Your device baselines are a critical part of your cybersecurity. While many baseline configuration management (BCM) implementations are done to satisfy regulatory and compliance requirements, the true benefit is to your security. Our baseline configuration management maturity model reviews the maturity levels (0-3) of a BCM implementation. As you achieve higher levels of BCM maturity, you can see how it is a critical piece for maintaining your cybersecurity.
In addition to our BCM maturity model, we also reviewed the baseline configuration best practices that you should be considering during your implementation, going hand-in-hand with today’s review of BCM maturity levels.
What is a Baseline Configuration Management Maturity Model?
A Baseline Configuration Management Maturity Model is a model detailing the design, implementation, and features of BCM in your environment, ranked from level 0 to level 3. As you ascend in maturity levels, your security is enhanced, and the sophistication of your implementation rises with it.
A mature baseline configuration management implementation enhances your security by raising your awareness of your device baselines. This combats problems related to device drift and to intentional or unintentional configuration changes that leave you vulnerable, such as a port being opened. This monitoring is performed after a user has completed their session on the device.
Achieving the highest level in the baseline configuration management maturity model will take you beyond even the needs required by regulatory or compliance standards. With a truly mature BCM implementation, you will have a core piece of your Zero Trust security architecture implemented and working to ensure you are safe from threats.
Baseline Configuration Management Maturity Model Stages
BCM Maturity Level 0:
At level zero, you are simply installing and configuring your endpoints without verifying or checking later if those devices have changed in any significant way. You are not sure what your devices looked like when they were first installed and cannot discern when they have changed from that baseline in a way that could disrupt operations or leave you vulnerable to security threats.
BCM Maturity Level 1:
At level one in the baseline configuration management maturity model, you are starting the process of monitoring your baselines, though in a rudimentary way. Here you are recording endpoint baselines manually and checking device configurations against those baselines by hand.
While this gives you insights into your fleet, you have a new challenge: large fleets of devices can take months or even a year to manually check. This is a problem for your security, as well as your compliance and regulatory needs.
If an endpoint configuration has changed in a way that can result in vulnerability or failure, you do not want to wait months or a year to learn this. Even more, because verification is done manually, it is prone to human error.
Configurations may not be properly recorded or verified against their baselines. If something is missed, you’ll need to wait until that device’s baseline is checked again, meaning another long interval during which you are at risk.
BCM Maturity Level 2:
Level 2 in the BCM maturity model addresses the manual challenges seen at level 1. You have systems in place to automate your baseline management process. You have eliminated the man hours spent checking your fleet and increased your security. If a device baseline changes now, you will know much sooner.
Here you’re also easily meeting the required intervals dictated by compliance or regulatory needs. What is missing at this level is a proper, beyond-Zero-Trust-level implementation of BCM, which treats even your devices as untrusted.
BCM Maturity Level 3:
At full maturity, you have taken your automation further. Not only are your baselines checked automatically, but they are checked every time a session terminates. Your BCM has become a true part of your cybersecurity mix that keeps you secure by alerting you immediately to baseline changes across your devices.
In a Zero Trust environment, this can be used in conjunction with recording of user sessions to understand exactly what happened and when. If a file or port has changed, you will know now rather than at the intervals required by compliance and regulatory needs. From here you can determine the appropriate action, such as taking the machine off the network or switching its settings back to its baseline.
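The session-end check described for levels 2 and 3 can be sketched as follows. This is an added example, not code from the original page or from any vendor product. The function names, the monitored files and the port sets are assumptions, and the listening ports are passed in as constructed data rather than read from the operating system.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(config_paths, listening_ports):
    """Record a baseline: SHA-256 of each monitored file plus the listening ports."""
    files = {}
    for p in map(Path, config_paths):
        # None marks a monitored file that does not exist at snapshot time.
        files[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest() if p.exists() else None
    return {"files": files, "ports": sorted(listening_ports)}

def drift(baseline, current):
    """Return a list of (kind, subject) findings where current differs from baseline."""
    findings = []
    for path, old in baseline["files"].items():
        new = current["files"].get(path)
        if new != old:
            findings.append(("file_missing" if new is None else "file_changed", path))
    base_ports, cur_ports = set(baseline["ports"]), set(current["ports"])
    findings += [("port_opened", p) for p in sorted(cur_ports - base_ports)]
    findings += [("port_closed", p) for p in sorted(base_ports - cur_ports)]
    return findings

def on_session_end(baseline, config_paths, listening_ports):
    """Level 3 behaviour: re-snapshot as soon as a session terminates, report drift."""
    return drift(baseline, snapshot(config_paths, listening_ports))

def demo():
    """Constructed scenario: a session edits one file and leaves an extra port open."""
    with tempfile.TemporaryDirectory() as d:
        sshd = Path(d) / "sshd_config"
        hosts = Path(d) / "hosts"
        sshd.write_text("PermitRootLogin no\n")
        hosts.write_text("127.0.0.1 localhost\n")
        paths = [sshd, hosts]
        baseline = snapshot(paths, {22, 443})          # recorded at install time
        sshd.write_text("PermitRootLogin yes\n")       # change made during the session
        return on_session_end(baseline, paths, {22, 443, 4444})

if __name__ == "__main__":
    for kind, subject in demo():
        print(kind, subject)
```

Run on a schedule, the same comparison gives level 2; calling it from a session-termination hook gives the immediate alerting described for level 3.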
Your Path to Achieving BCM Maturity
While we reviewed BCM today, it is important to remember that a fully mature cybersecurity architecture involves many pieces. We recommend visiting our Password Management, Secure Remote Access and Zero Trust maturity models as well, which explain the features and design needed to attain higher maturity levels across other areas of your cybersecurity.
Should you need any help or have questions about attaining higher levels of maturity, or want to go beyond Zero Trust security in your environment, you can always reach out and talk to us here.