Hardening is usually the process of securing a system by reducing available attack vectors. In principle a single-function system is more secure than a multipurpose one. Reducing available attack vectors typically includes the removal of unnecessary software, unnecessary usernames or logins and the disabling or removal of unnecessary services.
Security Configuration Management (SCM) is an automated, security-focused set of capabilities that makes system hardening repeatable and enterprise-scalable; continuous, with real-time or periodic capabilities as needed; flexible and aligned with business needs, workflows and exceptions; and self-correcting and self-remediating.
According to NIST, SCM is “the management and control of configurations for an information system with the goal of enabling security and managing risk.” Tripwire defines SCM as “the ability to create, edit, and manage IT security hardening policies in a way that fits real-world business processes and continually balances risk and productivity.”
On October 23, 2012, the Department of Business Innovation and Skills (BIS) of the GCHQ released their “10 Steps to Cyber Security” document, which listed configuration security as one of the most critical steps to achieving an objective measure of security.
In implementing and maintaining a secure configuration, one has to take steps to mitigate and eliminate configuration drift. Configuration drift is a data center environment term. At a high level, configuration drift happens when production or primary hardware and software infrastructure configurations “drift”, or become different in some way, from a recovery or secondary configuration, or vice versa. Production or primary and recovery or secondary configurations are designed to be identical in certain aspects in order to allow business resumption should there be a disaster or major failure in production. When these infrastructure configurations drift from one another, they leave a gap between them, which is commonly called a configuration gap.
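The drift check described above can be sketched as follows. This is an added example, not code from the original page or from any SCM product. The "key value" file format, the host settings and the `MUST_MATCH` set are constructed assumptions.

```python
# Constructed sample inputs in a simple "key value" format (an assumption).
PRIMARY = """\
PermitRootLogin no        # hardened baseline
PasswordAuthentication no
MaxAuthTries 3
ListenAddress 10.0.0.10
"""

RECOVERY = """\
PermitRootLogin yes
MaxAuthTries 3
ListenAddress 10.1.0.10
X11Forwarding yes
"""

# Settings designed to be identical on both sides (assumed policy). ListenAddress
# is deliberately left out because it is expected to differ per site.
MUST_MATCH = {"permitrootlogin", "passwordauthentication", "maxauthtries", "x11forwarding"}


def parse_config(text):
    """Parse 'key value' lines into a dict, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split(None, 1)
        settings[key.lower()] = rest[0] if rest else ""
    return settings


def configuration_gap(primary, recovery, must_match):
    """Return {key: (primary_value, recovery_value)} for every drifted key."""
    # None means the setting is absent on that side; it is reported as drift
    # because that host then relies on a default instead of an explicit value.
    gap = {}
    for key in sorted(must_match):
        p, r = primary.get(key), recovery.get(key)
        if p != r:
            gap[key] = (p, r)
    return gap


if __name__ == "__main__":
    gap = configuration_gap(parse_config(PRIMARY), parse_config(RECOVERY), MUST_MATCH)
    for key, (p, r) in gap.items():
        print(f"DRIFT {key}: primary={p!r} recovery={r!r}")
```

Restricting the comparison to `MUST_MATCH` keeps legitimate per-site differences out of the report, so every entry in the returned gap is a candidate for remediation.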