What is security drift?
Security drift is when your environments drift or move away from established security baselines or industry standards. This includes infrastructure, configuration, development, staging, and production environments.
Security misconfigurations rank fifth on the OWASP list of the top 10 web application security risks.
What causes security drift?
Generally, administrative users making changes to a system leads to security drift, which may also go unidentified. Software patches, intended to fix bugs and resolve other issues, can also introduce configuration changes unbeknownst to the user.
Some other reasons for security drift include:
- Hardware upgrades: Scaling a startup or otherwise growing a business requires IT infrastructure changes. Whether adding servers or moving from on-premise to the cloud, any hardware upgrade can cause configuration changes at both the hardware and software levels.
- Ad-hoc configurations and troubleshooting: On any given business day, there are tens or even hundreds of events that require quick fixes to networks, operating systems, and applications to keep the business running. In the process, these fixes can also introduce configuration changes that cause security drift.
- Unauthorized changes: Be it an employee who downloads an unauthorized application to their laptop or an IT administrator who finds a quick fix but doesn’t go through the proper channels for approvals, any unauthorized change can compromise the availability, performance, or security of your systems. If not addressed, it can lead to security drift as others stop using proper approval channels.
- Lack of communication between teams: Security drift can also occur when one IT team makes a change but doesn’t inform others or the company about it, or when team members don’t know what configuration states for a staging or production environment are standard and approved.
- Poor documentation: Keeping track of configuration changes can be a pain. We get it. However, if changes aren’t properly documented, team members may be unable to determine whether systems are correctly configured. This can lead to security drift.
What are the risks linked to security drift?
Security drift, however minor, increases the risk of the following:
- Network breaches: An improper configuration change or an unknown configuration change from a patch can allow an outsider to gain access to a private network, leading to data theft, activity surveillance, and malware or virus infections.
- Data breaches: Security drift increases the risk of data being stolen or corrupted, potentially resulting in steep financial losses and reputation damage.
- Downtime: DDoS attacks, malware, or a virus can enter through a misconfigured network or web server, stopping company production and employee productivity. A slowdown or complete halt of company business can lead to lost revenue as customers turn elsewhere.
- Poor performance: Configuration changes can impede the performance of systems and applications, even if they don’t cause complete downtime.
- Compliance issues: ISO 27001, PCI DSS, HIPAA, and GDPR are just some examples of strict regulations related to data security. Security drift can lead to non-compliance, which can mean hefty fines.
Ways to manage security drift
While the National Institute of Standards and Technology (NIST) has NIST Special Publication 800-128 to guide you about avoiding configuration drift specifically, they also apply to security drift. Some of the more significant takeaways include:
Implement continuous monitoring and regular audits
Weekly security reviews of your systems leave plenty of time for a misconfiguration to cause a data breach, downtime, or a compliance violation. Continuous monitoring ensures the identification of any improper modifications immediately to correct them.
When performing regular audits, include any new devices added to the network, like new laptops or personal devices for new employees, as well as any ad-hoc changes made to systems and applications. During the next audit, any changes and necessary updates will be clear.
As humans, we’re prone to miss things, so manual configuration reviews mean missing something. Also, it takes longer if only humans conduct reviews.
To avoid human error in reviews, consider a configuration management tool that automates the process of finding configuration gaps. At the very least, the tool should scan all network devices and applications, spot any configuration changes, and notify the security team.
For more advanced automation, consider tools that can revert changes and restore a known, good configuration.
Create and use a repository of benchmarks and baselines
Establishing benchmarks and baselines is good business; having them for configurations saves time and avoids confusion. Your teams can quickly determine whether security drift has occurred and restore your systems to their intended state.
Industry leaders like the Center for Internet Security (CIS) or NIST are good places to start building your baselines. If you are using configuration management tools, check if there are templates you can use so you don’t have to start from scratch or feel overwhelmed.
Remember to review and update benchmarks and baselines, especially when changes to your IT environment or applicable regulatory mandates exist.
Make it part of change management
Change management isn’t just a buzzword; it’s an essential aspect of tracking, analysis, and communication within any company. Documentation is critical, and the same holds for IT. Controlling and documenting configuration changes as they happen helps prevent security drift and associated risks. Communicating those changes ensures everyone remains on the same page.