Ask yourself this question.
Most of the time when we talk to a potential client or partner about configuration management, they immediately start to counter with “what they already have in place”. Usually their approach is to shore up what they already know are fundamental cyber security problems by buying more shiny new technology that will fix the issue. If they get “more” they eventually can fix the issue, is the thinking. It’s wrong, but it’s the most common issue we have to address.
But what if we change that first response and instead get them to ask these two questions?
What about how I am approaching the problem is fundamentally different than the thousands of other organizations that have failed here? And is my approach and my technology more viable and more technically capable of limiting the risks that I know I will face?
Think of it this way.
What happens if we don’t deal with the most fundamental flaw in cyber security, how a system is deployed?
There’s a famous story about an auto mechanic talking about an engine repair that could have been avoided if the owner had replaced his oil filter.
The mechanic says:
“You can pay me now, or you can pay me later.”
Or there is the quote from the electrician who is looking over a scorched home’s still smoldering skeleton. The electrician says “I guess you never fixed that electrical issue, too late now.”
Neither of those individuals is particularly helpful but it’s easy to understand their logic.
Those quotes apply well to configuration management in the cyber arena.
Should you choose the path of ignorance and accept the risks that poorly configured systems bring into infrastructures, you will likely avoid the up-front costs associated with configuration management. However, you will likely pay in the future through:
- Manual effort (possibly months or years) to determine which system components should change when requirements change.
- Failed implementations because your project’s requirements changed, and you didn’t communicate the changes to all parties, which introduced more misconfigurations and added risk.
- Lost productivity by replacing system components with flawed new versions.
- Unexpected outages from incorrectly modifying system components.
Configuration management is included as a key systems engineering practice because it works! It prevents costs before you incur them and helps IT stop firefighting. Moreover, good systems engineers have learned, through practical experience, that it pays for itself many times over. Configuration errors can open up security vulnerabilities, and they can introduce incompatibilities that result in service outages. Minimizing configuration errors can help to make IT staff more efficient and reduce those outages.
Although configuration management is receiving more attention, it’s still not on par with many of the “hot,” bleeding-edge technologies. However, it is one of those basic workhorses that can have a significant positive effect in IT management. In any case, configuration management is a good place to start developing internal IT processes if you haven’t already.
By using automation combined with configuration management, it’s easier to build in checks and redundancies across your systems and infrastructure. This helps to reduce the potential for omissions due to human error and improves the accuracy of keeping assets in the desired state.
Without automation as part of that configuration management approach, a single engineer forgetting to update a piece of software can leave a system with an outdated version of the software that is potentially vulnerable. That vulnerability could be exploited to spread computer viruses, launch exploits, or install ransomware on your systems or your customers’ systems if they are connected.
The lesson to learn is simple: Fix the problem now and minimize the future damage, or wait and suffer later! The intelligent approach is to use configuration management, which helps you better focus on fire prevention, not firefighting.