Back in February of 2011, I wrote an article called “Disruptive Tech Drives Need for Configuration Management”. The article referenced something called “light cubes” which I had read about in a Yahoo! News article titled “Wireless advances could mean no more cell towers”. At the time, internet of things — IoT — wasn’t even a term. The concept of connecting billions of toasters, thermostats, porta-potties, Webcams and glucose meters to the internet was probably laughable. “Light cubes” were described as small Rubik’s cube sized cubes mounted on street lamps or other non-invasive structures. The thought was that they could become a possible replacement for cellular towers. If widely adopted, I envisioned additional major challenges for the IT industry. A poor track record of implementing Configuration Management solutions that don’t generally factor in security is not ready for billions of additional configuration items (CIs). IT departments need to greatly increase their maturity with regard to Configuration Management & CMDB to accommodate IoT devices.
The October 2016 Dyn DDOS attack that brought down a large part of the Internet reminded me of my 2011 “light cubes” article. Dyn’s research led them to believe it was executed through an estimated 100,000 IoT devices infected with malware called “botnet”. The Dyn attack is believed to be twice as powerful as any previous attack. I already had concerns in 2011 with the absence and/or weakness of Configuration Management solutions in organizations. My concern at the time didn’t even include the security implications. Since then, I have promoted Configuration Management as part of cyber security solutions. The methodology used for Dyn DDOS attack reinforces my belief for this need. No longer should we see Configuration Management weakness as only impacting daily operations. Securing the enterprise of the future should now also evaluate Configuration Management as a fundamental component of the solution.
Configuration Management, in its broadest sense, helps ensure that the environment reflects the designs and standards set out by architecture and operations. The CMDB must demonstrate the relationships between and settings of devices are as they should be. This is no different than what specialized security teams work on independent of IT operations. This is more costly and grossly ineffective and security vulnerabilities are more likely.
An ever increasing cyber risk level combined with no expectation of significant IT budget increases does not bode well for enterprises if they continue on the same track. Organizations must become more efficient in their operations. Reducing the amount of duplicate effort helps cut costs and improve IT hardening. A comprehensive Configuration Management solution integrated with established security practices can be part of that. The danger is that most organizations aren’t looking at it that way. That must change if corporations plan to maintain customer privacy and protect their intellectual property.