Configuration Management,

Policies and Procedures

Don Petravick
Computer Security Awareness Day.
Sept 29, 2009
So whats configuration management?
Its a field of management that focuses on establishing
and maintaining consistency of performance over a
lifecycle.
What kind of performance are we here to talk about?
Performance related to the labs policies.
Policies of interest:
Security, Greenness, Licensing.
What changes over the lifecycle of a computer?
Much change is centered around Installed software and
the softwares configuration
So that is our focus.



True It Up
Prohibited: Violation of license and other computer
related contract provisions, particularly those that expose
the laboratory to significant legal costs or damages.
Use case:
Vendor A sells licensed software at a modest cost per
computer.
No one user thinks procurement is significant
Procurements are ad hoc.
One day, the Lab is informed the vendor would like to true up
the license costs.
Vendor produces an estimate of a very high level of use of the
software.
Fermilab must produce an accurate inventory of installed copies
on all of its machines.
Secure It Up
Fermilab GCE controls states that all desktops and
personal workstations will display a screen saver
requiring a password after designated timeout*
Naively, a person may feel this setting is solely
governed by their own preference, and alter the
configuration.
However, Auditors walk about the site at night,
looking at desktops, find unlocked machine
*unless there is a recognized compensating control


Green It Up
Emerging Policy (from Draft):Utilization
Computing assets will be operated in an
energy efficient manner ... In particular,
procedures define standards for power
management of monitors, laptop displays and
processing units, and resource utilization
standards for printers. Computers that are
managed by Fermilab will have these
standards automatically applied.
Forget configuration management,
What is this all about?
The lab as a whole aspires to high standards
for the security of every machine at the
Laboratory.
This is hard to achieve without focus.
An organized approach is the surest way to
achieve and sustain overall high performance.
The Lab makes a plan, and works to the plan.
Plan must be expressed in a standard framework.
The plan has to be rooted in modern technical culture
Usual techniques, and skill sets. (so we can staff it up_
Is organizationally defensible (separation of roles)

Outside scrutiny includes
Auditors and Data Calls
Measure whether the lab works to its plan.
Need to grasp what we are doing.
Plan needs to be coherent.
Presented in a framework they understand.
There are conventions we dont get to invent.
Auditors sample the population of things governed by
the plan and draw general conclusions.
how you do anything is how you do everything
Because of the small sample, even single breaches seem to
be indicative of failing to work to the plan.
Lab as a whole is held accountable
Saying we will all try hard in our own way is a
non-starter.
Seen as an indication of whether lab can work to
a plan.
It can be very hard to hold individuals
accountable.
Configurations are detailed.
Do we really want to discipline someone because (say
the directors, or your) screen saver settings were
fumble-fingered?
So the Usual and Expected Direction is
To adopt a structured approach.
To the extent possible remove detail-oriented
accountability from the end user and into a
specialized function.
To define the processes used by that function.
So that they can be continually improved.
It is recognized that a structured approach
reduces flexibility.
This causes stress and tension in the technically
able.
Deming Cycle : PDCA
Execute
the plan
Make plans
And policies
See how well we are secured
Consider everything, figure out what to adjust
The High Level
Specify a process framework to figure out
What needs to be controlled.
How to specify the configuration of controlled
items. should-be
How to deal with exceptional needs.
Monitor: as-is == should-be
Make as-is == should-be
Status: work to realize this has begun under
tune-it-up.
What Needs to be Controlled?
Policy Controls Everything.
Additional Emphasis and Scrutiny for:
Things of central concern
Platforms of significance.
Where the lab is somehow accountable, even for
lapses which seem insignificant to some.
Currently:
Computer security
Greeness.
Two Kinds of Baselines
Global:
Example -- All computers must be secured.
The baseline specifies necessary things, shalls.
If you cannot do what the baseline specifies, then there
must be a compensatory control.
Recognized via variance process.
Statistical:
Example n% of computers will be green.
Variance process can grant relief for 100% - n%.

Configuration layer cake
Constrained by policy>
Constrained by policy>
Constrained by policy>
<Constrained by Baseline
<Constrained by baseline
< Constrained by Baseline
< Constrained by baseline
Configuration Element Attributes
Attribute Example
Unique ID
Name Auto login not allowed
Required value GDM=?, KDM=?, XDM=?
Justification Security
Compliance Test Check GDM,KDM,XDM config files
How to comply
Enforcement action Become blocked
Grace period 1 day
CIO Delegates Management of
Baseline to an Organization.
Process: Role: CIO
Determines the number and kind of baselines.
Determines the concerns controlled by the
baselines.
Authorizes the construction/update and
retirement of baselines.
Determines the organizational unit responsible for
managing the baseline
Provides guidance to baseline projects in the areas
of law, regulation, lab contract, and other external
constraints.

Process: Role: Baseline Manager
Monitoring that the baseline achieves its purpose
Monitoring external triggers indicating a need to
update the baseline.
Running the continuous baseline lifecycle processes.
verify, announce, enforce
Initiating and running the non-continuous baseline
lifecycle processes as needed.
Compose/update, approve, communicate, deprecate,
grant variance
Recommending to the CIO that a baseline should be
deprecated.
What the role of Major and Minor
Applications?
Policy governs everything.
The baseline process governs systems in the
enclave that do not have major or minor
application plans.
Major and minor plans are formal security
plans for systems that have stronger security
requirements than provided for in the
enclaves.
These often refer to the security baselines
What does this mean to me?
U1 I just want my computer taken care of
Be aware that the the level of monitoring of your
computer will increase, and be agent-based.
Be aware that the level of active management will
increased, and will become agent based.
U2 I want to take care of my computer
The lab will consider all business needs for
distributed and self administration.
See U1.


Summary
Confg Mgt? Sustain the perforamance of a
system.
What kind of perf? Perf of concern.
FNAL is implementing a process framework for
specifying necessary security configuration, along
with a variance process, for concerns and
software of significance.
Security admin is complex and is done centrally.
As framework matures, it will be backed by
sensing and control agents on computers