OPS.1.1.7 System Management

Description

Introduction

Reliable system management is a fundamental prerequisite for the secure and efficient operation of modern networked systems. For this purpose, a system management solution must comprehensively integrate all relevant systems. Furthermore, appropriate measures must be implemented to protect the system management communication and infrastructure.

System management encompasses many important functions such as system monitoring, configuration of systems, event handling, and logging. Another important function is reporting, which can also be set up as a common platform for IT systems and network components. Alternatively, it can be implemented as a dedicated uniform platform or as part of the individual system management components.

The system management solution consists of various system management components, for example agents that are operated on an underlying system management infrastructure. This solution is used to control the integrated and managed systems via the corresponding interfaces of the information domain. The combination of the solution, the underlying infrastructure, the managed systems, and the operation forms the totality of system management.

Objective

The objective of this building block is to establish information security as an integral part of system management. The building block describes on the one hand how system management can be set up and secured, and on the other hand how the associated communication can be protected.

Scope and Modeling

The building block OPS.1.1.7 System Management is to be applied to the system management solution used in the information domain.

In order to create an IT-Grundschutz model for a specific information domain, all building blocks must generally be considered in their entirety. As a rule, several building blocks are to be applied to the topic or target object.

This building block addresses, for example:

  • The necessary system management components,
  • The conceptual tasks for system management,
  • Logging from the perspective of system management, as well as
  • The updating of the system management solution.

The following content is also relevant and is addressed elsewhere:

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block OPS.1.1.7 System Management.

Unauthorized Access to the System Management Solution

Due to its central position and the necessary access rights to all managed systems, system management is a primary target for attacks.

If attackers succeed in accessing system management solutions — for example through unpatched security vulnerabilities — they can control and reconfigure all systems managed by the system management solution. They can, for example, access protected information or disrupt services or managed systems. For example, a company could centrally provide configuration servers for a system management solution. In this example, via an unpatched vulnerability, the configuration files are modified such that the managed systems install ransomware. As a result, in this example all systems managed by this system management solution are encrypted.

Errors in Automation Functions for System Management

All protection objectives of the managed information systems can be impaired by incorrectly automated processes.

Errors in one or more automation functions, such as scripts, can cause the managed systems to become non-functional or compromised. Due to the automated processes, a large number of IT systems can quickly be compromised. Even particularly critical IT systems can be quickly compromised in this way.

Unauthorized Interventions in System Management Communication

Accidental interventions in or targeted attacks on system management communication can violate the integrity of the managed IT systems and restrict the availability of services or IT systems.

If system management communication is intercepted and manipulated, active systems can be controlled in this way. Furthermore, data transmitted to and from the systems can be recorded and viewed.

Insufficient Time Synchronization of System Management Components

Errors in time synchronization can conceal problems and events, making it more difficult to detect security incidents and data exfiltration, for example.

If the system time of the system management components is insufficiently synchronized, protocols that use timestamps to evaluate the validity of communications — among other things — can be disrupted by different system times on the system management components and the managed systems.

Additionally, the log data for system management may not be correlatable with each other. Correlation can also lead to incorrect findings if timestamps appear to match or differ only due to faulty synchronization.

Incompatibility Between Managed Systems and the System Management Solution

A system management solution that is only partially compatible with the managed IT systems can trigger malfunctions of those systems and restrict their availability.

If the system management solution does not fully support the managed IT systems, certain actions cannot be performed as planned. This threat can also occur when systems are updated in which the management interfaces are changed.

Connection Loss Between Users and System Management Solution

Connection interruptions can restrict the availability of the system management solution.

If the connection between administrators and the system management solution is disrupted, IT systems can fail. Furthermore, error resolution and management of IT systems can be made more difficult.

If a connection is interrupted or disrupted, cost-intensive security-relevant and time-critical work cannot be performed on time — for example, security updates can no longer be applied or security incidents can no longer be responded to appropriately.

Connection Loss Between System Management Solution and Managed Systems

Connection interruptions to the managed systems can in particular impair the availability or integrity of services in the information domain.

The scope and configuration of such a connection loss determine whether services are impaired and what damage can result. The resulting error patterns may be difficult to analyze and the occurring errors difficult to resolve.

Insufficient Coordination Between System Management and Network Management

Uncoordinated actions in network management can have a negative impact on system management. This can create inconsistencies in the configuration between IT systems and connecting networks. For example, connection losses in the network can trigger a large number of follow-up events in the system management area. These events can lead to misconfigurations.

Requirements

The following are the specific requirements of building block OPS.1.1.7 System Management. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

The IT-Grundschutz Compendium additionally defines further roles. They should be staffed insofar as this is reasonable and appropriate.

Responsibilities              Roles
Primarily responsible         IT Operations
Additional responsibilities   None

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

OPS.1.1.7.A1 Requirements Specification for System Management (B)

Requirements for the system management infrastructure and processes MUST be specified. All essential elements for system management MUST be considered. Security aspects for system management MUST also be observed from the outset.

Furthermore, the interfaces of the managed IT systems MUST be documented, e.g. to ensure compatibility between the system management solution and the managed system.

OPS.1.1.7.A2 Planning of System Management (B)

The system management solution and the underlying infrastructure MUST be appropriately planned. The planning MUST include at minimum the following content:

  • A detailed requirements analysis,
  • A meaningful outline concept,
  • A comprehensive implementation plan, and
  • Milestones for quality assurance and acceptance.

All points mentioned in the requirements specification as well as the role and permission concept MUST be taken into account. At minimum the following topics MUST be considered:

  • Separation into appropriate areas for system management,
  • Access possibilities to and through system management,
  • Permissions of system management on the managed systems,
  • Network connections for access to and through system management,
  • Protocols for user access to the system management solution,
  • Protocols for communication between the system management solution and the managed systems,
  • Requirements for system management tools,
  • Interfaces for forwarding captured events or alarm messages,
  • Logging, including required interfaces to a central logging solution,
  • Support by the manufacturing or developing company over the planned deployment period,
  • Possibilities for applying patches to the system management solution as well as to the managed systems,
  • Reporting and interfaces to cross-cutting solutions, and
  • Corresponding requirements for the managed systems.

OPS.1.1.7.A3 Time Synchronization for System Management (B)

All components of the system management solution, including the managed systems, MUST use a synchronized clock. The system time MUST be synchronized for each managed system and for the system management solution using appropriate protocols.

OPS.1.1.7.A4 Securing System Management Communication (B)

If the system management solution and the managed systems communicate via the productive infrastructure, secure protocols MUST be used for this purpose. If no secure protocols can be used, a dedicated administration network (out-of-band management) MUST be used (see NET.1.1 Network Architecture and Design). If this is also not possible, supplementary security mechanisms at another level MUST be used, e.g. tunnel mechanisms via encrypted VPN or comparable solutions.

OPS.1.1.7.A5 Mutual Authentication Between System Management Solution and Managed Systems (B)

Authentication between the system management solution and the managed systems MUST take place in both directions. Authentication MUST be integrated into the cross-cutting authentication concept. Authentication MUST take place using secure protocols.

OPS.1.1.7.A6 Securing Access to the System Management Solution (B)

User access to the system management solution MUST be secured by:

  • Secure and appropriate authentication and authorization of users, as well as
  • Secure encryption of the transmitted data.

An appropriate authentication method MUST be selected. The selection process MUST be documented. The strength of the cryptographic methods and keys used MUST be regularly reviewed and adjusted if necessary.

The system management solution MUST use an authorization component to ensure that users can only perform actions for which they are authorized.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

OPS.1.1.7.A7 Defining a Security Policy for System Management (S)

A security policy for system management SHOULD be created and sustainably maintained. The policy SHOULD be known to all persons involved in system management. The security policy SHOULD also be fundamental to the work of these persons. It SHOULD be regularly and traceably verified that the content required in the policy is implemented. The results SHOULD be documented.

The security policy SHOULD at minimum define:

  • The areas of system management that are realized through central management tools and services,
  • The tasks in system management to be implemented automatically,
  • Configuration management for the data managed by the system management solution, e.g. versioning of configurations,
  • Requirements for network separation,
  • Requirements for access control,
  • Requirements for logging,
  • Requirements for quality assurance in the use of automation functions, e.g. scripts,
  • Requirements for communication protection,
  • The operational basic rules of system management, as well as
  • Requirements for coordination with network management, e.g. assignment of IP addresses or DNS names.

OPS.1.1.7.A8 Creation of a System Management Concept (S)

Based on the security policy for system management, a system management concept SHOULD be created and continuously maintained. At minimum the following aspects SHOULD be appropriately considered:

  • Methods, techniques, and tools for system management,
  • Securing of access and communication,
  • Securing at the network level, in particular assignment of system management components to security zones,
  • Scope of monitoring and alerting for each managed system,
  • Logging,
  • Automation, in particular the central distribution of configuration files to the managed systems,
  • Requirements for development and testing of automation functions,
  • Notification chains for disruptions and security incidents,
  • Provision of system management information for other operational areas,
  • Integration of system management into emergency planning, as well as
  • Required network transmission capacities of the system management solution.

OPS.1.1.7.A9 Detailed and Implementation Planning for System Management (S)

A detailed plan and an implementation plan for the system management solution SHOULD be created. All points addressed in the security policy and in the system management concept SHOULD be considered.

OPS.1.1.7.A10 Concept for the Secure Operation of the System Management Solution (S)

Based on the security policies and the system management concept, a concept for the secure operation of the system management solution and the underlying infrastructure SHOULD be created.

It SHOULD also be checked how the services of other operational units can be integrated and controlled.

OPS.1.1.7.A11 Regular Target-Actual Comparison in the Context of System Management (S)

IT Operations SHOULD regularly check to what extent the data, configurations, and scripts managed by the system management solution correspond to the target state. At minimum the following aspects SHOULD be checked in the target-actual comparison:

  • The configuration of the system management solution,
  • The configuration of the managed systems, as well as
  • The automation functions or scripts used.

It SHOULD be checked whether the mentioned aspects still fulfill the security policy and requirements specification. It SHOULD also be compared whether the software version of the system management solution is current.

OPS.1.1.7.A12 Triggering of Actions by the Central Components of the System Management Solution (S)

Actions executed by system management on the managed systems SHOULD be triggered exclusively by the system management solution. For this purpose, only those management functions on the system management solution and the managed systems that are actually needed SHOULD be activated.

OPS.1.1.7.A13 Obligation to Use the Designated Interfaces for System Management (S)

Management access to managed systems SHOULD take place exclusively via the interfaces designated for this purpose in the system management solution. If direct access to managed systems is necessary — e.g. after a failure of a managed system — both the direct access and all changes made in this context SHOULD be documented and incorporated into the system management solution to the necessary extent.

OPS.1.1.7.A14 Central Configuration Management for Managed Systems (S)

Software and configuration data for the managed systems SHOULD be consistently managed in a configuration management system that enables versioning and change tracking. The associated documentation for configuration management SHOULD be complete and always up to date. The required documentation SHOULD be securely available at a central location and integrated into data backups. The central configuration management SHOULD be sustainably maintained and regularly audited.

All interfaces between the system management solution and other applications and services SHOULD be documented and completely managed in a configuration management system. Between relevant operational areas, functional changes to the interfaces SHOULD be coordinated and documented at an early stage.

The configuration data for the managed systems SHOULD be automatically distributed via the network and installable and activatable without operational interruption.

OPS.1.1.7.A15 Status Monitoring, Logging, and Alerting for Relevant Events in the System Management Solution and Managed Systems (S)

The basic performance and availability parameters of the system management solution and the managed systems SHOULD be continuously monitored. For this purpose, the respective threshold values SHOULD be determined in advance (baselining). If defined threshold values are exceeded, the responsible personnel SHOULD be automatically notified.

For better error analysis, information from status monitoring of other areas — e.g. from a dedicated “Networks” area — SHOULD also be considered to find the exact cause of a disruption.

Important events on managed systems and on the system management solution SHOULD be automatically transmitted to a central logging infrastructure and logged there (see OPS.1.1.5 Logging).

Important events SHOULD at minimum be defined for the following aspects:

  • Failure and unreachability of managed systems,
  • Failure and unreachability of system management components,
  • Hardware malfunctions,
  • Login attempts on the system management solution,
  • Login attempts on managed systems,
  • Critical states or overloading of the system management solution, as well as
  • Critical states or overloading of managed systems.

Event messages and log data SHOULD be transmitted to a central logging system. Alarm messages SHOULD be transmitted immediately when they occur.
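The two mechanisms A15 asks for, a baseline-derived threshold and a defined set of important events with alarms forwarded immediately, are shown below as an added example; it is not part of the IT-Grundschutz text and not code from any product. The metric history, the syslog-like event lines and the matching patterns are all constructed here so the script runs offline; real log formats and the exact set of patterns are assumptions that depend on the management solution in use.

```python
"""Baselining and event routing for status monitoring (added example, not BSI code).

Two pieces: (1) a threshold derived from a metric baseline (mean + k standard
deviations over a constructed history), and (2) classification of constructed
log lines into the event classes listed in OPS.1.1.7.A15, deciding which ones
are alarms to forward immediately and which are normal log events. The log
formats and patterns are assumptions; real products differ.
"""
import re
import statistics
from dataclasses import dataclass

# Constructed one-minute CPU load samples from a managed host during normal operation.
BASELINE_SAMPLES = [0.41, 0.38, 0.45, 0.40, 0.43, 0.39, 0.44, 0.42, 0.40, 0.46]


def baseline_threshold(samples, k: float = 3.0) -> float:
    """Threshold = mean + k * population standard deviation of the baseline period."""
    return statistics.fmean(samples) + k * statistics.pstdev(samples)


def exceeds_baseline(value: float, samples=BASELINE_SAMPLES, k: float = 3.0) -> bool:
    """True when a new measurement lies above the baseline-derived threshold."""
    return value > baseline_threshold(samples, k)


@dataclass(frozen=True)
class Rule:
    category: str
    pattern: re.Pattern
    alarm: bool  # True: alarm message, forward immediately; False: regular log event


# One rule per event class from A15 (patterns are constructed for the sample lines below).
RULES = [
    Rule("managed system unreachable", re.compile(r"host \S+ unreachable"), True),
    Rule("management component unreachable", re.compile(r"component \S+ (down|unreachable)"), True),
    Rule("hardware malfunction", re.compile(r"SMART failure|ECC error|fan failure"), True),
    Rule("login attempt on management solution", re.compile(r"mgmt-core \S+: login attempt"), False),
    Rule("login attempt on managed system", re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for"), False),
    Rule("management solution overload", re.compile(r"mgmt-core .*queue depth \d+ exceeds"), True),
    Rule("managed system overload", re.compile(r"load average \S+ exceeds"), True),
]


def classify(line: str) -> tuple:
    """Return (category, is_alarm); lines matching no rule are ordinary events."""
    for rule in RULES:
        if rule.pattern.search(line):
            return rule.category, rule.alarm
    return "other", False


def route(lines) -> tuple:
    """Split events into alarms (immediate transmission) and log events (central logging)."""
    alarms, logs = [], []
    for line in lines:
        category, is_alarm = classify(line)
        (alarms if is_alarm else logs).append((category, line))
    return alarms, logs


# Constructed sample events in a syslog-like layout.
SAMPLE_EVENTS = [
    "2024-05-02T10:15:01Z mgmt-core agent[1201]: host db-07 unreachable (3 missed heartbeats)",
    "2024-05-02T10:15:05Z db-07 sshd[455]: Failed password for admin from 10.0.9.12 port 51322",
    "2024-05-02T10:15:07Z mgmt-core web[88]: login attempt user=operator result=failure",
    "2024-05-02T10:16:00Z node-03 smartd[310]: SMART failure predicted on /dev/sdb",
    "2024-05-02T10:16:30Z mgmt-core scheduler[9]: job backup-nightly completed",
    "2024-05-02T10:17:00Z app-02 monitor[77]: load average 9.81 exceeds threshold 4.0",
]


if __name__ == "__main__":
    print(f"baseline threshold: {baseline_threshold(BASELINE_SAMPLES):.3f}")
    alarms, logs = route(SAMPLE_EVENTS)
    for category, line in alarms:
        print("ALARM", category, "|", line)
    for category, line in logs:
        print("LOG  ", category, "|", line)
```

Every event, alarm or not, ends up in one of the two lists, which matches the requirement that all event messages reach central logging while only alarms are pushed immediately; which classes count as alarms is a decision the institution records in its concept, and the `alarm` flag above is merely one defensible choice.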

OPS.1.1.7.A16 Integration of System Management into Emergency Planning (S)

The system management solution SHOULD be integrated into the institution’s emergency planning. For this purpose, both the system management solution and the configurations of the managed systems SHOULD be backed up and integrated into recovery plans.

OPS.1.1.7.A17 Control of System Management Communication (S)

Communication between users and the system management solution as well as between the system management solution and the managed IT systems SHOULD be restricted to strictly necessary connections through appropriate filtering techniques.

OPS.1.1.7.A18 Verification of System State (S)

The consistency between the actual system state and the state assumed by the system management solution SHOULD be regularly verified. If deviations are found, the state intended in the system management solution SHOULD be restored.
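A11 (target-actual comparison of configurations, scripts and the software version) and A18 (restoring the intended state when deviations are found) can be implemented with one drift check. The script below is an added example, not part of the IT-Grundschutz text and not code from any management product: it assumes a target state kept by the management solution as a manifest of SHA-256 digests plus an expected software version, and compares it against a collected actual state. The file paths, contents and version strings are constructed so the example runs offline.

```python
"""Target-actual comparison for managed configurations (added example, not BSI code).

Assumed model: the system management solution holds a target state consisting of
the expected content (and so the SHA-256 digest) of every managed file, plus the
version of the management software it expects to be running. The actual state is
collected from a managed system. All data here is constructed inline.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def version_tuple(version: str) -> tuple:
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


# Constructed target state (contents the management solution intends to distribute).
TARGET_CONFIGS = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/ntp.conf": b"server ntp.example.internal iburst\n",
    "/opt/mgmt/scripts/rotate_logs.sh": b"#!/bin/sh\nlogrotate /etc/logrotate.conf\n",
}
TARGET_MANIFEST = {path: sha256_hex(body) for path, body in TARGET_CONFIGS.items()}
TARGET_MGMT_VERSION = "4.2.1"  # constructed; the version the solution should be running


@dataclass
class DriftReport:
    modified: list = field(default_factory=list)    # present but content differs from target
    missing: list = field(default_factory=list)     # in target, absent on the system
    unexpected: list = field(default_factory=list)  # on the system, not under management
    version_outdated: bool = False

    def has_drift(self) -> bool:
        return bool(self.modified or self.missing or self.unexpected or self.version_outdated)


def compare(actual_files: dict, actual_version: str,
            manifest: dict = TARGET_MANIFEST, target_version: str = TARGET_MGMT_VERSION) -> DriftReport:
    """A11: compare the collected actual state against the target manifest."""
    report = DriftReport()
    for path, digest in manifest.items():
        if path not in actual_files:
            report.missing.append(path)
        elif sha256_hex(actual_files[path]) != digest:
            report.modified.append(path)
    report.unexpected = sorted(p for p in actual_files if p not in manifest)
    report.version_outdated = version_tuple(actual_version) < version_tuple(target_version)
    return report


def restore(actual_files: dict, report: DriftReport, target: dict = TARGET_CONFIGS) -> dict:
    """A18: re-apply the intended content for every modified or missing managed file.

    Unexpected files are left untouched on purpose: they are outside the target state,
    so the report flags them for review rather than deleting them automatically.
    """
    corrected = dict(actual_files)
    for path in report.modified + report.missing:
        corrected[path] = target[path]
    return corrected


# Constructed actual state: one tampered file, one missing file, one unmanaged file,
# and a management agent running an older version than intended.
ACTUAL_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/opt/mgmt/scripts/rotate_logs.sh": b"#!/bin/sh\nlogrotate /etc/logrotate.conf\n",
    "/opt/mgmt/scripts/debug_dump.sh": b"#!/bin/sh\ntar czf /tmp/dump.tgz /etc\n",
}
ACTUAL_MGMT_VERSION = "4.1.9"


def run_check() -> tuple:
    """Return (report before restoration, report after restoration) for the constructed data."""
    before = compare(ACTUAL_FILES, ACTUAL_MGMT_VERSION)
    corrected = restore(ACTUAL_FILES, before)
    after = compare(corrected, ACTUAL_MGMT_VERSION)
    return before, after


if __name__ == "__main__":
    before, after = run_check()
    print("modified:", before.modified, "missing:", before.missing,
          "unexpected:", before.unexpected, "outdated:", before.version_outdated)
    print("after restore -> modified:", after.modified, "missing:", after.missing,
          "still unexpected:", after.unexpected, "still outdated:", after.version_outdated)
```

Comparing digests rather than raw contents lets the manifest be distributed without exposing the configurations themselves, and the second `compare` after `restore` is the check that the restoration actually produced the intended state; the unmanaged file and the outdated version remain in the report because neither is something a file rewrite can fix.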

OPS.1.1.7.A19 Securing System Management Communication Between the System Management Solution and Managed Systems (S)

System management communication between the system management solution and the managed systems SHOULD generally be encrypted. The strength of the cryptographic methods and keys used SHOULD be regularly reviewed and adjusted if necessary.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.

OPS.1.1.7.A20 Highly Available Implementation of the System Management Solution (H)

A central system management solution SHOULD be operated in a highly available manner. For this purpose, the servers and tools used for the system management solution including the network connections SHOULD be designed with redundancy.

OPS.1.1.7.A21 Physical Separation of Central System Management Networks (H)

The management network for system management SHOULD be physically separated from the functional, especially productive, networks.

OPS.1.1.7.A22 Integration of System Management into Automated Detection Systems (H)

The logging of security-relevant events in system management SHOULD be integrated into a Security Information and Event Management (SIEM) system. It SHOULD be traceably defined which events are forwarded to the SIEM.

In the requirements catalog for selecting a system management solution, the required interfaces and transfer formats SHOULD be specified.

A system management solution SHOULD be automatically monitored with a system for detecting security-relevant vulnerabilities.

OPS.1.1.7.A23 Cross-Site Time Synchronization for System Management (H)

Time synchronization SHOULD be ensured both for the system management solution and for the managed systems across all sites of the institution. A common reference time SHOULD be used for this purpose.

OPS.1.1.7.A24 Automated Review of Security-Relevant Configurations by Appropriate Detection Systems (H)

Security-relevant configurations of the system management solution and the managed systems SHOULD be regularly reviewed by appropriate detection systems for deviations from the target state as well as for potential vulnerabilities.

OPS.1.1.7.A25 Logging and Regulation of System Management Sessions (H)

The session content, in particular the activities of users on the system management solution as well as all direct access to managed systems, SHOULD be continuously logged and regulated through a technical solution. The activities at the command level — i.e. manual and automated commands — SHOULD be controlled and, if necessary, blocked.

During monitoring, alerting SHOULD take place not only in the case of concrete rule violations but also in the case of anomalies in user behavior.

OPS.1.1.7.A26 Decoupling of Access to the System Management Solution (H)

Every administrative access to the system management solution SHOULD be secured through the use of jump servers.

Additional Information

Good to Know

No additional information is available for the building block OPS.1.1.7 System Management.