Auditing Automation

Posted 27.02.2016 in Automation, Security by Kim Halavakoski

The use of automation has fundamentally changed the IT landscape and made us more efficient in managing our increasingly complex environments. In this post I will explore the benefits and risks with increasing automation and how these risks can be mitigated  with proper auditing, risk management and planning.

Automation comes with a price: We as Auditors(CISAs, QSAs, PCI ISAs, etc.) who we rely upon to be our ethical regulatory compass ensuring that our people, processes and technology are compliant and secure, need to re-think our mindsets and methodologies. We, as auditors, need to make sure that the Agile and Lean #DevOps cultures we build and the tools we use are deployed and used in secure and compliant ways. We need to help the business to be more effective while maintaining security across the enterprise.

Auditing Automation

So how do we need to improve auditing automation and what do we need to do differently? What auditing challenges does automation bring to the enterprise?

Automation enables organisations to rapidly and consistently provision, configure and deploy servers and applications and infrastructures in ways that has not been possible before. This means that Infrastructure standards are easier to maintain and configuration drift is effortlessly detected, analyzed and mitigated. This is good news for security and  infrastructure components can be reliably assessed for security and compliance.

However, with great power comes great responsibility and although automation brings a long needed improvements to our environments it also brings new risks. Protecting the repositories that hold our infrastructure configurations and code is paramount. Protecting the tools that run our continuous integration, delivery and deployment pipelines is crucial. Protecting our developers, sysadmins and personnel tasked with developing and managing our infrastructures ia key.

We need to start focusing our audits on automation and understand how the security of automation infrastructure, tools and processes affect our security posture so that we can ensure that we don’t propagate errors, weaknesses and malicious mayhem into our automated environments. We don’t want Continuous Integration to become Continuous Intrusion.

We, the security experts and auditors, need to understand the business and the automation processes and tools that are used so that we can help identify and remediate the risks and weaknesses that come with using them. We need embrace automation so that we know it inside out and can help the business and Devops teams to deliver value while maintaining and improving security. We need to make sure our software and infrastructure is #rugged, that we build in security and not bolt it on in the last sprint, that we audit and assess the stuff that matters in the world of automation.

So go learn tools like  Jenkins, GoCd, Concourse, Ansible, Puppet, Chef and Gauntlt  so that you know what must be assessed and and how it can be done. Then use that knowledge to help developers and sysadmins secure your automated environments and help your business win!

Written by Kim Halavakoski

Kim is a hacker-minded, technology-geek that loves challenges. Having worked in the IT-industry for over a decade in ISP and large-scale financial networks configuring firewalls, networks, security technologies, log management/SIEM, automation, assessing risks and writing policies and governance processes.

Related articles

Ready for 2021?

The Maritime business is facing huge challenges with managing Cyber Security in their environments. The maritime regulator, International Maritime Organization IMO, has updated their regulations and guidelines to include cyber…

Congrats Kim!

Yesterday Thursday 7.11 CSO Kim Halvakoski was elected as a new board member of Tietoturva Ry, the official Finnish cybersecurity society. The national organisation maintains around 800 specialists and professionals…

Kritisk sårbarhet i Microsoft Remote Desktop(RDP)

En kritisk sårbarhet har hittats i Microsofts Remote Desktop Services, eller RDP.  Remote Desktop Services(RDP) - tidigare känd som Terminal Services, används för fjärrstyrning av Microsoft Windows operativsystem. Sårbarheten är…