Compliance Spotlight: Beyond Checking Boxes


06 December 2016


As an IT security professional, one of the biggest challenges I face is determining whether the system I am responsible for meets the applicable compliance requirements. I’m not talking about meeting them to pass a compliance audit, but actually meeting them on a continual basis, under all circumstances. When my System Admins need to troubleshoot, I want the system to be compliant. When an upgrade is made, I want the system to be compliant. I want the system to remain compliant and ensure that a means is in place to easily demonstrate that compliance to me.

In order to do this efficiently, the settings on the system should be mapped directly to compliance identifiers in the code. SIMP (System Integrity Management Platform) does this via Puppet and Hiera. There are many different compliance regulations depending on what type of system is being supported. I have primarily been responsible for measuring and reporting compliance with NIST 800-53 as well as the DISA STIG. In addition to meeting the regulatory requirements, I have been in positions that require determination of compliance with additional internal requirements based on procedural standards. Because the variables are mapped in the code, I am able to easily update the file used by Hiera to add my own internal compliance identifiers or comments. For each setting, the Hiera mapping lists the compliance identifier as well as the value the compliance regulation expects.

Hiera Mapping

Okay, so the compliance variables are mapped in the code. Now what? Well, I want my system variables to remain compliant at all times (when possible). By utilizing Puppet, SIMP will force remediation if any of the mapped values are changed to a non-compliant value: the Puppet agent runs on a fixed interval, and on each run it sets any managed resource that has drifted back to the state declared in the catalog. The interval can be customized to whatever works for you. (My systems are usually set for 30 minutes.) Once a value is set in Hiera, it is enforced on every run. So, if an SA were to change remote root login to 'true' (PermitRootLogin yes in sshd_config) so he/she can troubleshoot an issue (and then forgets to set it back; never happens, right?) while the system Puppet modules indicate it should be 'false', the value will automatically revert to 'false' the next time Puppet runs on the interval you set. Two caveats: the interval is the maximum window a non-compliant value can persist, so run the agent by hand (puppet agent -t) once the troubleshooting is done rather than waiting it out, and Puppet only reverts settings it manages; a setting that is not mapped is not enforced.

With this Hiera-backed enforcement in place, I have achieved compliance automation with the compliance variables mapped in the code. In order to give me the fullest picture as a security professional, there remains one key feature: reporting. The Security Content Automation Protocol (SCAP) is "a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization". OpenSCAP, included in the SIMP framework, can be utilized to report the compliance state of my system at any given time. The two views complement each other: the Hiera mapping records what each setting should be and why, while the OpenSCAP scan reads what the system actually is, independently of Puppet, so it also catches settings that nobody mapped.

Hiera Validation
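To make the mapping, the drift check and the remediation concrete, here is an added example in Python (not SIMP's code and not the post's own): a Hiera-style compliance map, a constructed snapshot of a node's current values, a check that reports each mapped setting as compliant, a deviation, an accepted (commented) deviation or unknown, and a function that simulates what the next Puppet run reverts. The dicts stand in for what Hiera's YAML would parse to; the parameter names, control identifiers, waiver text and values are illustrative assumptions, not SIMP's shipped mapping.

```python
"""Hiera-style compliance map with a drift check and simulated remediation.

Added example for this post, not code from SIMP or Onyx Point.  The dicts are
what Hiera's YAML would parse to; parameter names, control identifiers, notes
and values are illustrative assumptions, not SIMP's actual mapping.
"""
from copy import deepcopy

# Hypothetical compliance map: Puppet parameter -> identifiers it satisfies
# (regulatory plus an internal one), the expected value, and an audit note.
COMPLIANCE_MAP = {
    "ssh::server::conf::permitrootlogin": {
        "identifiers": ["NIST-800-53:AC-6", "INTERNAL:SEC-012"],
        "value": False,
        "notes": "No interactive root logins over SSH (assumed mapping).",
    },
    "ssh::server::conf::ciphers": {
        "identifiers": ["NIST-800-53:SC-13"],
        "value": ["aes256-gcm@openssh.com", "aes256-ctr"],
        "notes": "Approved ciphers only (assumed mapping).",
    },
    "pam::faillock::deny": {
        "identifiers": ["NIST-800-53:AC-7"],
        "value": 3,
        "notes": "Lock the account after three failed logins (assumed value).",
    },
}

# Locally accepted deviations, with the comment an auditor needs to see.
EXCEPTIONS = {
    "pam::faillock::deny": "Waiver W-17 (hypothetical): deny=5 until 2017-01-31.",
}

# Constructed snapshot of the node: an SA flipped PermitRootLogin to 'yes'
# while troubleshooting and never set it back, faillock runs under the
# waiver, and the cipher list has no value at all (e.g. a misspelled key).
CURRENT_VALUES = {
    "ssh::server::conf::permitrootlogin": "yes",
    "pam::faillock::deny": 5,
}

_BOOL_WORDS = {"true": True, "yes": True, "on": True,
               "false": False, "no": False, "off": False}


def normalize(value):
    """Fold the spellings a setting takes on the node ('yes'/'no', 'true')
    onto the Puppet-typed value in the map, so 'no' is not reported as drift
    from False.  Lists are normalized element-wise; other values pass through."""
    if isinstance(value, str) and value.strip().lower() in _BOOL_WORDS:
        return _BOOL_WORDS[value.strip().lower()]
    if isinstance(value, list):
        return [normalize(v) for v in value]
    return value


def check_compliance(compliance_map, current, exceptions=None):
    """Return one finding per mapped parameter, in parameter order.

    status is 'compliant', 'deviation', 'accepted' (a deviation covered by a
    recorded exception) or 'unknown' (no value on the node at all, which is
    deliberately never counted as compliant).
    """
    exceptions = exceptions or {}
    findings = []
    for param, rule in sorted(compliance_map.items()):
        finding = {"parameter": param, "identifiers": list(rule["identifiers"]),
                   "expected": rule["value"], "actual": current.get(param)}
        if param not in current:
            finding["status"] = "unknown"
        elif normalize(current[param]) == normalize(rule["value"]):
            finding["status"] = "compliant"
        elif param in exceptions:
            finding["status"] = "accepted"
            finding["comment"] = exceptions[param]
        else:
            finding["status"] = "deviation"
        findings.append(finding)
    return findings


def remediate(compliance_map, current, exceptions=None):
    """Simulate the next Puppet run: every unaccepted deviation or unknown
    value is set back to the mapped value.  Returns (new_values, reverted)."""
    new_values = deepcopy(current)
    reverted = []
    for f in check_compliance(compliance_map, current, exceptions):
        if f["status"] in ("deviation", "unknown"):
            new_values[f["parameter"]] = compliance_map[f["parameter"]]["value"]
            reverted.append(f["parameter"])
    return new_values, reverted


def report(findings):
    """Render findings as text lines: state, parameter, identifiers, values."""
    lines = []
    for f in findings:
        line = (f"{f['status']:>9}  {f['parameter']}  [{', '.join(f['identifiers'])}]"
                f"  expected={f['expected']!r} actual={f['actual']!r}")
        if "comment" in f:
            line += f"  # {f['comment']}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(report(check_compliance(COMPLIANCE_MAP, CURRENT_VALUES, EXCEPTIONS))))
    fixed, reverted = remediate(COMPLIANCE_MAP, CURRENT_VALUES, EXCEPTIONS)
    print("reverted on next run:", reverted)
    print("\n".join(report(check_compliance(COMPLIANCE_MAP, fixed, EXCEPTIONS))))
```

Running it prints the report before and after the simulated run: the root-login flip shows up as a deviation and is reverted, the faillock waiver stays visible with its comment instead of disappearing into a pass, and the cipher list with no value is reported as unknown rather than compliant, which is what you want when a Hiera key is misspelled and the setting is silently unmanaged.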

With SIMP’s COMPLIANCE MAPPER, I can now ensure compliance over time, and prove it with measures against regulations and procedures at any point in time. I can identify, validate, and comment on deviations from standards and regulations. All of this helps me do my job, which is not just checking boxes, but rather monitoring for continual compliance in all circumstances found in an operational environment.

About Lisa Umberger

Lisa is a Security and Compliance Engineer with 12 years' experience supporting the DoD as an Information Security Engineer specializing in Cloud Security. Lisa is a respected security engineer in high-security environments, and brings her expertise to the commercial market. Today, Lisa continues to increase her technical experience and knowledge, working as a Director and Security Engineer for Onyx Point Inc. In this role, she can be found contributing to policy mappings and policy review, incorporating agile and collaborative methodologies, advocating for DevSecOps workflow, and assisting clients in selecting and incorporating products in IT automation/security.

About Onyx Point

At Onyx Point, our engineers focus on Security, System Administration, Automation, Dataflow, and DevOps consulting for government and commercial clients. We offer professional services for Puppet, RedHat, SIMP, NiFi, GitLab, and the other solutions in place that keep your systems running securely and efficiently. We offer Open Source Software support and Engineering and Consulting services through GSA IT Schedule 70. As Open Source contributors and advocates, we encourage the use of FOSS products in Government as part of an overarching IT Efficiencies plan to reduce ongoing IT expenditures attributed to software licensing. Our support and contributions to Open Source are just one of our many guiding principles:

  • Customer First.
  • Security in All We Do.
  • Pursue Innovation with Integrity.
  • Communicate Openly and Respectfully.
  • Offer Your Talents, and Appreciate the Talents of Others.

compliance, simp, puppet
