November 15, 2022
Best practices help prevent common, repeatable mistakes. They are agreed-upon courses of action, a standard or guideline known to produce a good or best outcome. Deviations from best practices can easily lead to big problems, especially in cybersecurity. And deviations happen more easily than you think, whether through a change in the best practice itself or through configuration drift.
As technologies evolve and grow over time, so must the best practices covering them. In the same way that we no longer use moats for home security, we need to ensure that our digital security is up to date and ready for the latest challenges.
Nor is the evolution of technology the only source of change: configurations can (and usually will) drift over time, moving away from their original or intended state. Continuously tracking updates to best practices, along with the configuration of every technology in your stack, is a time-consuming process and, arguably, no longer humanly possible.
Many companies do not have the luxury of a dedicated best practice compliance function or department, and even those that do may not have the time to keep up with the ever-changing security landscape manually. So there are three possible routes to choose with best practices and compliance. (Of course there is a dastardly fourth, but if you’re here then we know that you’re a professional, who won’t entertain the idea of choosing to operate in a non-compliant state.)
Best practices come from several kinds of source. One is the broad, vendor-neutral compliance framework, such as the Benchmarks published by the Center for Internet Security (CIS). CIS maintains a large library of Benchmarks, each a set of configuration recommendations developed by consensus among industry experts to secure a particular technology or system. The library is vendor neutral in the sense that, although CIS publishes benchmarks for many vendors' products and devices, it is not affiliated with those vendors, so its standards can remain impartial.
CIS publishes benchmarks for hundreds of hardware and software products, down to items such as multi-function printers (MFPs). With a catalogue this large, the challenge is making sure your teams select the benchmarks that actually apply to their systems, pick the profile they intend to be measured against (most benchmarks define more than one, such as a baseline Level 1 and a stricter Level 2), and keep up with new versions of those benchmarks as they are released.
For some technologies it may be advantageous to use the manufacturer's specific guidelines. These are most easily found in user guides, release notes, deployment documentation, FAQs and more. These resources can tell you how the vendor intended or expected their product to work, and how it may best work for you.
While a vendor's best practices can be useful, they are not always applicable to every use case. You may find your teams have extra considerations or additional pieces of technology which the original vendor did not anticipate. In our experience, this can lead people down rabbit holes of unverified information as they attempt to cobble a solution together from many disparate sources of information.
Another solution is to use a platform which provides you with automatic best practice audits specifically tailored to your needs – to remove the time pressure of keeping up to date with the latest and most applicable best practices for your systems.
No team can manually monitor every trusted source and apply everything it publishes. IT teams do not have the time or resources to keep their infrastructure aligned with best practices proactively and by hand.
A best practice compliance platform automates that legwork: it scans your infrastructure, compares what it finds against best practice guidelines and compliance frameworks, and turns the differences into actionable findings for you and your teams. A good platform should cover all of your environments and all of your working processes, from the start of the development cycle to the logs produced by your longest-serving servers and applications.
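As an added illustration of the scan-and-compare loop described above, and of the configuration drift mentioned earlier, the following Python script parses two constructed sshd_config snapshots, audits each against a small baseline of settings of the kind CIS Linux benchmarks recommend for sshd, ranks the findings by the severity categories used on this page, and reports what changed between the two snapshots. This is example code written for this article, not Runecast's code and not code from any benchmark; the baseline, its severities and both snapshots are assumptions made for the example.

```python
"""Audit a configuration snapshot against a best-practice baseline and
report drift between two snapshots. Illustrative example, not Runecast code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Severity order matches the categories used on this page.
SEVERITY_ORDER = {"Critical": 0, "Major": 1, "Medium": 2, "Low": 3}

# Baseline of expected settings. Constructed for this example: the values are
# of the kind CIS Linux benchmarks recommend for sshd, but the severities are
# assumptions and no benchmark item numbers are implied.
BASELINE = {
    "PermitRootLogin": ("no", "Critical"),
    "PasswordAuthentication": ("no", "Major"),
    "X11Forwarding": ("no", "Medium"),
    "MaxAuthTries": ("4", "Low"),
}

# Constructed sshd_config snapshots: one taken at deployment, one thirty days later.
SNAPSHOT_DAY1 = """\
# Hardened at deployment
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""

SNAPSHOT_DAY30 = """\
# Someone "temporarily" re-enabled root login and commented out a line
Port 22
PermitRootLogin yes
# PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    actual: Optional[str]  # None: keyword absent, so sshd's compiled-in default applies
    severity: str


def parse_sshd_config(text: str) -> dict[str, str]:
    """Parse 'Keyword value' lines. Keywords are case-insensitive and, as in
    sshd, the first occurrence of a keyword wins; blanks and comments are skipped."""
    config: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(key, value)
    return config


def audit(config: dict[str, str], baseline: dict = BASELINE) -> list[Finding]:
    """Compare a parsed config to the baseline. A missing keyword is reported
    as a finding because the baseline requires it to be set explicitly."""
    findings = []
    for key, (expected, severity) in baseline.items():
        actual = config.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(key, expected, actual, severity))
    # Highest severity first, so a team sees what to fix first.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def drift(previous: dict[str, str], current: dict[str, str]) -> dict[str, tuple]:
    """Keywords whose value changed, appeared or disappeared between snapshots."""
    keys = sorted(set(previous) | set(current))
    return {k: (previous.get(k), current.get(k)) for k in keys
            if previous.get(k) != current.get(k)}


if __name__ == "__main__":
    day1 = parse_sshd_config(SNAPSHOT_DAY1)
    day30 = parse_sshd_config(SNAPSHOT_DAY30)
    for f in audit(day30):
        print(f"[{f.severity}] {f.key}: expected {f.expected!r}, found {f.actual!r}")
    for key, (old, new) in drift(day1, day30).items():
        print(f"drift: {key} {old!r} -> {new!r}")
```

Two details matter in practice and are reflected above: sshd honours the first occurrence of a keyword, so a parser that lets a later line override an earlier one would audit a file sshd is not actually running; and an absent keyword is not "compliant by omission", because the effective value is then whatever the installed OpenSSH version defaults to, which is why the audit treats a missing required setting as a finding rather than silently passing it.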
The Runecast platform offers best practices analysis for your systems – on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Kubernetes (K8s), VMware, Windows, Linux and more. Our Runecast AI Knowledge Automation (RAIKA) and patented rules engine within the Runecast platform ensure that all best practices are kept up to date automatically, so that whole teams don’t have to do it manually.
Within the platform, customisable filters and reports ensure that you are seeing only what is applicable to your situation. Don’t have a K8s cluster? Then Runecast won’t waste your time by reporting on it. All the best practices are categorised based on their Severity (Critical, Major, Medium, Low), Infrastructure Layer (Compute, Network, Storage, Management) and Design Quality (Availability, Manageability, Performance, Security, Recoverability) – so you can easily determine the highest priorities for your teams.
Runecast easily displays Best Practice adoption on the main dashboard, as shown in the screenshot below – to enable your teams to see, at a glance, how far they are from adhering to the best practices or passing an audit.
Runecast enables you to see the best of best practices. Our platform presents your data demystified and then compares it to the best practices you select. Because our platform uses AI to keep up to date on any changes to best practices, and uses Config Vault to track any changes to your configuration, you can be confident that your configurations match up to best practices and you can be audit ready at a moment’s notice.