Configuration Management


Configuration management is a systematic approach to ensuring that the desired state of an IT system is maintained throughout its lifecycle.

  • involves identifying and documenting all the infrastructure and devices installed at a site
  • implemented using the following elements:
    • Service assets
      • are things, processes, or people that contribute to the delivery of an IT service
      • Each asset must be identified by some sort of label
    • configuration item (CI)
      • an asset that requires specific management procedures for it to be used to deliver the service
      • defined by its attributes
    • configuration management system (CMS)
      • tools and databases that collect, store, manage, update, and present information about CIs
      • a small network might capture this information in spreadsheets and diagrams
      • dedicated applications for enterprise CMSs

Configuration States

  • Configuration states:
    • baseline
      • documents the approved or authorized state of a CI
      • allows auditing processes to detect unexpected or unauthorized change
      • can be a:
        • configuration baseline
          • e.g., ACL applied to a firewall
        • performance baseline
          • e.g., throughput achieved by the firewall
      • also called a golden configuration
    • production configuration
      • the state of a CI as used within a working network
      • might deviate temporarily or persistently from the baseline
      • deviation is often referred to as configuration drift
    • backup configuration
      • a copy of the production configuration made at a particular time
      • can also suffer from configuration drift
  • Monitoring configurations requires production and backup states to be compared to the baseline
  • when configuration has drifted, either:
    • revert it to the golden configuration
    • update the baseline template
  • to prevent unexpected configuration drift
    • require effective change management procedures
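
The comparison of production and backup states against the baseline can be automated. The following is an added example, not part of the original notes: it diffs each state against a golden firewall ACL and reports rules added or removed. The ACL syntax, addresses, and function names are constructed for illustration.

```python
import difflib

def normalize(config_text):
    """Drop blank lines, comment lines ('!' or '#') and redundant whitespace."""
    lines = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith(("!", "#")):
            lines.append(line)
    return lines

def drift(baseline_text, observed_text):
    """Report rules added to or removed from the baseline."""
    base, seen = normalize(baseline_text), normalize(observed_text)
    added, removed = [], []
    for entry in difflib.ndiff(base, seen):
        if entry.startswith("+ "):
            added.append(entry[2:])
        elif entry.startswith("- "):
            removed.append(entry[2:])
    # List comparison is order-sensitive: ACL rules are evaluated top-down,
    # so a reordered rule set counts as drift even if no rule text changed.
    return {"drifted": base != seen, "added": added, "removed": removed}

# Constructed sample data (generic ACL-like syntax, documentation address ranges)
BASELINE = """\
! golden configuration, approved through change management
permit tcp any host 192.0.2.10 eq 443
permit tcp 198.51.100.0/24 host 192.0.2.20 eq 22
deny ip any any
"""
PRODUCTION = """\
permit tcp any host 192.0.2.10 eq 443
permit tcp any host 192.0.2.20 eq 22
permit tcp 198.51.100.0/24 host 192.0.2.20 eq 22
deny ip any any
"""
BACKUP = """\
permit tcp any host 192.0.2.10   eq 443
permit tcp 198.51.100.0/24 host 192.0.2.20 eq 22
deny ip any any
"""

def audit(states, baseline=BASELINE):
    """Compare each named state (production, backup, ...) to the baseline."""
    return {name: drift(baseline, text) for name, text in states.items()}

if __name__ == "__main__":
    for name, result in audit({"production": PRODUCTION, "backup": BACKUP}).items():
        print(name, result)
```

Here the production state has drifted (an unapproved rule opens SSH to any source), while the backup matches the baseline once whitespace is normalized.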

Process

  1. Full asset inventory
  2. Codification of the baseline
    • formal action that includes all members of the configuration management board (CMB)
    • should be negotiated in terms of cost-benefit and risk analyses
  3. Secure baseline build
    • a version of the baseline is constructed and stored
  4. Deployment of new assets
    • when a new asset is acquired, the baseline is applied to it

Centralized Operating System, Application, and Device Management

  • centralized configuration management
    • controls endpoint configuration
    • critical role in infrastructure as code, CI/CD, and DevOps
    • allows admin to define device configuration settings on a management server and then push settings to endpoints in an automated way
    • enables consistency and enforcement
      • enforced means the central management server will overwrite changes made to an endpoint
    • can provide near-real-time visibility into configuration changes
      • enables continuous compliance monitoring
      • changes will generate an immediate alert
  • tools: