As a designated HITRUST CSF Assessor, Wipfli encounters a lot of questions about cloud computing services and other technology solutions used to support compliance. This article series is intended to shed a little light on some of the most useful tools and features we’ve seen while performing assessments.
This series has already explored potential solutions that support five of the 19 CSF Assessment domains. Today’s article dives into another two domains.
The Configuration management domain is not inherently technical in nature. There is a lot of policy, procedure, collaboration, review, and approval involved. Yet tools can be used in this domain to help with management and compliance.
For endpoint management, Microsoft System Center includes numerous modules to help. As mentioned in the article addressing the Endpoint Protection domain, System Center also includes configuration management for updates related to software and security policy. If used in conjunction with Active Directory and sound group policy, an organization will have substantial control over endpoint configuration management.
Software configuration management (SCM) tools are part of the larger cross-disciplinary field of configuration management. SCM is defined as the task of tracking and controlling changes in the software, and SCM practices include revision control and the establishment of baselines. If something goes wrong, SCM can determine what was changed and who changed it. If a configuration is working well, SCM can determine how to replicate it across many hosts.
There are several tools available to help automate what used to be a highly manual process. Examples include Ansible, CFEngine, Puppet, and Chef. Each tool has its own user interface and a slightly different spin on its offerings, but for the purposes of HITRUST, they all provide the following capabilities in one way or another.
- All are tools for automating configuration management, application deployment, and configuring tasks across an IT environment.
- Administrators, developers, and testers can run automation jobs at the push of a button, against multiple test environments.
- They can be used to deploy testing environments with specific configurations.
- They offer secure user management to only allow automation testing against an environment to which a user has access.
- Everything is logged and audited for reporting and review purposes.
- They include built-in communication and survey features so any new code will go through the correct approval and chain of custody steps before production deployment.
- They can be used to manage current versions of software/systems and archive older versions if recovery or review is needed.
- They can be used to keep code organized and appropriately labeled for easier collaboration between development and operations teams.
- They ensure that the organizationally defined configuration standard is always the actual state on the managed endpoints.
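The baseline, drift and change-attribution ideas above, as an added illustration that is not Wipfli's code and not any of the named tools' code: a minimal desired-state check of the kind Ansible, Puppet, Chef and CFEngine perform against a managed host. The hostname, setting names, values and approver names are constructed sample data.

```python
# Added example: compare a host's observed settings with the approved baseline,
# report every deviation with the action needed to correct it, and answer
# "what changed and who approved it" from the baseline's revision log.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Revision:
    version: int
    approved_by: str
    settings: dict


@dataclass
class Baseline:
    """Revision-controlled configuration standard; the newest revision is current."""
    revisions: list = field(default_factory=list)

    def publish(self, settings, approved_by):
        self.revisions.append(Revision(len(self.revisions) + 1, approved_by, dict(settings)))

    @property
    def current(self):
        return self.revisions[-1].settings

    def who_changed(self, key):
        """Return (version, approver) of the revision that last changed `key`, or None."""
        previous, result = None, None
        for rev in self.revisions:
            value = rev.settings.get(key)
            if value != previous:
                result = (rev.version, rev.approved_by)
            previous = value
        return result


def find_drift(expected, observed):
    """Map each setting that deviates from the baseline to (expected, actual).
    A baseline setting absent from the host is reported with actual=None."""
    return {k: (v, observed.get(k)) for k, v in expected.items() if observed.get(k) != v}


def remediation_plan(host, drift):
    """One idempotent corrective action per drifted setting, in baseline order."""
    return [f"{host}: set {k}={exp!r} (currently {act!r})" for k, (exp, act) in drift.items()]


# Constructed sample data: baseline v1, then v2 tightens the SSH policy.
BASELINE = Baseline()
BASELINE.publish({"ssh.PasswordAuthentication": "no", "ntp.server": "time.example.internal",
                  "audit.enabled": True}, "secops-lead")
BASELINE.publish({"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
                  "ntp.server": "time.example.internal", "audit.enabled": True}, "change-board")
# Constructed observed state of a host that has drifted from v2.
OBSERVED = {"ssh.PasswordAuthentication": "yes", "ntp.server": "time.example.internal",
            "audit.enabled": True}

if __name__ == "__main__":
    for action in remediation_plan("web-01", find_drift(BASELINE.current, OBSERVED)):
        print(action)
```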
Those are just some of the features they have in common, but there are some factors that differentiate the various tools. Ansible advertises the fact that it is REST API based, which means just the engine can be used without the actual client. With the APIs, it would be possible to integrate Ansible’s toolset into already existing compliance and configuration applications.
Chef and Puppet advertise integration and partnerships, with both AWS and Azure. Beyond application management, Chef and Puppet can also be used to manage cloud-hosted infrastructure and resources.
A large part of the Vulnerability Management domain addresses vulnerability testing and management. There are abundant third-party vendors available to perform vulnerability/penetration testing on an organization’s environment (including Wipfli), but there are also tools available so that an organization can do some of this testing on its own, or use a completely managed security solution.
Since vulnerability management is so large in scope and includes a variety of different security subjects, the tool descriptions that follow likewise provide for a variety of different uses and features.
- Microsoft Azure. Previously, vulnerability testing an Azure environment would require completing a form and then getting approval from Microsoft. However, Microsoft has since partnered with Tinfoil Security whose vulnerability testing solution is now built into Azure web applications. The integration is focused on web application security, which is different from network penetration testing.
The service is advertised to continuously scan for over 60 types of vulnerabilities, including the OWASP Top 10 (the most critical web application security flaws), and to provide an organization with detailed instructions on how to fix any uncovered vulnerability. Like other offerings through the Azure marketplace, this is not a free service.
- Amazon Web Services. AWS has a fairly new add-on called Amazon Inspector. It’s advertised as being an automated security assessment service that can help identify and remediate security issues.
AWS is also partnered with the company Tenable, through which all scans an organization would like to conduct are pre-authorized (thereby bypassing the approval process). Tenable’s Nessus Enterprise for AWS is advertised as able to scan for vulnerabilities, advanced threats, web application security, and compliance violations.
The company also asserts that its solution can achieve these scans where other vendors cannot, because of the cloud environment and its rapidly changing IP addresses. This is an important feature to note because one of the pitfalls when an organization moves its environment to the cloud is that it expects all of its on-premise tools to continue working as intended. Organizations quickly discover, however, that those tools no longer work in dynamic IP address environments.
- Alert Logic. This solution offers two products: Alert Logic Cloud Defender and Alert Logic Cloud Insight. Both are designed to work with the AWS environment.
Cloud Defender is a fully managed cloud-based suite of security and compliance solutions for hybrid IT infrastructure (Security as a Service). This means that Alert Logic will deliver its services from the cloud into an organization’s environment.
Like PaaS, Alert Logic will be in charge of the majority of the program’s management and operation. It’s based on a pay-as-you-go subscription model and provides managed web application protection, network threat and vulnerability detection, security and compliance issue identification, and correlation of disparate security events.
Cloud Insight is a service that can integrate with AWS configuration. It provides automatic, real-time vulnerability assessments as new or changed elements appear in an organization’s AWS environment, along with focused remediation options for any vulnerabilities found. It also keeps track of an organization’s entire AWS asset inventory (a HITRUST requirement), and offers numerous reporting options.
- Qualys Cloud Platform. This offering gives a continuous view of security and compliance related to asset discovery, network security, web app security, threat protection, and compliance monitoring. Included are several vulnerability compliance tools.
Qualys Internet Scanners are used for perimeter scanning of publicly facing devices over the Internet.
Qualys Cloud Agents are geared towards on-premise environments and are installed for use on laptops, desktops, servers, or virtual machines. The agents are used for scanning both on the perimeter and internally. They are advertised as able to extract and consolidate vulnerability and compliance data and update it continuously to their platform for analysis and correlation.
Qualys Scanner Appliances are physically installed within an organization and used for internal network scanning (also geared toward on-premise environments).
Qualys Virtual Scanner Appliances are software-based and advertised as being qualified to run on most virtual and cloud-based platforms (including AWS). The virtual appliances supplement the physical devices.
- AlienVault. Like many other offerings in this article series, AlienVault is a diverse suite (see the article on Audit Logging and Monitoring). For vulnerability management, the solution offers a tool called AlienVault Unified Security Management (USM). The application contains a built-in vulnerability assessment tool that helps identify vulnerabilities, provides detailed reports on its findings, and helps with remediation. It also includes an asset discovery feature similar to the Qualys product, along with on-demand scanning and reporting features.
As cloud computing becomes a more commonplace approach for securing healthcare data, using such third-party tools can also help organizations address HITRUST compliance and meet the assurances required across the 19 CSF assessment domains. With the conclusion of this four-part article series, we’ve managed to present field insights with regard to seven of the 19 domains and the third-party tools that can help. For more information on the tools covered in this series, or on other tools, features, and requirements for the remaining CSF assessment domains, contact us.