In a previous blog post, I outlined the characteristics of a security-oriented CMDB (SOCMDB). In this article I give my somewhat-biased view of how well the Assimilation System Management Suite CMDB meets the criteria of an SOCMDB – answering the question – “How useful is the Assimilation CMDB for security?”.
How useful is the Assimilation CMDB for security?
In that previous article I covered both the criteria for measuring a SOCMDB, and why it’s important. Those of you who know me, are completely unsurprised that I’d want to compare it against those criteria – similar to how I compared it against DevOps criteria in an earlier article. So, here’s my personal take on how it matches the security-oriented CMDB characteristics outlined previously. In the next two sections, I use two different symbols: 🗹 is used to mean full compliance with the SOCMDB criteria, and 🗸is used to mean falling short of full compliance with the SOCMDB criteria we listed in the previous article. The absence of either symbol means that we don’t offer any capabilities in the area.
Here’s how we compare to the SOCMDB criteria from before:
- 🗹 Discovery-based. Everything in the Assimilation database is discovered. There is no manual effort required to either create or update this data.
- 🗹 Up-to-date – near real time. The Assimilation Suite keeps data in the database up to date within a few minutes in most cases.
- 🗹 Automated. The Assimilation Suite automatically updates all data in our CMDB as part of our fully automated continuous discovery process. Our APIs also make it easy to integrate our system with your other automation tools and workflow.
- 🗹 Integrated with compliance rules. The Assimilation suite implements compliance rules which are immediately evaluated when security-sensitive data changes in the infrastructure. These rules are fully customizable and extensible.
- 🗹 Highly extensible. All aspects of the Assimilation discovery, monitoring and compliance rules are easily extended. Moreover, since the Assimilation software is open source, this allows for the ultimate in extensibility. Basing our data storage on a schemaless database (like Neo4j) makes this extensibility natural.
- 🗹 Highly scalable. The system is architected to scale into the 100K server range. We have designed a secure custom protocol to support this goal. A nice side-effect of making it scalable is that it is extremely light on the network and does not create any central-server network hot spots.
- 🗹 Integration with monitoring systems. The Assimilation Suite fully integrates built-in server and service monitoring. This allows us to answer questions like “What services am I providing, but not monitoring?” as a quick query. Performing both discovery and monitoring in the same infrastructure is natural and straightforward. Integrating the monitoring with discovery means you never have to configure monitoring by hand – it happens automatically as a result of Assimilation discovery.
- 🗹 Must not set off network security alarms. None of our current discovery activities communicate over the network. Pings and port scans are never performed. The only communication we perform are heartbeats and communications over our port back and forth to the central server.
- 🗹 APIs to trigger external events when things change. Our infrastructure is oriented towards reporting changes. Every change in configuration or status triggers reporting back to client applications through our event API.
- 🗹 Relationships are first-class citizens. Our database is the Neo4j graph database – which supports relationships as first-class citizens.
- History of changes. This is an area where we fall significantly short of the ideal. Although the Assimilation Suite currently observes all the changes in the system in near-real-time it does not yet record this historical view. This is one of the areas where we have an open enhancement request.
- 🗸Tracking and reporting. We are partially compliant with the kinds of tracking and reporting mentioned. We provide reports on compliance issues, including triage-oriented reports that help you understand where you should put your effort to get maximum effect – along with numerous other reports. However, we don’t directly provide reports on unpatched vulnerabilities. For any given package, we can tell you what version you have on each machine, but do not yet know which of those are vulnerable.
- 🗹 Security Posture Score. We create and keep up to date a security posture score to permit tracking of your security posture over time. This score is aggregated across servers and also across security configuration domains, and provides information regarding how to approach improving your security in the most cost-effective way.
- 🗹 System administrator friendly. Installation of the tools is straightforward, and they do not require complex configuration. Since everything is driven by discovery, there is near-zero configuration to install and update the systems over time. In addition, the information we maintain is highly useful to system administrators and can completely replace Nagios-like monitoring systems – reducing their overall workload.
- 🗹 Secure. Although it’s well-known that security is not a binary quantity, the Assimilation system has been designed from the beginning with security in mind. This includes incorporating public key encryption into the custom communications protocol at a very low level.
- 🗹 Detailed. This area is one in which we are unusually strong. The original blog post had a large number of configuration items which were examples of the kinds of things which were key to validating security compliance – including visualizing your attack surface. All of those items except for those about database configuration are captured in our current database – since those have to be discovered separately for each database vendor. As noted earlier, it is straightforward to discover new security-related configuration items.
Although a certain amount of bias in my evaluation of the Assimilation Suite is inevitable, I believe the previous article was a reasonable set of criteria, which quite a few people found to be reasonable. Since these modern security-related criteria went into the design of the Assimilation CMDB and its features, it is not surprising that it meets those characteristics well. In answering the question – “How useful is the Assimilation CMDB for security?” – the answer is it’s a great tool to have in your security toolbox.