Lepide Blog: A Guide to IT Security, Compliance and IT Operations

IT Auditing and Configuration Drift


Configuration drift is a naturally occurring phenomenon whereby configuration items (CIs), such as the computers or devices on an organisation’s network, gradually move away from a consistent, known state. It occurs on both private and cloud-based networks. While configuration drift has a number of causes, it is essentially the result of conflicting changes made to devices, software, services and configuration files that are not systematically tracked by the IT department. Configuration drift is very common. Speak to any software developer and they will tell you how frustrating it is to make a change in one part of their code, only to find out at a later date that the change has broken functionality elsewhere in the application.

The consequences of configuration drift vary significantly, ranging from a minor nuisance to a serious system failure. Configuration drift is especially common amongst development teams that use process frameworks such as Agile, where colleagues often work on the same application at the same time, each using their own configuration file. Auditing configuration drift is not quite as simple as monitoring system changes and events: admins must first be able to identify which files, folders and directories are likely to be involved in creating a drift.

Windows PowerShell is a framework for task automation and configuration management. It includes a feature called Desired State Configuration (DSC), which allows administrators to define and manage configuration settings across network devices using the PowerShell scripting language, and it can be very helpful in preventing configuration drift. DSC uses a declarative approach: the admin or developer writes expressions that describe how the system should be configured, and DSC works out what the system must do to reach that desired state. For example, a typical configuration might request a specific number of machines, each with a specific operating system and/or software package installed and a specific set of files present. When the configuration agent on a node receives the configuration, it performs the actions necessary to bring the node’s actual state into alignment with the desired state. Note that DSC is not really suited to individual computers performing a multitude of unrelated tasks; it is intended for a large cluster of machines performing related tasks.
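As an added example (not code from the original post or from Lepide), here is a DSC configuration of the kind described above, followed by the Local Configuration Manager (LCM) setting that makes the node re-check itself on a schedule and put any drifted item back. The node name, the local output paths and the file share holding the baseline copy of `app.config` are assumptions chosen for illustration.

```powershell
# --- Desired state for a group of web servers (assumed node name: web01) ---
Configuration WebBaseline {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # The IIS role must be installed.
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # The application config file must match the baseline copy byte for byte.
        # SHA-256 checksum comparison means an edited file is detected and replaced,
        # not just a missing one. (Share path is an assumption.)
        File AppConfig {
            DestinationPath = 'C:\inetpub\app\app.config'
            SourcePath      = '\\fileserver\baseline\app.config'
            Ensure          = 'Present'
            Type            = 'File'
            Checksum        = 'SHA-256'
            MatchSource     = $true
            DependsOn       = '[WindowsFeature]IIS'
        }

        # The web service must be set to start automatically and be running.
        Service W3SVC {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]IIS'
        }
    }
}

# --- LCM meta-configuration: re-test every 30 minutes and auto-correct drift ---
[DSCLocalConfigurationManager()]
Configuration WebLcm {
    Node 'web01' {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'   # 'ApplyAndMonitor' would only report
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile both configurations to MOF files, push the LCM settings, then the state.
WebLcm      -OutputPath 'C:\DSC\WebLcm'
WebBaseline -NodeName 'web01' -OutputPath 'C:\DSC\WebBaseline'

Set-DscLocalConfigurationManager -Path 'C:\DSC\WebLcm'      -Verbose
Start-DscConfiguration            -Path 'C:\DSC\WebBaseline' -Wait -Verbose

# Ad-hoc drift check: lists each resource and whether it is still in the desired state.
Test-DscConfiguration -CimSession 'web01' -Detailed
```

The important choice for drift is the `ConfigurationMode` value: `ApplyAndMonitor` only logs when a resource has drifted, which is the right setting while you are still learning what changes on your systems, whereas `ApplyAndAutoCorrect` silently restores the declared state and therefore also hides who or what made the change unless you are auditing the file and service changes separately.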

In addition to using Windows PowerShell to automate configuration maintenance, open-source tools such as Puppet and commercial tools such as Chef can help you avoid configuration drift in a similar manner. Alternatively, you could simply rebuild machine instances on a regular basis so that they never drift too far from the baseline configuration. The advantage of automated configuration management tools is that, because they operate in real time, the system is out of alignment for a shorter period. Finally, while advanced auditing solutions such as Lepide Data Security Platform are not specifically designed to prevent configuration drift, they still provide a valuable set of tools for keeping track of important system changes, including any changes made to configuration files. Ultimately, it is a good idea to use all three methods: use automated configuration management where appropriate, rebuild certain machines periodically or on demand, and closely monitor and alert on important configuration changes on your systems.
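The monitoring part of that advice can be covered with a small scheduled script even before a full auditing product is in place. As an added example (not from the original post or from Lepide), the PowerShell script below records a SHA-256 hash of each configuration file you care about as a baseline and, on later runs, reports any file whose hash no longer matches or that has gone missing. The file list and the baseline location are assumptions; unlike a DSC `File` resource, this script only detects drift and does not correct it, which is exactly what you want when the goal is to find out who is changing what.

```powershell
# Added example: baseline-and-compare drift detection for configuration files.
# The paths below are assumptions for illustration; put your own CIs here.
$ConfigFiles  = @(
    'C:\inetpub\app\app.config',
    'C:\Windows\System32\drivers\etc\hosts'
)
$BaselinePath = 'C:\DSC\config-baseline.json'

function New-ConfigBaseline {
    # Hash every existing file in $Path and save the list as JSON.
    param([string[]]$Path, [string]$OutFile)
    $entries = foreach ($p in $Path) {
        if (Test-Path -LiteralPath $p) {
            $h = Get-FileHash -LiteralPath $p -Algorithm SHA256
            [pscustomobject]@{ Path = $p; Hash = $h.Hash; Captured = (Get-Date).ToString('o') }
        }
    }
    # @() keeps a single entry serialised as an array, not a bare object.
    ConvertTo-Json -InputObject @($entries) | Set-Content -LiteralPath $OutFile -Encoding UTF8
    $entries
}

function Test-ConfigDrift {
    # Compare the current hash of each baselined file with the stored one.
    param([string]$BaselineFile)
    $baseline = Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json
    foreach ($entry in @($baseline)) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            [pscustomobject]@{ Path = $entry.Path; Status = 'Missing'; Expected = $entry.Hash; Actual = $null }
            continue
        }
        $current = (Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path     = $entry.Path
            Status   = if ($current -eq $entry.Hash) { 'OK' } else { 'Drifted' }
            Expected = $entry.Hash
            Actual   = $current
        }
    }
}

# First run captures the baseline; later runs (e.g. from a scheduled task) compare against it.
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    New-ConfigBaseline -Path $ConfigFiles -OutFile $BaselinePath | Out-Null
}

$report  = Test-ConfigDrift -BaselineFile $BaselinePath
$report | Format-Table -AutoSize

# A non-zero exit code lets the scheduled task or monitoring system raise an alert.
$drifted = @($report | Where-Object { $_.Status -ne 'OK' })
if ($drifted.Count -gt 0) {
    Write-Warning ("{0} configuration file(s) have drifted from the baseline." -f $drifted.Count)
    exit 1
}
```

Re-create the baseline file deliberately after every approved change, otherwise an intended update shows up as drift on every run and the alert quickly gets ignored; the other useful pairing is to correlate a `Drifted` result with the file-system audit or change records from your auditing solution for that path, which tells you who made the change.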