On 8/13/14, 8:17 AM, Jeremiah Jahn wrote:
I was wondering about that. That 20K is a rather steep price. I always
assumed that Redhat was part of CIS though.


Years ago RHT did not publish much (any?) security guidance corporately. Documents such as the NSA SNAC Guide and CIS Benchmarks for RHEL filled this gap, and many RHT staff helped out by acting as contributors or technical editors. We're not a formal member of CIS though.

As a non-profit organization, part of the CIS model is to provide hardening guides for free, publicly posted to the internet. If you want automation content (SCAP, bash scripts, kickstart files...) that ensures your system is in compliance with a particular CIS benchmark, one must join the organization and pay membership dues. Even non-profits have to pay their staff somehow. This is completely reasonable.

The CIS staff are good people, and I've had a chance to talk with some of them. But corporately they're caught in a challenging position. In the past CIS was able to charge their customers for automation content, tools, scripts, kickstarts, etc., which funded the CIS staff authoring the CIS Benchmarks. But now, with the vendor (Red Hat) publishing *both* tools and content and including it natively in RHEL, how does CIS continue to make money on their RHEL guidance and stay relevant?

One way to protect revenue streams is to establish a brand around your benchmark, then ensure you're the sole provider of automation content against it. By giving only the prose guide/PDF away for free you force customers into creating their own implementation processes -- kickstarts, bash scripts, puppet, whatever. For many organizations this is trivial. Others would rather pay CIS to provide and maintain such automation content. Once your brand is established you then enforce terms and conditions stating that nobody but yourself can make attestation statements against your baseline, or provide automation content that directly measures compliance. You lock your customers in.

Part of that approach is reasonable. After all, you did author the guidance. You should be compensated for your work. But security and compliance shouldn't be a bolt-on through third parties. It is likely projects such as SSG, which are natively included by the vendor, collaborated on across industry, government, and academia, and tied back to recognized industry and regulatory standards, will become predominant over time.
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/