In a couple of earlier blog posts, I wrote an article about what characteristics would make a CMDB suitable for a “modern” DevOps-like environment. The first article talked about what characteristics one would like in such a CMDB. The second article evaluated the Assimilation Suite in terms of those characteristics. This article discusses how a CMDB can improve your security posture.
In today’s blog post, I’d like to do something similar – but looking at a CMDB from a security perspective. That is, this blog post is the first part of a discussion of what a security-oriented CMDB ought to look like and how it can improve your security posture.
To start this analysis, it’s good to start from the beginning – the three pillars of IT security: confidentiality, integrity, and availability. As you will see, a modern CMDB has the possibility of assisting with all three pillars.
A CMDB can improve your security posture
First and foremost – you cannot protect what you do not understand.
You cannot protect what you do not understand
Imagine trying to provide security for a college campus without an accurate map of the buildings, the routes between them. Of course from a security perspective, you’d want to know the number of doors and windows on each building and the paths and routes between them. Yet, without a detailed and up-to-date understanding of your environment in one place, that’s what many organizations try to do. Having a CMDB creates the possibility of having such a map – and all in one place.
Sun Tzu’s thinking on this subject is relevant “If you know your enemies and you know yourself, you will not be imperiled in one hundred battles”.
If you know your enemies and you know yourself, you will not be imperiled in one hundred battles”.
What your CMDB should do for you is help you understand yourself and what you’re protecting – at the appropriate level of detail – from a broad overview zooming in to excruciating detail.
I like Guurhart’s analysis on Peerlyst of what he wants it to help with – speed up incident response and compliance efforts. These address the first two pillars of IT security – confidentiality and integrity. To complete the picture I would add availability to his list, The idea of monitoring systems and services and have the ability to tell you instantly which services were not being monitored. Of course, having accurate up-to-date data always helps with security automation – which is key to all the security pillars.
With the proper design from the ground up, a modern real-time CMDB has the possibility of doing this. Of course, the data has to be complete, detailed, up to date, and require minimal effort to keep it that way. That’s the challenge.
In my next article on this subject, I go into all these things in more detail – and then hopefully follow up with an analysis of how well the Assimilation Suite fits these characteristics – or not. When all is said and done, it will be clear how the right CMDB can improve your security posture. In the third article in this series, I compare the Assimilation System Management Suite to the SOCMDB criteria I described.