Red Hat blog
Depending on how deeply you deal with sensitive computing requirements and IT systems security, the phrase “STIG” either means:
- A Security Technology Implementation Guide, which provides a standard configuration for a given product, like an operating system, to enhance the security posture of related systems; or
- A steam-injected gas turbine; or
- The various incarnations of the helmeted, silent driver on Top Gear.
If the first definition resonated, then this new blog series is for you. STIGs, a concept originally designed for the US Department of Defense, are increasingly seen as a critical security guide for security-conscious computing in a variety of places across the public and private sectors, especially in regulated industries or sensitive environments like energy and banking. While STIGs are incredibly important, cybersecurity is built around an ecosystem, good risk management practices and conscientious cyber hygiene, not a single implementation standard.
STIGs, as a framework for platform hardening, provide incredibly useful guidance for helping to attain the often required approvals to place systems in production, also known to some as an “Authority to Operate” (ATO). They do not, however, address all of an organization’s IT security needs for their environments, Even before a systems hit production, organizations need to consider:
- How to handle vulnerabilities when they inevitably appear
- What needs to be done to extend or expand the role or footprint of a given system
- How to stay ahead of emerging threats
- What modernizing operations may look like and how it can be done
For nearly two decades, Red Hat has been helping both public and private entities adapt to changing IT security requirements and concerns, by both achieving a wide-range of security validations for our products in global markets and by providing actionable information for organizations to improve their system security footprint.
This series will examine how STIGs are used, how IT security postures incorporate and extend beyond STIGs, and what other aspects of cybersecurity CIOs and other leaders need to consider and address. Topics will include:
- Why industry leadership in security matters and what this leadership looks like in practice
- Hardening of Linux and layered technologies, like Kubernetes, and why there’s more to code hardening than just fixing bugs
- The practical implementation of security controls across systems
- Removing uncertainty and easing implementation burdens when improving IT security postures
- What it takes to manage risks inherent to software supply chains
- Extending security capabilities across (and with) an ecosystem of partners
- Holistically managing an evolving threat and vulnerability landscape
Looking ahead, our next post will tackle the concept of “hardening”—what it means in practice and why it matters to modern IT deployments, even those that may also use specific STIGs. We look forward to sharing more with you in the future!
About the author
Tara is a security compliance and risk management enthusiast, working across the organization and with partners to identify and control security risk. Tara joined Red Hat and the private sector in February 2020, after gaining experience as a 10-year federal civilian employee, most recently serving as the Cybersecurity Director and Command Information Security Officer (CISO) for Naval Facilities and Engineering Command (NAVFAC) in Washington, D.C. She has earned academic degrees from the U.S. Naval Academy and the National Defense University. Tara currently resides in Colorado with her husband and daughter where they enjoy their mini farm with dogs, chickens and dwarf goats.