Configuration drift happens silently: a developer manually changes a production environment variable to debug an incident, forgets to revert it, and weeks later the application behaves differently in production than in staging with no explanation. NIST CM-3 requires controlled configuration change management. ISO 27001:2022 A.8.9 mandates configuration management. Without a drift detection mechanism, you cannot detect unauthorized configuration changes, reconcile environments after incidents, or demonstrate configuration control to auditors. The cost of undiscovered drift compounds: each subsequent change is made against an unknown baseline.
Rated low because undetected configuration drift causes environment inconsistencies that are hard to diagnose and can silently undermine security controls that are applied in one environment but not another.
Version-control all configuration and use infrastructure tools that detect and report drift between desired and actual state. The simplest approach is YAML configuration files under git; the most robust is IaC with a plan step in CI.
Version-controlled config files:
  config/
    development.yaml
    staging.yaml
    production.yaml
All changes go through pull request review. Production config changes require an approved PR — no manual edits on the server.
Terraform drift detection in CI:
  # .github/workflows/drift.yml
  - run: terraform plan -detailed-exitcode
  # exits 2 if drift detected; CI fails and alerts the team
Kubernetes: Use GitOps (Flux, ArgoCD) to continuously reconcile cluster state with git. Any manual kubectl edit is detected and reverted within minutes.
ID: environment-security.configuration-security.drift-detection
Severity: low
What to look for: Check for configuration management tools or practices. Look for version control of configuration files, drift detection tools (Terraform drift, ConfigMap versioning), or logging of configuration changes.
Pass criteria: Count the configuration management mechanisms in place. Pass when configuration changes are logged, version-controlled, or monitored for drift, with at least 1 drift detection mechanism active, and manual configuration changes to production are discouraged or prevented.
Fail criteria: Configuration can be changed manually in production with no logging or version control, or drift between environments is not detected.
Skip (N/A) when: Never — drift detection applies to all applications with multiple environments.
Detail on fail: "Configuration is manually edited on production server with no version history" or "No mechanism to detect drift between staging and production configs".
Remediation: Implement configuration tracking:
Using version control (recommended):
  config/
    development.yaml
    staging.yaml
    production.yaml
All changes go through code review and git history.
Using IaC (Terraform):
  terraform plan   # detect drift
  terraform apply  # version-controlled changes
Using infrastructure tools: