
Implementing and Managing a CMDB: Security and Compliance Considerations


As the pace of business change accelerates, configuration management databases (CMDBs) are becoming more important. Next-generation CMDBs auto-discover all hardware, software, and virtualized assets across hybrid cloud infrastructures and trace dependencies between resources, applications, and the business processes they support. IT and security teams use these insights to plan network growth, optimize operations, improve IT service management, and so much more. However, CMDBs can also support compliance efforts. Regulatory teams can use data and processes to demonstrate how companies and systems meet a wide array of industry controls and other requirements. To accomplish these goals, CMDBs must be both secure and compliant. 

Understanding CMDB Security and Compliance 

So why are IT operations managers concerned about security and compliance in the context of CMDBs? CMDBs should be secure by design, offering stringent access controls and layered security to protect valuable asset data. They should also deliver insights that enable better security, such as creating holistic, real-time visibility into all assets; revealing their configuration and change status; and providing data that enables firms to optimize key processes and quickly address urgent concerns.

Next-generation CMDBs help meet compliance requirements by providing granular data on all configuration items (CIs). They:

  • Offer a real-time view of all assets and their status, wherever they are located
  • Reveal dependencies, enabling enterprises to develop a risk-based view of their business processes 
  • Register and track all users and actions performed throughout device lifecycles
  • Provide on-demand reporting that can be used as an audit trail for all actions performed on devices
  • Deliver data that helps ensure compliance with internal audit, customer data protection requirements, and industry and government regulations
  • Ensure compliance with vendor software licensing requirements, when integrated with IT asset management solutions

CMDBs are commonly used to comply with the following controls and regulations:

  • The 18 CIS Critical Security Controls – The CIS Controls require that organizations inventory and control all assets, enhance data protection, enable secure configurations, enforce access controls, reduce vulnerabilities, log events, and improve incident management, among other objectives.

    CMDB data helps strengthen all of these processes by auto-discovering all assets, tracking changes and configurations, integrating with IT service management (ITSM) platforms, and providing a living record of all actions taken with devices.
  • Federal Information Processing Standard Publication 140-2 (FIPS 140-2) – FIPS 140-2 is a computer security standard developed by the U.S. government that is used to approve cryptographic modules. The standards cover how to securely design and implement these modules, including developing specifications; ports and interfaces; roles, services, and authentication; a finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility; self-tests; design assurance; and mitigation of other attacks.

    This is a major effort beyond the scope of a CMDB. However, modern CMDBs offer SSL certificate auto-discovery, including cipher data. Customers can use the CMDB to audit their entire SSL certificate deployment for FIPS 140-2, providing evidence that these certificates are valid and up to date.
  • Federal Risk and Authorization Management Program (FedRAMP®) – FedRAMP is a federal program that enables cloud service providers (CSPs) to certify that their cloud service offerings (CSO) are secure, so that they can sell them to government agencies. Providers can choose to get authorized by the Joint Authorization Board or by an agency. The authorization path includes an optional, but recommended readiness assessment and a full security assessment. CSPs must determine the security categorization of data in their CSO as well as be able to answer questions about its functionality, system architecture, authorization boundary, data flows, security capabilities, and controls.

    CSPs can use CMDBs to provide information about devices, applications, and data flows as well as show that they maintain compliance with other relevant regulations.
  • General Data Protection Regulation (GDPR) – The GDPR imposes stringent controls over the use, processing, and storage of data of residents of the European Union and European Economic Area. Covered organizations must document why they are processing data, limit its collection, and implement privacy by design with all technology. In addition, data transferred out of covered areas is subject to key requirements.

    CMDBs provide a record of all devices, their location, and the applications and processes they support, making it easier to track and trace data flows and ensure compliance with this regulation.
  • Health Insurance Portability and Accountability Act (HIPAA) – Organizations that collect and use U.S. consumer healthcare data must comply with the HIPAA Privacy Rule, abiding by standards to protect certain health information, and the HIPAA Security Rule, standards that govern how this data is held or transferred in electronic form.

    CMDBs help IT teams gain a complete picture of all resources and their current state, plan configurations and changes to improve their health, identify and mitigate risks, and provide an audit trail of all actions.
  • International Organization for Standardization (ISO) 27001 – According to the ISO website, “ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.” To comply with this standard, companies must demonstrate that they have a system to manage data security risks and that it adheres to ISO best practices and standards.

    ISO 27001 requires that enterprises assign risk owners to every IT asset. CMDBs help IT teams accomplish this objective by auto-discovering all assets, enabling teams to assign and track risk owners across hybrid cloud infrastructures, providing detailed resource impact charts, mapping dependencies, and highlighting downstream impacts of service interruptions.
  • Payment Card Industry Data Security Standard (PCI DSS) – The PCI DSS provides technical requirements that credit and debit card payment processors must meet to ensure the compliance of their data security programs. Covered organizations must conduct a vulnerability and readiness assessment and meet 12 different requirements in six categories. They must build and maintain a secure network and system; protect cardholder data; maintain a vulnerability management program; implement strong access controls; monitor and test networks; and maintain an information security program.

    Modern CMDBs map application dependency affinity groups and business applications; discover all necessary and custom software, services, ports, and protocols; inventory all certificates and encryption keys; display asset vulnerability information; and discover all POI devices and wireless access points. In addition, CMDB data and reporting can be used to meet PCI requirements to document all processes in scope every 12 months or when major changes are made.

Read our blogs:

ITIL Change Management: Streamlining Processes to Ensure Successful Change Implementation

Device42 Can Help You Audit Certificates for FIPS-140-2 Compliance

Do a deeper dive on ISO compliance:

ISO 27001 Compliance

Common Security Risks with CMDBs

To improve enterprise security and compliance, CMDBs must have trustworthy data. Here are some common security risks that could harm the ability of CMDBs to serve as the single source of truth on configuration item (CI) data.

  1. Risk #1: CMDBs have insufficient controls: CMDBs provide incredibly valuable insights about enterprise assets: where they’re located, what applications they support, and how they are maintained. Attackers who gain access to this data can exploit it by looking for weak points in network defenses. As a result, CMDBs should enforce security best practices such as least privilege, role-based access controls, and data encryption. Security teams should also be on the alert for anomalous behavior that could indicate unauthorized access or unapproved actions.
  2. Risk #2: CMDBs may have inaccurate or incomplete data: If CMDBs have incomplete or inaccurate data due to manual processes or poor maintenance, IT teams may make decisions that erode enterprise security over time. This can include not identifying and maintaining all devices, such as shadow or zombie resources. Or it may mean failing to retire end-of-life devices proactively, which lose support and become significant security risks. 
  3. Risk #3: Enterprises don’t have a standardized change management function: If IT teams don’t use codified processes, such as ITIL 4, to plan, communicate, and manage changes and configurations, those processes will quickly become disjointed. It’s likely that devices will go unconfigured or misconfigured and that needed changes won’t occur. Ad hoc change processes increase IT complexity, introduce chaos into service management processes, and create growing gaps and vulnerabilities.
  4. Risk #4: Patches aren’t consistently applied: CMDBs may provide detailed insights into device status, but if teams don’t consistently apply patches, vulnerabilities will accumulate. There are more than 900 currently known exploited vulnerabilities published on the Cybersecurity and Infrastructure Security Agency (CISA) website, and the list is updated all the time. Despite this reality, less than half (47%) of organizations apply patches immediately, while 28% do so monthly or less frequently.

Nearly 1 in 2: Some 42% of data breaches were caused by a known but unpatched software vulnerability, meaning that they could have been entirely avoided. Source: Ponemon Institute/IBM

  5. Risk #5: APIs aren’t proactively managed: Enterprises have thousands of application programming interfaces (APIs) that share data across applications internally and externally with partners. Yet, surprisingly, these important tools are often not proactively managed, despite the evident risk they create. Hackers prefer to leverage easy entry points to the network, which is why API risks are growing. Gartner predicts that APIs will be the top attack vector in 2023 and that by 2025, more than half of all data thefts from enterprise web applications will be due to insecure APIs.

    Examples of API data breaches include T-Mobile’s loss of 37 million customer records due to a single unsecured API. Similarly, a Twitter hack resulted in the loss of personal data on 235 million users; LinkedIn, records on 700 million users; Facebook, information from 530 million users; and the list goes on. What makes API threats so deadly is that they transmit data at scale. So, instead of gaining access to a single database or application, hackers can often access sensitive data on most or all of a company’s customer or user base.
  6. Risk #6: Not integrating with other tools: CMDBs are made to share data with other tools, such as IT asset management (ITAM), data center infrastructure management (DCIM), and IT service management (ITSM) platforms. By failing to integrate their CMDBs with other enterprise tools, IT teams lose the opportunity to use CI data to identify and remediate issues and continuously improve processes. The resulting risks can include software licensing violations, device performance issues, and disabling outages.

“Through 2024, 99% of organizations using CMDB tooling that do not confront configuration item (CI) data quality gaps will experience visible business disruptions.” Source: Gartner.
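The data-quality gaps in Risk #2 and the unpatched known exploited vulnerabilities in Risk #4 are both things a team can check mechanically once the CMDB export is trustworthy. The following is an added example written for this page, not Device42's own code or API: it runs a missing-owner, stale-discovery, end-of-life and known-exploited-vulnerability check over a constructed CI export. The CI records, the vulnerability entries, the `fixed_version` mapping and the CVE identifiers are all constructed placeholders; in practice the CIs would come from the CMDB's export or API and the vulnerability list from the CISA KEV catalog plus vendor advisories.

```python
"""
Data-quality and known-exploited-vulnerability checks over a CMDB
configuration-item (CI) export. Illustrative code for this page; the
records, the vulnerability feed and the CVE ids below are constructed.
"""
from datetime import date

# Constructed CI export (assumption: these fields exist in the export).
CI_RECORDS = [
    {"name": "web-01", "owner": "app-team", "last_seen": "2024-05-01",
     "eol": "2026-01-01", "software": {"nginx": "1.24.0"}},
    {"name": "db-02", "owner": "", "last_seen": "2024-01-15",
     "eol": "2023-12-31", "software": {"postgres": "13.4"}},
    {"name": "fw-03", "owner": "netops", "last_seen": "2024-05-02",
     "eol": "2027-06-30", "software": {"vendorfw": "7.0.1"}},
]

# Constructed vulnerability feed. The real CISA KEV catalog lists
# vendor/product/CVE; the fixed_version column is an assumed mapping a
# team would maintain from vendor advisories. CVE ids are placeholders.
KEV_ENTRIES = [
    {"cve": "CVE-XXXX-PLACEHOLDER-1", "product": "nginx", "fixed_version": "1.25.0"},
    {"cve": "CVE-XXXX-PLACEHOLDER-2", "product": "postgres", "fixed_version": "13.5"},
]


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of integers.
    Non-numeric components compare as 0 (simplifying assumption)."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def audit_ci(ci, kev_entries, today, stale_days=30):
    """Return the list of findings for one CI (an empty list means clean)."""
    findings = []
    # ISO 27001 point from the page: every asset needs a risk owner.
    if not ci.get("owner"):
        findings.append("no risk owner assigned")
    # Risk #2: a CI discovery has not seen recently may be a zombie
    # resource or a device that left the network without being retired.
    age = (today - date.fromisoformat(ci["last_seen"])).days
    if age > stale_days:
        findings.append(f"not seen by discovery for {age} days")
    # Risk #2: end-of-life devices lose vendor support and patches.
    if date.fromisoformat(ci["eol"]) < today:
        findings.append("past vendor end-of-life")
    # Risk #4: installed software below the version that fixes a
    # known exploited vulnerability.
    for entry in kev_entries:
        installed = ci["software"].get(entry["product"])
        if installed and parse_version(installed) < parse_version(entry["fixed_version"]):
            findings.append(
                f"{entry['product']} {installed} is below fixed version "
                f"{entry['fixed_version']} ({entry['cve']})"
            )
    return findings


def audit_inventory(records, kev_entries, today, stale_days=30):
    """Map each CI name to its findings so the result can feed a report or ticket."""
    return {ci["name"]: audit_ci(ci, kev_entries, today, stale_days) for ci in records}


def run_audit(reference_date="2024-05-03"):
    """Run the checks over the constructed inventory as of a fixed date
    so the result is reproducible."""
    return audit_inventory(CI_RECORDS, KEV_ENTRIES, date.fromisoformat(reference_date))


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {'; '.join(findings) if findings else 'clean'}")
```

Each finding maps to a control the page names (risk owner for ISO 27001, stale and end-of-life CIs for Risk #2, unpatched software for Risk #4), so the output can be routed straight into the change process rather than read as a one-off report.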

Best Practices for Securing a CMDB

The good news is that it’s comparatively straightforward to secure a CMDB. Here are some tips to securely deploy and use Device42, a modern CMDB.

  1. Change all default credentials: CMDBs come with default credentials that need to be immediately changed upon deployment. For Device42, that means changing system console user credentials, web GUI admin users, and appliance manager credentials.
  2. Practice good password hygiene: All users should create cryptographically strong passphrases, using letters, capitalization, numbers, and symbols to make them more difficult to guess.

    In addition, Device42 provides a built-in password vault, where all secrets are protected with AES-256 encryption. We also recommend using “burnt secrets” whenever possible. This means storing passwords and designating them as unretrievable.

    We further advise creating custom groups to limit the number of users who can view secrets. Passwords can also have individual permissions set to further restrict who can view, edit, or use them.
  3. Restrict access to the CMDB: As with other solutions, IT teams should use role-based access controls (RBAC) and apply the principle of least privilege, ensuring that only authorized users can access the CMDB and that they can only view and use the data and features they’ve been enabled to use. They should also limit the number of super users who can access everything, and review and update these credentials frequently.

As an example, this might mean creating dedicated users who can access API data, but have read-only capabilities. Or they may be able to interact with APIs, but can’t log in via the GUI.

  4. Obfuscate access to the appliance: CMDBs should always be deployed on private networks, where they are not viewable or accessible to outside users. IT teams can further obfuscate the main appliance by configuring a proxy for any outbound HTTP/HTTPS connections. The Device42 main appliance will still be able to connect to other SaaS solutions via its cloud connector.
  5. Consider making other security improvements: Device42 provides a host of other strategies to improve CMDB security, such as disabling older TLS versions and HTTP access, importing an HTTP certificate, setting timeouts for user inactivity, setting up multi-factor authentication, and more.
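Risk #1 above asks security teams to watch for anomalous behavior on the CMDB, and tips 3 and 4 define what normal looks like: read-only API accounts, accounts that may use the API but not the GUI, and an appliance reachable only from private networks. The following is an added example written for this page, not Device42's own code or log format: a small rule set run over constructed audit-log lines that flags access from outside the private network, GUI use by an API-only account, writes by a read-only account, CI changes with no change ticket reference (Risk #3), and bulk exports. The account table, the private network list, the `timestamp key=value` line format and the log lines themselves are all assumptions.

```python
"""
Rule-based review of CMDB audit-log lines for misuse patterns.
Illustrative code for this page; the log format, the account table and the
sample lines are constructed, not Device42's own.
"""
from ipaddress import ip_address, ip_network

# Assumed account table: role plus whether GUI login is permitted.
ACCOUNTS = {
    "alice": {"role": "editor", "gui": True},
    "admin": {"role": "admin", "gui": True},
    "svc-reporting": {"role": "api-readonly", "gui": False},
}

# Networks the appliance is expected to be reached from (assumed).
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

WRITE_ACTIONS = {"create", "update", "delete"}
BULK_EXPORT_ROWS = 1000

# Constructed audit-log lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-05-03T09:12:01Z user=alice src=10.1.2.3 via=gui action=update target=device/web-01 change=CHG-1042
2024-05-03T09:15:44Z user=svc-reporting src=10.1.2.9 via=api action=read target=device/* rows=120
2024-05-03T09:20:10Z user=svc-reporting src=10.1.2.9 via=gui action=login target=-
2024-05-03T09:25:30Z user=svc-reporting src=10.1.2.9 via=api action=update target=device/db-02 change=-
2024-05-03T10:05:00Z user=alice src=10.1.2.3 via=gui action=update target=device/fw-03 change=-
2024-05-03T23:40:05Z user=admin src=203.0.113.7 via=gui action=login target=-
2024-05-03T23:42:18Z user=admin src=203.0.113.7 via=api action=export target=secrets/* rows=5000
"""


def parse_line(line):
    """Parse one log line into a dict; the first token is the timestamp."""
    timestamp, *pairs = line.split()
    event = {"ts": timestamp}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def check_event(event, accounts, private_nets):
    """Return the list of rule descriptions the event violates."""
    reasons = []
    # Unknown users get the most restrictive profile (assumption).
    account = accounts.get(event["user"], {"role": "unknown", "gui": False})
    src = ip_address(event["src"])
    if not any(src in net for net in private_nets):
        reasons.append("activity from outside the private network")
    if event.get("via") == "gui" and not account["gui"]:
        reasons.append("GUI use by an API-only account")
    if event["action"] in WRITE_ACTIONS and account["role"] == "api-readonly":
        reasons.append("write by a read-only account")
    if event["action"] in WRITE_ACTIONS and event.get("change", "-") == "-":
        reasons.append("CI change without a change ticket reference")
    if event["action"] == "export" and int(event.get("rows", "0")) > BULK_EXPORT_ROWS:
        reasons.append("bulk export")
    return reasons


def detect(log_text, accounts=ACCOUNTS, private_nets=PRIVATE_NETS):
    """Run every rule over every line; return (timestamp, user, reason) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for reason in check_event(event, accounts, private_nets):
            alerts.append((event["ts"], event["user"], reason))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

The rules encode the access policy rather than a traffic baseline, so a single event that breaks the policy is enough to raise an alert; a baseline-driven detector would be the next step once the RBAC model is stable.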

Key CMDB Regulatory Compliance Considerations

CMDBs can be used to help meet data privacy, security, and other requirements that vary based on industry and location. CMDB data can be leveraged by other platforms, such as governance, risk, and compliance (GRC) and workflow tools. While requirements vary, a CMDB’s ability to auto-discover assets in the environment, map dependencies, and provide audit logs for all changes can help organizations meet compliance requirements.

Further, Device42 provides ITAM capabilities that enable IT teams to manage license agreements to keep them current, ensure all purchased software is installed, manage usage to license counts, and prevent prohibited software from being used. By doing so, enterprises ensure compliance with vendor licensing requirements, while driving ROI on their spending. 

Benefits of a Secure and Compliant CMDB

CMDBs deliver their full value when they are implemented correctly, maintained effectively to create a true view of enterprise assets, and used to accomplish business objectives.

In addition to improving asset security and regulatory compliance, CMDBs can be used to improve operational efficiency, reduce costs, and improve risk management. The blogs linked provide extensive information on how to accomplish these goals. 

Do a deep dive: 

Maximize Data Center Energy Efficiency By Calculating and Improving Power Usage Effectiveness (PUE)

How to Make Your Data Center More Energy-Efficient

How data centers can use renewable energy to increase sustainability and reduce costs

How to Improve Your IT Incident Management Processes

How to Improve Incident Management and Minimize Business Risk

Choosing the Right CMDB 

So, how do you know how to choose a CMDB solution? As your IT team supports more devices and combats network sprawl, you can look for a CMDB that:

  • Offers both agentless and agent-based discovery: IT teams will typically use a CMDB’s agentless discovery capability to scan networks and discover all CIs without harming application performance. However, there are times when they’ll need agent-based discovery, such as to inventory devices that aren’t reachable from the network or that have business rules blocking traffic to them for security reasons.

Why compromise when you can get both in the same tool? Device42 provides both agentless and agent-based discovery, enabling enterprises to inventory all of their resources across their hybrid/multi-cloud infrastructure. IT teams can use this information to plan cloud migrations and optimize device lifecycle processes.

  • Provides integrated dependency mapping: Leading CMDBs should offer integrated dependency mapping, so that it is easy and seamless to visualize resources and the applications they support.

    Device42 provides an automatically generated, centralized repository of application, service and device relationships and dependencies whether running on premises on physical machines, on virtual machines, or in the cloud. IT teams can use this information to identify and troubleshoot performance bottlenecks and improve service quality.
  • Can be extended with other capabilities: Today, vendors are providing integrated solutions, which streamline tool deployment and use. Device42 offers a solution that can be extended to provide CMDB, ITAM, DCIM, IP asset management (IPAM), and SSL certificate management capabilities, significantly strengthening infrastructure management capabilities.
  • Integrates with leading SaaS providers: IT teams want to integrate their CMDB with other best-of-breed solutions, such as IT infrastructure management, password, and service management solutions. Device42 integrates with 30 other tools, such as Ansible, FreshService, ServiceNow, VMware, and Zendesk.

Why It’s Important to Commit to CMDB Training 

The process of educating and training your team on how to manage your CMDB never stops. You’ll want to work with your chosen vendor to:

  • Implement the solution: You’ll test and deploy your solution and decide whether to use the CIs provided out-of-the-box or customize them to your needs. You’ll want to train your team on the new solution: how to work with CIs, auto-discover assets, map dependencies, and interpret visualizations. Gaining high adoption of the solution early on is essential to making sure new processes stick.

    Device42 provides a live weekly demo of our CMDB solution, videos to get started, best practices, integration scripts, and a powerful wiki called The Hitchhikers Guide to Device42. We also offer on-demand support to ensure that customers can ramp up and gain rapid value from their new solution.
  • Train new team members: You’ll want to train new hires on your Device42 CMDB and key processes. We recommend inviting them to one of our demos and then training them on your internal processes. 
  • Stay up to date on new features: Device42 is continually updating its solution to offer new features and functionality. You can review all of our features and download the latest solution here.

Get Started with a Modern CMDB Today 

CMDBs have sometimes gotten a bad rap because teams viewed maintaining them as an onerous duty on top of their other management responsibilities.

Fortunately, solutions have evolved to automate most processes, minimizing team effort with data input and maintenance. In return, secure, compliant CMDBs provide a wealth of insight that can transform infrastructure management and regulatory compliance, bringing clarity and control to these important processes. 

Learn more about Device42


About the author: Rock Johnston