Explaining Hardening To Novices

Using Hardening’s unique origin meaning to help attack IT’s largest risk.

The concept of Hardening and Hardness is borrowed from military and battle vocabulary.  A military target is said to be hard or soft depending on how well it is defended or fortified.  When you step into an IT Security role, it helps to think of your own servers or assets as potential targets for your enemies.  As a defender of these assets, it becomes important to harden these targets, to thwart your attacker.

In military terms, when hardening your bunker, fort, or castle against military attack, it would be easy to make some incorrect choices when arming, defending or fortifying your position.  To fend off these attacks, it would be very important to make the correct hardening choices.

In the IT world, when we harden a Cloud Server, these choices are just as important.  It is very easy to make bad choices, spending major time hardening minor risks. So analysis of your Cloud Servers is just as important as battlefield analysis of your fort’s battlements.

Extending this metaphor, let’s imagine you’re in the market for a brand new fort or castle, and you visit the Battlement Expo 2020.  Bear with me, the metaphor mostly works. The Battlement Expo shows off the latest innovations in forts and castles, showcasing the functionality, power and usability of each product, all wide open for your exploration.

Free Pike to the first 50 visitors to our booth at Battlement Expo 2020… 

Each product is showcased with full schematics, every secret and every design point.  All of the doors, gates and drawbridges are open, and the defensive features are open and unmanned, for study.  The moat subcontractor has a high lead time. Supply-chain and staff training tasks are listed as an asterisk in the spec-sheet as well.

These Battlement Expo products are open, and showcased to sell their functionality.  They are not hardened for battle today, and will require more attention upon delivery.

Your Cloud Servers are also sold open and showcase their functionality as products to sell.

To get either a battlement or a cloud server ready for use, it will need to be hardened: its security features enabled, its open doors closed.  Without hardening, the enemy horde will march right in through the front door. Even products designed exclusively to repel the enemy horde need to be hardened when employed for use.

This humorous metaphor works pretty well, but also breaks down in a few very important ways.   

First, imagine your Battlement had thousands of doors, gates and drawbridges, more than any actual castle or fort would.  Cloud Servers have thousands of points of access, some obvious drawbridges, some inconsequential doors. And each access point has its own risks to manage: some open into the throne-room, some into the stable-boy’s bedroom.  Cloud Servers offer thousands of functions and services to get things done; some you’ll use, some you’ll never even know about. These Cloud Servers, just like our new Battlements, are absolutely designed to repel the enemy horde.  They just need the final steps of hardening to be employed on the battlefield. And a good hardening policy will keep you in compliance with the royal family, er, management and security teams.

Second, the Battlement Expo helped sell millions of copies of this battlement you’ve selected, this Cloud Server.  There is no need for the enemy horde to test attacks against your battlements: they have bought their own copy and can practice horde maneuvers on their own, in private, thousands of attacks, thousands of ways, preparing the way enemy hordes often do.  So, with millions of exact copies of your Cloud Server out there, you need to be better prepared than the enemy horde.

Third, the villagers and troops protected by your fortifications can be easily brainwashed, replaced, and/or impersonated to attack from inside the fort or castle, making some defenses irrelevant.  Cloud Servers are vulnerable to any number of disgruntled users, past and present. Sometimes the enemy horde has agents inside. Hardening helps close the unused gates and secrets the brainwashed will divulge.

As we complete our metaphor, we realize that the risk analysis process for Forts, Castles, and Cloud Servers is actually very similar.  The actors, the motivations, and the preparation steps seem to align well.

In both Battlements and Cloud Servers, we have day-to-day functionality that needs to be preserved.  Securing a Cloud Server to the point where its functionality is broken is a serious operational risk.  Security needs are always balanced against Operational needs with Cloud Servers. Keeping our royal family happy on all fronts is important.

We have costs in time and money to be preserved.  Securing a Cloud Server against your chosen security policy shouldn’t be expensive.  The risk analysis, and policy decisions may take time, but performing the hardening should be quick, easy and repeatable.

We have a risk assessment to be performed.  Some risks are obvious, some risks are hidden.  Some risks impinge on functionality, some not at all.  Some risks take little time to mitigate, others take more time. Risk assessment includes an assessment of probability, an assessment of bad actors, and an assessment of the price in functionality to harden.

We also have a confidence aspect to hardening.  Team confidence comes from deliberate planning, execution and documentation of a hardening policy.  Whole organizations decide future project complexity based on the fortifications you’ve already installed and how well they’ve worked.

Lastly, the degree of loss needs to be computed in the risk assessment.  Is it the throne-room door, or the stable-boy’s bedroom? What would that mean to you?  What would attackers seek on your Cloud Server? Where are the royal jewels? Where is the armory for deeper attacks?

Hardening Cloud Servers involves a process where all of the doors, gates and drawbridges are closed, confirmed, and documented by stated policy.  Discovering vulnerabilities is a process of gathering community-borne solutions to holes in the defenses. Having millions of copies of your Cloud Server works both ways: others contribute in hopes of the same secure results.

Hardening Rules are combined into RuleSets, which sometimes use synonyms like standards, specifications or benchmarks.  These RuleSets are usually organized according to audience need.

For instance, the HIPAA RuleSet or Benchmark is specific to Healthcare systems.  PCI-DSS is a RuleSet that focuses on Internet eCommerce. So someone who sells Healthcare products/services online might want to adhere to both HIPAA and PCI-DSS RuleSets to satisfy audit standards of compliance.

Compliance and Hardening usually involve the same discussions.  Compliance indicates a third-party auditing standard that organizations must comply with.  In reality, your security hardening policy is a definition of your compliance, which may or may not solely include auditing bodies.  It’s simply best practice to formalize your security policy, and execute according to that policy. Best practices use auditing bodies as a portion of your overall policy and strategy.

HardPrime, our All-In-One Cloud Security Scanner, Hardener, and Policy Document Generator, can help you iterate through this process.  It performs RuleSet hardening for 10 or more RuleSets, documenting as it goes. It also allows ad hoc policy hardening, where you select where, when and how Rules are hardened according to your needs.  Its Text User Interface makes Rule Research, Rule Selection and Documentation easy.

HardPrime performs Scanning, Hardening, Verification and Documentation automatically to speed your iterations over your policy.

New Cloud Servers are accessed by SSH terminal windows only, and HardPrime’s Text User Interface makes the most of a terminal window to get the hardening job done, no matter how many iterations you may need.

HardPrime helps you preserve functionality and cost by making the “round-trip” iteration effort of hardening a Cloud Server easy and short.  HardPrime eliminates the complex commands, flags and identifiers of other hardening solutions, and presents you with a Text User Interface to build your Hardening policy, execute the plan, and document your results.

Look for our booth at the next Battlement Expo near you, or just give HardPrime a try, using our 30-day free trial.

HardPrime gathers the latest intelligence for you, to battle your enemy horde in the arena of Cloud Server Security.