CSA CCM UEM-07
Operating Systems

Endpoint operating systems, patch levels, and applications are critical components of an organization's security posture. Changes to these systems must be carefully planned, tested, approved and communicated to avoid introducing vulnerabilities or impacting business operations. A robust change management process is essential for maintaining control over endpoints and minimizing risk.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26 which can be downloaded at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM provides a framework of security controls focused on cloud computing. Operating system and application management on endpoints is a foundational security practice applicable to any IT environment.

Relevant AWS documentation includes:

Who should care?

This control is relevant to:

  • IT operations teams responsible for managing endpoints
  • Security professionals assessing risk and defining security standards
  • Application owners dependent on a stable endpoint environment
  • Compliance officers ensuring adherence to regulatory requirements

What is the risk?

Failure to properly manage endpoint operating systems and applications can lead to:

  • Exploitation of known vulnerabilities by attackers
  • Instability and crashes due to incompatible updates
  • Productivity loss from downtime of critical systems
  • Fines and reputational damage from non-compliance

Implementing a structured change management process significantly reduces the likelihood and impact of these adverse events. While it does not eliminate risk entirely, it provides checks and balances to maintain a secure and reliable endpoint fleet.

What's the care factor?

For most organizations, endpoint management should be a high priority, as employee workstations are a common initial foothold for attackers. Applying timely patches and controlling application installs is a fundamental defense against common threats like ransomware and data theft.

The care factor may be lower for organizations with non-persistent virtual desktops, robust network segmentation, and other layered controls that limit the blast radius of an endpoint compromise. However, change management is still important for maintaining user productivity and avoiding business disruption.

When is it relevant?

Formal change management processes should be used whenever modifications are made to endpoint operating systems, patch levels, or applications. This includes:

  • Routine patching for security and bug fixes
  • Operating system upgrades (e.g. Windows 10 to 11)
  • Installation of new software
  • Reconfiguration of existing applications

Change management may not be necessary for purely cosmetic changes like wallpaper or solely user-controlled settings. Organizations should define criteria for what constitutes a "significant change" that falls under the policy.

What are the trade-offs?

Implementing change management controls requires an upfront and ongoing investment in time and resources, including:

  • Defining formal roles, responsibilities and approval workflows
  • Deploying and maintaining systems for centralized management
  • Planning and scheduling maintenance windows
  • Testing and verifying changes before rollout
  • Communicating changes and providing support to end users

Overly restrictive policies can impact productivity if they slow down access to needed tools and updates. Organizations must balance security and agility, perhaps by pre-approving certain low-risk changes or delegating authority to application owners.

How to make it happen?

  1. Define a change management policy specifying roles, responsibilities, approval levels, testing requirements, fallback procedures, etc.
  2. Identify all endpoint assets and standardize operating system images and application sets as much as possible
  3. Deploy an endpoint management tool (e.g. Microsoft Endpoint Manager, AWS Systems Manager) to centrally control configurations
  4. Configure endpoint policies to match organizational standards and block unauthorized changes by users
  5. Integrate endpoint management with the IT service management ticketing system so that every change is linked to an approved request
  6. Establish regular maintenance windows and use the endpoint management tool to automate rollout of approved changes
  7. Monitor endpoints for drift from standard configurations and remediate unauthorized changes
  8. Collect logs from the endpoint management tool and correlate them with other security monitoring systems to detect anomalous activity
  9. Use the endpoint management tool to rapidly deploy emergency patches or containment actions during incidents
  10. Review and update the change management policy and endpoint standards on a regular basis based on operational experience and evolving threats
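Steps 5 and 7 above are the ones that turn the policy into something checkable: every observed change should map to an approved request, and every endpoint should match the approved baseline. The following is an added example (not part of the CSA CCM text, and not AWS or Microsoft tooling) showing what that comparison looks like in code. The baseline, the inventory snapshot (shaped loosely like application and OS inventory an endpoint management tool would collect) and the change events are all constructed for the example; the app names, build numbers and ticket IDs are placeholders.

```python
"""Baseline drift and change-approval checks for a managed endpoint fleet.

Added example. BASELINE, INVENTORY, CHANGE_EVENTS and APPROVED_TICKETS are
constructed data; in practice they would come from the endpoint management
tool's inventory API and the ITSM ticketing system.
"""

# Approved standard for one endpoint class (hypothetical values).
BASELINE = {
    "os": {"name": "Windows", "min_build": 22621},
    # Apps that must be present, with the minimum acceptable version.
    "required_apps": {"EDR Agent": "7.4.0", "Browser": "120.0"},
    # Everything installed must be in this set (required apps included).
    "allowed_apps": {"EDR Agent", "Browser", "Office Suite", "VPN Client"},
}

# Constructed inventory snapshot: one record per endpoint.
INVENTORY = [
    {"id": "mi-0001", "os": {"name": "Windows", "build": 22631},
     "apps": {"EDR Agent": "7.4.2", "Browser": "121.0", "Office Suite": "16.0"}},
    {"id": "mi-0002", "os": {"name": "Windows", "build": 19045},
     "apps": {"EDR Agent": "7.3.9", "Browser": "121.0",
              "Remote Desktop Tool X": "3.1"}},
    {"id": "mi-0003", "os": {"name": "Windows", "build": 22631},
     "apps": {"Browser": "121.0", "VPN Client": "5.2"}},
]

# Constructed software-install events from the tool's activity log, each
# carrying the change ticket the installer supplied (None = no ticket).
CHANGE_EVENTS = [
    {"id": "mi-0001", "app": "Office Suite", "ticket": "CHG-1001"},
    {"id": "mi-0002", "app": "Remote Desktop Tool X", "ticket": None},
    {"id": "mi-0003", "app": "VPN Client", "ticket": "CHG-1002"},
]
APPROVED_TICKETS = {"CHG-1001", "CHG-1002"}  # constructed ITSM export


def version_tuple(version):
    """Turn '7.3.9' into (7, 3, 9) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def detect_drift(baseline, inventory):
    """Return (endpoint_id, finding_kind, detail) for each deviation."""
    findings = []
    for ep in inventory:
        os_info = ep["os"]
        if (os_info["name"] != baseline["os"]["name"]
                or os_info["build"] < baseline["os"]["min_build"]):
            findings.append((ep["id"], "os_below_baseline",
                             f"{os_info['name']} build {os_info['build']}"))
        for app, min_ver in baseline["required_apps"].items():
            have = ep["apps"].get(app)
            if have is None:
                findings.append((ep["id"], "missing_required_app", app))
            elif version_tuple(have) < version_tuple(min_ver):
                findings.append((ep["id"], "outdated_app",
                                 f"{app} {have} < {min_ver}"))
        for app in ep["apps"]:
            if app not in baseline["allowed_apps"]:
                findings.append((ep["id"], "unauthorized_app", app))
    return findings


def unapproved_changes(events, approved_tickets):
    """Installs that cannot be tied to an approved change request."""
    return [e for e in events if e["ticket"] not in approved_tickets]


# Severity policy: an absent security agent or unknown software is handled
# now; a lagging OS build or app version waits for the next window.
IMMEDIATE = {"missing_required_app", "unauthorized_app"}


def remediation_plan(findings):
    """Map each drifted endpoint to 'immediate' or 'next_window'."""
    plan = {}
    for endpoint_id, kind, _detail in findings:
        urgency = "immediate" if kind in IMMEDIATE else "next_window"
        if plan.get(endpoint_id) != "immediate":
            plan[endpoint_id] = urgency
    return plan


if __name__ == "__main__":
    drift = detect_drift(BASELINE, INVENTORY)
    for finding in drift:
        print("drift:", *finding)
    for event in unapproved_changes(CHANGE_EVENTS, APPROVED_TICKETS):
        print("unapproved change:", event["id"], event["app"])
    print("plan:", remediation_plan(drift))
```

With the constructed data, the first endpoint is clean, the second is flagged for an old OS build, an outdated EDR agent and an unlisted remote-access tool (the same install that has no change ticket), and the third is missing the EDR agent entirely. Feeding the endpoint tool's real inventory export into `detect_drift` and the ITSM ticket export into `unapproved_changes` is the drift-monitoring loop of step 7; the findings are also the kind of event worth forwarding to the SIEM in step 8.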

What are some gotchas?

  • Endpoint management tools require administrator privileges to enforce configurations, so they are a high-value target for attackers. Ensure strong access control and monitoring of admin accounts.
  • Legacy systems or uncommon platforms may not be supported by mainstream endpoint management tools. Have a plan to handle exceptions without completely bypassing change controls.
  • Some organizations allow certain users (developers, executives, etc.) to have local administrator rights on their endpoints. Carefully consider the risks and mitigating controls before granting these powerful exceptions.
  • Cloud-based endpoint management tools make it easy to rapidly push changes but also carry the risk of impacting many systems at once. Have a tested rollback plan before making global changes.

Key permissions to implement these controls include:

  • IAM permissions to deploy and configure the endpoint management tool (SSM:SendCommand, SSM:CreateAssociation, etc. for AWS Systems Manager)
  • IAM permissions for the endpoint management tool to perform actions on managed instances (SSM:ListInventory, SSM:PutInventory, etc. for AWS Systems Manager)
  • Appropriate OS-level permissions on endpoints for the management agent to enforce configurations

What are the alternatives?

Some alternatives and complements to an endpoint management tool include:

  • Immutable infrastructure approaches like non-persistent VDI that provision a clean image at every login
  • Containerization and micro-VMs to isolate applications from the underlying endpoint
  • Strong network access control policies to limit lateral movement from compromised endpoints
  • User training to identify and report suspicious application behavior

However, these solutions do not eliminate the need for prudent change management. They are part of a layered security approach.
