If you’ve ever had to work in an IT shop bound by regulations and policies, you know how much of a hassle it can be to integrate new infrastructure and application components while maintaining a compliant posture.
2018 has barely begun and we’ve already been hit with significant bad news about cyber vulnerabilities. Among others already disclosed during the new calendar year, both Intel and VMware have announced that major cyber flaws have been discovered in their products. And, of course, attempts to fix these issues are having negative impacts on some common anti-virus products.
This is certainly not unique to these tech giants since barely a week goes by without some significant cybersecurity flaw or breach being uncovered. It’s safe to say that these disturbing reports will not be coming to an end anytime soon.
Although it may sometimes feel like it, this doesn’t mean that we should all throw our hands up about how hopeless the cybersecurity situation has become. We can only play the hands we’ve been dealt, and that requires continued efforts at locking down our systems with the many powerful tools we have at our disposal.
Cyber Hygiene Best Practices
Whichever tools you determine are appropriate for your security needs, none will be effective unless one first follows sound cyber hygiene practices. Among the most important of these is ensuring your underlying system adheres to the latest security best practices and is, at the very least, compliant with industry standards and government cybersecurity regulations. Breaches that are advanced by either willful or negligent disregard for these universally acknowledged best practices can be hard to explain – or forgive.
While best practice “table stakes” can be overwhelmingly voluminous and complex to implement and maintain, one does not have to go it alone. In many cases, it’s now possible to transition an existing DevOps platform to a best practices DevSecOps approach, then maintain systems compliance via automated self-healing Continuous Diagnostics and Mitigation (CDM) routines.
Open Source Help
A powerful Open Source offering now available to help address this is known as SIMP (Systems Integrity Management Platform). SIMP was originally developed within the US Intelligence Community to enhance their own ATO (Authority to Operate, federal-speak for C&A) and compliance efforts and is now available for anyone to leverage via GitHub. It only seems fair that we can take advantage of SIMP since it was our tax dollars that funded its development!
Currently riding on the open source DevOps automation technology known as Puppet, SIMP continually scans an environment (in either a development and/or production phase) and provides current system status against a range of cybersecurity benchmarks. Among these are NIST 800-53, NIST 800-171, FIPS 140-2, HIPAA, SOX, PCI-DSS, DISA STIG and others. SIMP can operate within either an on-prem and/or cloud environment and, should a vulnerability be found, can automatically apply remediation actions to immediately correct the flaw, or simply report this information back for further study and action.
With SIMP’s ability to enhance the C&A process, as well as help ensure systems remain compliant once deployed, an organization’s human IT assets can confidently turn their focus to other urgent cyber issues that require attention.
For more information on this Open Source tool, visit the SIMP project website at simp-project.com, or download it at github.com/NationalSecurityAgency/SIMP.
We're excited to announce the general availability of SIMP Fundamentals training! The three-day course covers the principles and practical knowledge to assist you in customizing and maintaining the SIMP framework. Our first offering is scheduled to begin February 27th, 2018.
Register now, only 15 slots available!
For the past year I have traveled all over the country to different technology events and conferences. This past weekend I found myself in Charlotte, NC at the Southeast LinuxFest, or SELF. This is what I would call a grassroots event made up of a variety of technical people from all industries and all walks of life. And you know what?! I love this event! I met a retired military man in his 60s who pen tests with the best of them. I met someone else who builds cars for a living and spends his free time on his passion: Linux. The event staff are friendly, accommodating, and very appreciative of support.
SIMP (System Integrity Management Platform), powered by Puppet, is designed to establish and operate consistent state infrastructures. Too often, I hear organizations debate over whether to use Puppet or Ansible. This debate may be fueled by a team’s desires to reduce cost, the comfort and knowledge of staff, and a move to consolidate tooling in a given stack. My position is, why not both?
SIMP 6.0.0 is available for download. In this unified release, you can simply run SIMP 6.0, whether you have Red Hat 6 or 7. This release fully supports Puppet 4 and integrates better with Puppet Enterprise. Please see the Changelog for the relevant release information.
New and existing Government customers can now purchase both SIMP+SUPPORT and professional consulting services through GSA Advantage. This is a convenient and discounted purchasing option for our US Government customers, at 4% off of our commercial rates.
On November 28th, Onyx Point’s offer to the U.S. General Services Administration was accepted for final award under GSA IT Schedule 70 (GENERAL PURPOSE COMMERCIAL INFORMATION TECHNOLOGY EQUIPMENT, SOFTWARE, AND SERVICES). This contract, GS-35F-086GA, is a five-year agreement between Onyx Point, Inc. and the GSA to offer goods and services to government customers at a discounted rate from published commercial pricing. Our company President, Jay Stoner, notes “The award of our GSA contract marks a significant milestone for Onyx Point, as it allows us to better serve existing and future customers by offering our goods and services to the broader government community at a discounted rate. This award is the culmination of months of hard work by our employees and we are grateful for their efforts. We’re excited by this opportunity and look forward to working with the GSA.”
As an IT security professional, one of the biggest challenges I face is determining whether the system I am responsible for meets the applicable compliance requirements. I’m not talking about meeting them to pass a compliance audit, but actually meeting them on a continual basis, under all circumstances. When my System Admins need to troubleshoot, I want the system to be compliant. When an upgrade is made, I want the system to be compliant. I want the system to remain compliant and ensure that a means is in place to easily demonstrate that compliance to me.
SIMP and its product steward, Onyx Point, Inc., were sponsors of PuppetConf 2016. This year’s premier IT automation conference was held in San Diego, California and highlighted product releases and improvements, technical break-outs, and security tracks to unite DevOps professionals over common interests and challenges.
The release of SIMP 6.0.0 Alpha is now available for community test and feedback. This release uses Puppet 4, which is distributed as a single RPM by the Puppet all-in-one (AIO) installer. Starting with 6.0.0, the SIMP version numbering scheme will follow Semantic Versioning 2.0.0. SIMP 6.0.0 will support all operating systems under that numbering scheme moving forward.
Here are some items of note about this release:
I’ve been tossing around the idea of improving the User Experience of SIMP. Part of that process has been trying to decide what that actually means. I believe good UX is really about trust. We start to trust ideas based on conversation about them. I believe the best user experience would come from a conversational system.
Configuration Management and Server Management have always gone hand-in-hand for me. In the beginning of my career, I was fortunate to learn Puppet and Linux at the same time which engaged me with both development and operational disciplines. This was my introduction to DevOps.
We are looking forward to PuppetConf 2015 this week. Add “SIMP: A Flexible Compliance Automation Framework” to your agenda! ‘trevor_vaughan’, Onyx Point Vice President, will be covering the basics and answering any questions you have about this open source compliance automation initiative. You can catch him on October 9th at 2:30pm in room B-113. For additional information, please view the full conference schedule.
Onyx Point Vice-President and co-founder, ‘trevor_vaughan’, will present The Systems Integrity Management Platform (SIMP) to the IT automation community at this year’s PuppetConf.