools like configuration management systems aren’t part of a security professional’s usual arsenal of tools.

The idea of using automated configuration management tools for security does seem to be evolving. Projects like Hubble Stack (https://hubblestack.io/), which is built on SaltStack (https://saltstack.com/), aim to provide an auditing framework that automates the verification and reporting of a system’s compliance with CIS and/or DISA STIG policies. Hubble Stack, by way of SaltStack, will also be able to apply the necessary changes to remediate any systems found to be out of compliance. This provides a central place to make changes, allowing for quicker remediation. With Hubble Stack implemented as a part of the SaltStack system, an organization can also deploy new systems that will be compliant with security policies at the time of launch.
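The audit-then-remediate loop described above, reduced to one file, as an added example (not code from Hubble Stack or SaltStack, and not the author's): the policy values, the sample sshd_config and every function name are constructed for illustration.

```python
import re

# Constructed policy for illustration: sshd settings of the kind a hardening
# baseline covers. In this example an unset keyword counts as a finding.
POLICY = {"PermitRootLogin": "no", "PermitEmptyPasswords": "no",
          "X11Forwarding": "no", "MaxAuthTries": "4"}

# Constructed sample standing in for /etc/ssh/sshd_config (no Match blocks).
SAMPLE = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
X11Forwarding no
"""

DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9]+)\s+(.+?)\s*$")  # comments never match

def parse(text):
    """Active directives as {lowercased keyword: value}; first occurrence wins, as in sshd."""
    active = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            active.setdefault(m.group(1).lower(), m.group(2))
    return active

def audit(text):
    """Findings as {keyword: (expected, actual or None)}; empty dict means compliant."""
    active = parse(text)
    return {k: (want, active.get(k.lower())) for k, want in POLICY.items()
            if (active.get(k.lower()) or "").lower() != want.lower()}

def remediate(text, findings):
    """Fix wrong directives in place, drop later duplicates, append missing ones."""
    wanted = {k.lower(): f"{k} {exp}" for k, (exp, _) in findings.items()}
    out, done = [], set()
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        key = m.group(1).lower() if m else None
        if key not in wanted:
            out.append(line)            # unrelated line or comment: keep as is
        elif key not in done:
            out.append(wanted[key])     # first occurrence: rewrite to policy value
            done.add(key)
    # Appending is only safe because the sample has no Match blocks.
    out += [fixed for key, fixed in wanted.items() if key not in done]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    findings = audit(SAMPLE)
    print(findings)
    print(remediate(SAMPLE, findings))
```

Running the audit again on the remediated text returns no findings, and remediating a compliant file leaves it unchanged, which is the idempotence a configuration management run depends on.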

Hubble Stack is a relatively new project, having been developed by Adobe and just recently made open source, so there are some initial limitations with it: no support for Windows and limited native alerting functionality, though these are on the roadmap and will eventually be part of the solution. So while Hubble Stack may not work for every organization in its current state, the project had to walk before it could run and should eventually become an extremely useful and powerful tool for maintaining the security of critical infrastructure.

I’ll dive into Hubble Stack a bit more in future posts once I get some mileage with the project, but for now, check it out and, if you want, let me know your thoughts.

Cheers!

 

Hello world!

Yes, the title is very cliche, and however cliche it may be, it is an appropriate title for my first blog post. So, who am I, why am I starting a blog, and most of all, what is this blog going to be about?

The who am I is relatively easy: my name is David Christensen and I have been working in technology for over 25 years. I started my career in the US Air Force as an F-16 Avionics technician specializing in communications, cryptography, navigation, flight controls, weapons systems and electronic countermeasures. After 5 years serving in the military, I entered the civilian job market, getting my start in the telecommunications industry working for companies like AT&T Wireless and BellSouth. After several years building and maintaining digital wireless communication networks, I migrated into the “datacom” industry, aka Information Technology.

I got into IT during the dotcom explosion and I finished cutting my teeth in IT Operations right before the dotcom bubble burst. When the bubble eventually did pop, I found myself in a unique position, having worked in both Wireless Telecom and IT, so I got involved in the early days of Wireless Data, which evolved into 4G wireless. After spending almost 5 years in the Wireless Data Industry, my career began an organic progression into the software as a service space. It started when I went to work for a software company that was in the beginning stages of its evolution from a traditional software company to one that hosted the service in its own data centers. Experiencing this evolution and combining what I had learned up to this point provided me the solid foundation I needed to focus my career on IT Operations and Information Security, where I find myself today.

So why a blog?  I am humble enough not to think I know everything but confident enough to know I have experienced a lot and continue to experience a lot that I should share.  I enjoy having discussions about technology, passing along what I learn and providing my take on it all.  Most of all I hope to create discussions that not only help me but help others in the Information Technology and Information Security Field.

What will this blog be about?  I suppose I already provided some evidence of what the theme of this blog will be but to be more concise…it will contain information and topics about IT Operations #itops and Information Security #infosec and will probably also evolve into other technology related discussions that are TBD.

Finally, since this is my first blog post, it is probably a good time to provide something regarding the significance of the blog’s name, “Nubble Point of View”, and that of the lighthouse. I spent a large part of my youth growing up in New England, and almost every summer we visited the lighthouse at Nubble Point in York, Maine. The lighthouse sits on a small rock island 300 feet off the coast of Maine, misleadingly close but still far enough away, surrounded by rough seas, making it difficult to get to. Every bit of what a lighthouse is and where the Nubble Point lighthouse sits symbolizes the technology related industries I have dedicated my career to, so it was only fitting that I use this meaning for my blog.

Thank you for finding this blog and for taking the time to read any part of it.  I hope my efforts develop into something meaningful for those who take the time to visit.


David