The security of an application environment should be well defined. In this video, you’ll learn about establishing, deploying, and maintaining security baselines.
When an application is deployed, we have to think about all of the security that is associated with using that app. That means there are security settings in operating systems, on network devices, and in practically every other component used by that application. And we have to make sure that we’re using the best practices for that security. For example, we might need to configure certain firewall settings to make sure that the application is as secure as possible. We might want to include patch levels and make sure that our application is up to date. And of course, the underlying operating system also has to be secure.
Each time this application instance is deployed, we need to make sure that all of these security baselines are also deployed along with it. So we need to make sure that we constantly check that these security baselines are still in place and are still protecting the application instance. If we perform this check and find that there are parts of the application instance that are not following these security baselines, we need to put a plan together to correct those as soon as possible.
You’ll have to start with creating this set of security baselines. Fortunately, you don’t have to do this on your own. Many manufacturers have already created a foundational security baseline that you can modify and change to meet the needs of your organization. For example, you can contact the developer of the application, and they can provide you with a baseline that they’ve created.
This would probably involve permissions of files that are stored on the file system and configuration settings within the application itself. Or you can get information from the operating system manufacturer. So you can go to Microsoft and get information about their security baselines. And if you’re using any purpose-built appliances, those manufacturers may also be able to provide you with additional security settings.
When you start building that initial security baseline, it can almost be overwhelming. There are many different settings that may need to be configured. If you look at Microsoft Windows, within Windows 10, there are over 3,000 group policy settings alone. Fortunately, only a subset of those are used for security purposes. The Microsoft website includes a series of security baselines for Windows operating systems and Windows Server. And they even include tools that you can use to help deploy them. They refer to this as the Security Compliance Toolkit, or SCT.
You’ve now compiled this list of security settings that will be associated with the application, the operating system, and any other part of the application instance. Now it’s time to deploy those settings to all of those different components. Sometimes you can do this through a central console, like the Microsoft Security Compliance Toolkit. But other settings may require additional applications or additional processes. You might have to push things out through Active Directory group policy, or you might have a separate MDM that pushes out security settings to your mobile devices.
For security baselines that are as large and complex as these, you’ll want some type of automated process to make this easier. This would allow you to deploy these baselines very easily to hundreds or even thousands of different devices. Fortunately, many of these security baselines are best practices and would rarely change. So once you deploy them, your job is effectively done. But there will be times when you may need to update the security baseline.
Maybe there’s a new vulnerability that’s been discovered and it affects a certain application or certain operating system. Or maybe the application itself has been updated, and you’ll need to make changes to the configuration to keep that security baseline current. Or you may install a completely new operating system, and that will require a completely new set of security baselines. And there may be times when one manufacturer’s baseline conflicts with what another manufacturer would like to use. So you may have to look at both of those and determine which one is the better baseline for this particular application instance.
So you may find yourself testing these baselines prior to the deployment. And then, once they’re deployed, you may need to audit them to make sure that those baselines remain in effect.
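The conflict check and the audit described above can be sketched as follows. This is an added example, not part of the original video or any vendor's tooling; the setting names, baseline values, and host state are constructed for illustration.

```python
import operator

# Constructed sample baselines; setting names and values are hypothetical.
OS_VENDOR = {"firewall.inbound_default": "block", "os.patch_level": 202406,
             "tls.min_version": "1.2"}
APP_VENDOR = {"firewall.inbound_default": "block", "app.config_mode": 0o640,
              "tls.min_version": "1.0"}
# Constructed state collected from one application instance.
HOST = {"firewall.inbound_default": "allow", "os.patch_level": 202407,
        "app.config_mode": 0o644}

# How each setting is compared; anything not listed must match exactly.
CHECKS = {
    "os.patch_level": operator.ge,                          # at or above baseline
    "app.config_mode": lambda got, want: got & ~want == 0,  # no extra permission bits
}

def merge_baselines(sources):
    """Return (settings all vendors agree on, conflicts left for a human to decide)."""
    seen = {}
    for vendor, baseline in sources.items():
        for key, value in baseline.items():
            seen.setdefault(key, {})[vendor] = value
    merged = {k: next(iter(v.values())) for k, v in seen.items()
              if len(set(v.values())) == 1}
    conflicts = {k: v for k, v in seen.items() if k not in merged}
    return merged, conflicts

def audit(host_state, baseline):
    """Return one finding per setting that is missing or out of baseline."""
    findings = []
    for key, want in sorted(baseline.items()):
        if key not in host_state:
            findings.append((key, "missing", None, want))
        elif not CHECKS.get(key, operator.eq)(host_state[key], want):
            findings.append((key, "drift", host_state[key], want))
    return findings

if __name__ == "__main__":
    merged, conflicts = merge_baselines({"os_vendor": OS_VENDOR,
                                         "app_vendor": APP_VENDOR})
    for key, values in conflicts.items():
        print("conflict:", key, values)
    for finding in audit(HOST, merged):
        print("finding:", finding)
```

Conflicting settings are deliberately kept out of the merged baseline until someone decides which vendor's value applies to this application instance.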