Beyond the STIG: The wider world of cybersecurity

Depending on how deeply you deal with sensitive computing requirements and IT systems security, the phrase “STIG” either means:

• A Security Technology Implementation Guide, which provides a standard configuration for a given product, like an operating system, to enhance the security posture of related systems; or
• A steam-injected gas turbine; or
• The various incarnations of the helmeted, silent driver on Top Gear.

If the first definition resonated, then this new blog series is for you. STIGs, a concept originally designed for the US Department of Defense, are increasingly seen as a critical security guide for security-conscious computing in a variety of places across the public and private sectors, especially in regulated industries or sensitive environments like energy and banking. While STIGs are incredibly important, cybersecurity is built around an ecosystem, good risk management practices and conscientious cyber hygiene, not a single implementation standard.

STIGs, as a framework for platform hardening, provide incredibly useful guidance for helping to attain the often required approvals to place systems in production, also known to some as an “Authority to Operate” (ATO). They do not, however, address all of an organization’s IT security needs for their environments, Even before a systems hit production, organizations need to consider: 

• How to handle vulnerabilities when they inevitably appear
• What needs to be done to extend or expand the role or footprint of a given system
• How to stay ahead of emerging threats
• What modernizing operations may look like and how it can be done

For nearly two decades, Red Hat has been helping both public and private entities adapt to changing IT security requirements and concerns, by both achieving a wide-range of security validations for our products in global markets and by providing actionable information for organizations to improve their system security footprint.

This series will examine how STIGs are used, how IT security postures incorporate and extend beyond STIGs, and what other aspects of cybersecurity CIOs and other leaders need to consider and address. Topics will include:

• Why industry leadership in security matters and what this leadership looks like in practice
• Hardening of Linux and layered technologies, like Kubernetes, and why there’s more to code hardening than just fixing bugs 
• The practical implementation of security controls across systems
• Removing uncertainty and easing implementation burdens when improving IT security postures
• What it takes to manage risks inherent to software supply chains
• Extending security capabilities across (and with) an ecosystem of partners 
• Holistically managing an evolving threat and vulnerability landscape

Looking ahead, our next post will tackle the concept of “hardening”—what it means in practice and why it matters to modern IT deployments, even those that may also use specific STIGs. We look forward to sharing more with you in the future!