In cloud security, automation does *not* mean automatic

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Matt Harter
 

Connecting state and local government leaders

By Matt Harter

|

Agencies can keep their cloud systems secure -- even with the breakneck speed of DevOps -- by automating security functions in a way that ensures compliance and gives security pros a degree of control.

Technology terms often mean different things to different people. For example, to someone in DevOps, the cloud is a fantastic environment for deploying applications with unprecedented speed and agility. To a security pro, the cloud might be a quagmire of risk that can grow exponentially in a matter of hours -- thanks in no small part to those DevOps guys. To end-users, cloud is an easy way to access applications and data … and who cares about all the plumbing?

Which brings us to automation. 

Automation is one of the most loaded terms in technology today. Even when referring strictly to cybersecurity, it means different things to different people. To chief information security officers, it means headcount reduction or a way to reduce the cybersecurity skills gap. To a security operations engineer, however, it could mean “a machine making device changes instead of me.” This can be a frightening prospect to someone who is accustomed to manually implementing security rules across devices and IT assets and, more importantly, responsible for cleaning up the mess when things go wrong.

Yet automation is the only way that security can keep pace with the breakneck speed of DevOps and mission demands. The key is to automate security functions in a way that still gives security pros a degree of control, so they can be comfortable with the automated process. In other words, automation can’t just be automatic -- it must be a hybrid process where humans set the guardrails for the machine.

Automated, not automatic

There is a long and storied history of disconnect between application development and security teams based on their often-conflicting priorities. Developers are under pressure to enable the mission, so they push to get their applications in production as quickly as possible. Security, on the other hand, is in the business of reducing risk -- so speed is not as important as diligence. This conflict has created many situations where application security becomes an afterthought or, even worse, avoided completely. It puts security pros in a position where they must discover and secure applications and systems after they’ve been built and deployed, which would qualify as a “worst practice” for enterprise security.

This situation was problematic when most applications and systems were deployed on-premise. It has become inflamed with the emergence of DevOps and cloud computing, because together these two trends have dramatically increased the velocity of change across the new, hybrid enterprise IT infrastructure. Applications that once underwent six-month release cycles are now being constantly updated and changed, and deploying systems in the cloud is as easy as a few mouse clicks.

The cloud has also created new security accountability issues. According to the FireMon 2018 State of the Firewall report, which surveyed more than 300 security professionals, nearly 40 percent of respondents indicated that the IT/cloud team or the application owner is responsible for network security in the cloud. Nearly one-fifth of respondents did not know who was responsible.

These survey results indicate people outside of the security organization are often responsible for cloud security. And, with all of the pressure on today’s thinly staffed security organizations, security pros are often in no hurry to change this situation because the cloud adds a massive new security management component to their already overworked staffs.  If ever there were a use case for security automation, this is it.

Automation with control

The idea of automating cloud network security is often alarming to security professionals. They are accustomed to manually creating and deploying security rules to keep IT assets compliant with enterprise security policy. To suddenly ask these pros to relinquish this job to automation is like telling someone to take their hands off the steering wheel for the first time with a self-driving car. It might make life easier, but it’s hard to let go.

However, there are technologies available today that provide cloud security automation in a way that also lets security pros sleep at night. One particularly ripe area for this type of automation is in change management. Security organizations often have a long checklist for change management, so they can fully understand the ramifications of any change to a cloud asset and ensure that the asset stays within the organization’s compliance structure. It is possible, however, to codify this change management process into automated workflows that include:

Change planning: Knowing what to change, obviously, is a critical first step to change management. For example, if the staff is managing 2,000 firewalls and needs to create an access path from one cloud asset to another, what device changes do they need to make? Using manual approaches, it can take weeks of tracing routes and understanding traffic flows to figure this out. Today, however, there is technology that can automatically identify the devices to be changed and then automate the architecture for the required changes, without having to go through those manual steps.

Risk assessment: Conducting risk assessment traditionally requires vulnerability scans and then a manual review of the results to understand if any particular change is going to open vulnerabilities. Today, this job can be done automatically with change management tools that provide a pre-change and post-change view of cloud assets to validate that changes stay within policy compliance guidelines.

Compliance testing: Maintaining compliance in the cloud is another daunting proposition for security pros. However, automated compliance testing tools can dramatically reduce risk and effort by ensuring that any changes do not cause assets to move beyond their established guardrails.

Rules cleanup and maintenance: Most organizations have firewalls and other devices with outdated configurations and mountains of useless rules. These legacy rules can lead to configuration issues that cause conflicts and vulnerabilities, so they must be cleaned up. For many organizations, manually cleaning up rules is simply not viable, because there are so many that need to be changed or eliminated and there simply are not enough manpower cycles to get it done. This is another area where available automation tools can eliminate useless rules across heterogeneous devices based on the parameters set by the security organization.

Beyond these automation capabilities, the next step in change management is to enable DevOps to self-implement security in a way that is always compliant with agency policy. This sounds like a “take the hands off the wheel” moment for security pros, but it isn’t, due to the emerging “intent-based security” trend. This approach to security enables security pros to establish the intent for any application or system, which is tied to a set of rules that ensure the intent is met. This sets specific guardrails for rules implementation, which then enables security to hand over implementation tasks to DevOps. With this approach, security can move as quickly as DevOps needs it to, because DevOps is automatically implementing the correct rules set.

We live in a time where automation is changing the security game, and this will only grow as intent-based security gains more prominence. This does not have to be a scary process for security pros. With the examples mentioned above, it is easy to see how automation is not automatic with machines running the show. More importantly, it is easy to see how security can achieve automation that eliminates untold hours of mundane manual labor, while giving security pros the confidence and control they need. This makes it practical for organizations to put cloud security where it belongs -- under the control of the security organization, but aligned with the needs of DevOps and the agency -- and that should let everyone sleep at night.

NEXT STORY: Outlook mobile gets updated security

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.