Why audits aren't enough
Compliance and security management are interdependent. Compliance depends on security rules for enforcement. Security depends on clear compliance guidelines. Any lack of visibility to the enforcement of security policies as related to specific regulations can expose an organization to risk. With increased regulation, new business processes due to COVID, and reduced budgets, CIOs, compliance officers, system administrators and legal teams are seeking ways to work together to reduce risk.
Organizations routinely conduct audits to identify gaps as regulations increase, but audits are not the best way to discover issues. Audits create stress for all. Red Hat Insights for Red Hat Enterprise Linux (RHEL) simplifies the management of compliance and security. Insights helps organizations address compliance in a systematic fashion and reduce operational costs. Insights can help enforce a variety of cybersecurity policies, (including PCI-DSS, HIPAA, CIS, etc.) that your organization needs to meet.
Automating compliance delivers transparency
Transparency is one of the main challenges as organizations implement their policies and then work cross-functionally to ensure compliance.
How do they communicate exceptions, changes or customizations? One approach is to use the Security Content Automation Protocol (SCAP) for accurate reporting for each of the systems defined in the compliance policies. The National Institute of Standards and Technology (NIST) defines SCAP as “a suite of specifications for exchanging security automation content used to assess configuration compliance and to detect the presence of vulnerable versions of software.”
Let’s review these challenges in detail to understand them further.
Transparency is critical to any regulatory compliance program. Today, customers using OpenSCAP with RHEL on their own are expected to manage and ensure the SCAP Security Guide (SSG) version is correctly configured for the RHEL system it is deployed on. It is an arduous and manual task to ensure proper configuration. misconfiguration. In larger environments, this problem is amplified, leading to confusion.
Accurate reporting is another key aspect of a solid compliance program. Oftentimes the lack of transparency cited above can lead to inaccurate reporting. Inaccurate reporting can lead to security gaps due to misconfigurations and non-compliance. If the correct version of the SCAP Security Guide (SSG) is not deployed on the system then there can be a misrepresentation of compliance. Attention to detail and transparence is crucial to ensure adherence to the appropriate level of policy.
Insights: Another pair of eyes
The Compliance service within Red Hat Insights enables users to configure, monitor, remediate, and report on regulatory compliance policies that are pertinent to their organization via OpenSCAP.
Insights reflects the extensive Red Hat vendor knowledge and experience with the RHEL platform for which it was built. Red Hat Insights is an operational, business, security and compliance risk management solution that provides continuous, in-depth analysis of registered Red Hat Enterprise Linux systems. Some users have referred to Insights as "like having an extra pair of eyes."
The extra eyes are included in your RHEL subscription. The Compliance service works in synchronicity with other Insights services such as Advisor, Vulnerabilities and Patch to help organizations access and prioritize risk.
The Compliance service now provides “X-ray” vision into your policies and allows you to tailor them.
More detail on how to address compliance challenges can be found in a previous post “Managing the security of your Red Hat Enterprise Linux environment with Red hat Insights.” This post provides more detail on how the Insights Compliance service helps customers with managing regulatory compliance in large environments using OpenSCAP with RHEL.
Unsupported or mis-configured OpenSCAP
The Compliance service now enforces the supported versions of SSG used on your systems with OpenSCAP on RHEL. With this change, users will be able to determine which version of the SSG they are running on any system and see quickly if it is misconfigured.
Figure 1. Compliance reports highlights 4 systems running unsupported configs in this view
If a RHEL system is running any other version of the SSG file other than what’s been identified in Table 1.1 of the documentation
, results will still be calculated but they will be a “best-guess” effort and will be reported as “unsupported”; results for SSG versions not identified in the support matrix will not uploaded at all. The results of that particular system will be excluded from the overall policy’s compliance score.
Figure 2. Compliance now highlights unsupported configurations in the Policy Reports views
For accurate reporting, customers will need to have the correct, specified SSG versions deployed on the system per the specs in Table 1.1. Not only does this meet the transparency and accuracy needs but it helps to reduce operational costs for managing the compliance program. (See Figures 1, 2, and 3)
Figure 3. System reports pages provides a "best guess" result and highlights a misconfiguration
Compliance is a Journey
The functionality that’s defined within the compliance service of Insights continues to evolve with feature rich developments underway. We recognize that reporting, usability and integration to third party ticketing systems to further automate are crucial for customers to address compliance challenges. As the Red Hat team accompanies customers on their compliance journey we continue to simplify the tasks associated with compliance and face the challenges head-on with transparency and clarity.
Reporting, usability improvements, and integration to third party ticketing systems to further automate and make the workflows within your organization more seamless are on the roadmap.
Connecting is easier
Customers with a subscription to Red Hat Smart Management will also have access to push-button functionality available with the “Cloud Connector” within Red Hat Insights. The Cloud Connector provides a simpler way to connect and immediately take advantage of the recommendations in Red Hat Insights to remediate at scale across on-premise and cloud instances for RHEL. (See Figure 4)
Figure 4. Cloud Connector via Red Hat Insights.
Want more information?
We held a Red Hat Insights webinar about managing security and compliance risk recently that included a short demonstration of the Vulnerability and Compliance services as part of Red Hat Insights. You can watch its recording on-demand here. I encourage you to also check out the Red Hat Insights Ask Me Anything Webinar Library which includes access to webinars on other aspects of Insights.
Red Hat Insights is included as part of your RHEL subscription - find more information and get started today by visiting Red Hat Insights.