CSA CCM UEM-03
Compatibility

Ensuring endpoint device compatibility with operating systems and applications is critical for smooth operations and security. The CSA Cloud Controls Matrix (CCM) specifies that organizations should define and implement a process to validate this compatibility. Without proper validation, misconfigured endpoints can impact productivity and introduce attack vectors.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. You can download the full CCM document at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4.

The CCM provides a comprehensive set of cloud security controls mapped to various industry standards. It serves as a great reference for organizations looking to secure their cloud environments. For more background on the CCM and how to use it, check out the CSA's Overview and Guidelines document: https://cloudsecurityalliance.org/artifacts/ccm-overview-and-guidelines-v4/

Who should care?

Several roles should pay close attention to endpoint compatibility validation:

  • IT Operations teams responsible for managing endpoints
  • Information Security teams tasked with securing endpoints
  • Compliance Officers ensuring adherence to the CCM
  • Application Developers building software for managed devices
  • Business stakeholders dependent on reliable, secure endpoints to delivery value

What is the risk?

Failing to validate endpoint compatibility can lead to several adverse outcomes:

  • Unstable, crash-prone applications that hinder user productivity
  • Security holes from running outdated, unpatched software
  • Compliance violations if endpoints don't meet baseline requirements
  • Frustrated end-users abandoning managed devices for unmanaged alternatives

While the likelihood of compatibility issues depends on the diversity and scale of an organization's endpoint fleet, the consequences tend to be reliably painful. A single major mismatch can grind dependent business processes to a halt.

What's the care factor?

For most organizations, the care factor for UEM-03 should be high. Proactively validating compatibility is almost always cheaper than reactively dealing with the fallout of incompatible endpoints.

The more an organization depends on endpoints to delivery business value, the more they should prioritize getting compatibility right. Highly mobile workforces, geographically dispersed teams, and endpoint-driven revenue streams all amplify the importance.

When is it relevant?

Endpoint compatibility validation is most relevant when:

  • Deploying new operating system versions
  • Deploying new applications
  • Onboarding new makes/models of devices
  • Implementing a UEM solution for the first time

It tends to be less relevant for smaller, more homogeneous endpoint fleets. Or situations where users have high tolerance for some instability.

What are the trade-offs?

Investing in compatibility validation does come with costs:

  • Time and effort to develop and maintain a validation process
  • Additional compatibility testing for each deployment
  • Constraining selection of devices and applications to validated options
  • Delaying access to the latest OS and app features

Organizations have to strike a balance between the risk reduction of validation and the business agility enabled by rapid adoption of new endpoint technologies. In some cases, security may have to compromise.

How to make it happen?

Implementing an endpoint compatibility validation process generally involves:

  1. Define a compatibility test plan covering:
    • Devices makes/models
    • Operating systems versions
    • Applications
    • Configurations
  2. Acquire representative test devices matching production endpoints
  3. Implement automated build and deployment of test OS images and apps
  4. Develop compatibility test cases covering key functionality and configurations
  5. Execute test cases on each unique device, OS, and app combination
  6. Update test plan based on deployment pipeline changes
  7. Publish a compatibility matrix with tested and supported combinations
  8. Integrate compatibility testing into change management processes

The goal is to identify incompatibilities before they reach production endpoints. Automated testing enables more frequent validation.

What are some gotchas?

There are a few prerequisites and potential snags to watch out for:

  • Any unique hardware (e.g. biometric sensors) needs to be available for testing
  • Testing depends on access to pre-release versions of OS and app deployment artifacts
  • Compatibility issues can emerge from subtle interactions between components
  • Avoiding duplicating validation effort performed by vendors and publishers
  • Striking the right balance between test coverage and maintainable test suite size

To integrate with change control, compatibility testing needs permissions to create, delete, and manage (e.g. ec2:RunInstances, ec2:TerminateInstances) test infrastructure. The exact permissions depend on the implementation but AWS's documentation covers the common scenarios: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-iam.html

What are the alternatives?

There are a few alternative approaches to full pre-deployment compatibility testing:

  • Relying on vendor documentation of supported configurations
  • Limiting endpoint diversity to a single reference configuration
  • Gradually rolling out new OS/app versions while monitoring for issues
  • Reacting to incompatibilities as they're reported by end users

Each alternative sacrifices some proactive risk reduction for simplified validation effort. An organization's compatibility risk tolerance determines the appropriate approach.

Explore further

Here are some great resources to learn more about endpoint compatibility validation:

The CIS Critical Security Control 2: Inventory and Control of Software Assets also provides useful guidance on managing endpoint software: https://www.cisecurity.org/controls/inventory-and-control-of-software-assets/

Blog

Learn cloud security with our research blog