Let’s face it: by nature, security professionals are not the trusting type, not in the least bit, to put it bluntly. The concept of automating security makes them jumpy, testy and, in some cases, downright irritable.
Why?
Well, as we know, security teams are charged with maintaining control over processes. Introducing automation requires trust, a lot of it in fact. But since automation IS the future of IT, like it or not, how can security pros learn to love automation domination?
Let’s tackle the elephant in the room first. When it comes to getting security teams on board with automation, the stopgap tends to be around trust. The security culture is one of control (yes, we’re a bunch of control freaks) and by nature security professionals don’t trust people and they don’t trust systems.
The sound of the word Automation makes some security people jump out of their seats, but not only for security reasons. The biggest concern is actually causing an outage, an event that tends to be noticed much faster than an overly permissive security configuration, which may go unnoticed forever.
For automation to take place, there has to be a hand-off of security decisions, a loss of control so to speak, and for that to happen there has to be unfounded trust in the process about to be automated.
Where to Start: Today, automation in IT is predominant; sysadmins use automation for application deployments as well as for managing infrastructure on premises and in the cloud. It is increasingly becoming the norm. However, when you move from IT automation into security automation, that is where the norm ends. So if automating security processes is new to your team or organization, where might be a good place to start?
First, security teams are open to automating tasks that are not inline. Compliance audits are one good example. While an audit is a security-related activity, it cannot induce risk (except for the risk of failing the audit). So security professionals are open to automating anything that doesn’t introduce risk, especially if it’s a dull, time-consuming task.
Another area where security automation is abundant is in processes that are simply too overwhelming for security teams to handle manually, where there is no feasible alternative but to automate. Patch management and security event management (SIEM) systems are two good examples where manual processes are just not viable.
Creeping into the Network with Automation: It’s when we talk about automating security into change management that trust issues come into play, big time. Nowhere is security risk more prevalent than in configuring security devices, because more often than not, misconfigurations lead to outages. When it comes to firewall policy or network security management, automation has to prove itself before security teams can hand it off. Baby steps are called for here.
How?
Consider starting with processes that can be reviewed in detail through a simulation of the automation before the “RUN” button is pressed, in other words a dry run. This will certainly help determine what the system is going to do, and not do. If teams have the opportunity to review what will be configured before it gets automated, you have started on the path to trusting security automation.
This is as much about collaboration and breaking down silos as it is about technology. Bringing security in to review the change processes as they are being automated is a trust- and team-building exercise in and of itself, and ensures that security considerations are baked into process automation from the get-go.
Trust between the people determining which processes should be automated, and how, tends to develop over time, as everyone gets to know each other, and especially as security teams gain the visibility and input they need to ensure that security is baked into process automation. As concerns are assuaged, security teams will become increasingly hands-off, but they need to be eased into it.
Phasing in More Network Automation: For security teams looking to take a gradual approach to full automation, Security Policy Orchestration (SPO) is the perfect vehicle. I like to think of this concept as a form of automation, but a more intelligent one. Automation in itself is like a robot repeating tasks in a dumb way. Orchestration is more like a conductor coordinating a talented group of musicians (a network of complex systems) playing a symphony together.
Core to this approach is simulation. Once the organization has its network topology accurately mapped out, the system can automatically identify the relevant policy enforcement points (firewalls, routers, load balancers) along the path of the business connectivity requirement. Based on this, a network simulation can be performed to accurately design the implementation.
In moving toward automatic network design, DevOps teams can greatly benefit from leveraging tried-and-true best practices already in place in the security world. For example, automatic risk analysis against a pre-defined zone-to-zone security policy, across the entire network, allows the security team to review and decide whether a given business need is aligned with corporate security guidelines or not.
As trust is gained in the automatic network design and in the automatic changes driven by pre-defined policies, there will be less reliance on reviewing every design change and more trust in automation. Once the system automates change provisioning, you have reached a mature automation model.
Orchestration handles changes as part of a process rather than through hidden API calls, which gives you the necessary transparency, including an audit trail, separation of duties and check points that are critical for trusting the machine. The audit trail enables a post-mortem analysis in the event something fails to go as intended. Checks and balances allow for human intervention when defined conditions occur. Lastly, the system has to be very accurate, reliable and secure.
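The dry run, the zone-to-zone risk check and the audit trail with human check points described above, as one added example (not code from the original post or from any SPO product): a batch of proposed firewall changes is simulated against a constructed zone map and zone-to-zone policy, compliant changes are cleared for automatic provisioning, non-compliant ones are held for review, and every decision is logged. The zones, policy and change identifiers are constructed for illustration.

```python
import ipaddress

# Constructed zone map (not from the article): security zone -> subnet.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("10.1.0.0/16"),
    "internal": ipaddress.ip_network("10.2.0.0/16"),
}

# Constructed zone-to-zone policy: (src_zone, dst_zone) -> permitted TCP ports.
# "any" permits every port; a pair missing from the table is denied by default.
POLICY = {
    ("internet", "dmz"): {443},
    ("dmz", "internal"): {5432},
    ("internal", "internal"): "any",
}

# Constructed batch of proposed changes waiting for the "RUN" button.
PROPOSED_CHANGES = [
    {"id": "CHG-1", "src": "203.0.113.5", "dst": "10.1.0.10", "port": 443},
    {"id": "CHG-2", "src": "203.0.113.5", "dst": "10.2.0.10", "port": 22},
    {"id": "CHG-3", "src": "10.1.0.10", "dst": "10.2.0.20", "port": 5432},
    {"id": "CHG-4", "src": "10.2.0.5", "dst": "10.2.0.6", "port": 8080},
    {"id": "CHG-5", "src": "10.1.0.10", "dst": "10.2.0.20", "port": 3306},
]

def zone_of(addr):
    """Most specific zone containing addr (longest prefix wins over 0.0.0.0/0)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for name, net in ZONES.items():
        if ip in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

def dry_run(changes):
    """Simulate the batch without touching any device.

    Returns (provision, hold, audit): changes cleared for automatic push,
    changes held at a human check point, and one audit entry per change.
    """
    provision, hold, audit = [], [], []
    for c in changes:
        src, dst = zone_of(c["src"]), zone_of(c["dst"])
        allowed = POLICY.get((src, dst), set())       # default deny
        ok = allowed == "any" or c["port"] in allowed
        audit.append((c["id"], src, dst, c["port"], "auto" if ok else "review"))
        (provision if ok else hold).append(c)
    return provision, hold, audit
```

Only the `provision` list would ever be handed to the device API; the `hold` list is where the human intervention the text calls for happens, and `audit` is what a post-mortem reads.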
The path to security automation may not be a quick one, but by taking a phased approach and automating the right processes, everyone will feel more confident about automation domination. This way, our favorite control freaks, the people we trust to secure our network, can focus their attention on the next generation of security challenges.