Auditing Automation

Posted 27.02.2016 in Automation, Security by Kim Halavakoski

The use of automation has fundamentally changed the IT landscape and made us more efficient in managing our increasingly complex environments. In this post I will explore the benefits and risks with increasing automation and how these risks can be mitigated  with proper auditing, risk management and planning.

Automation comes with a price: We as Auditors(CISAs, QSAs, PCI ISAs, etc.) who we rely upon to be our ethical regulatory compass ensuring that our people, processes and technology are compliant and secure, need to re-think our mindsets and methodologies. We, as auditors, need to make sure that the Agile and Lean #DevOps cultures we build and the tools we use are deployed and used in secure and compliant ways. We need to help the business to be more effective while maintaining security across the enterprise.

Auditing Automation

So how do we need to improve auditing automation and what do we need to do differently? What auditing challenges does automation bring to the enterprise?

Automation enables organisations to rapidly and consistently provision, configure and deploy servers and applications and infrastructures in ways that has not been possible before. This means that Infrastructure standards are easier to maintain and configuration drift is effortlessly detected, analyzed and mitigated. This is good news for security and  infrastructure components can be reliably assessed for security and compliance.

However, with great power comes great responsibility and although automation brings a long needed improvements to our environments it also brings new risks. Protecting the repositories that hold our infrastructure configurations and code is paramount. Protecting the tools that run our continuous integration, delivery and deployment pipelines is crucial. Protecting our developers, sysadmins and personnel tasked with developing and managing our infrastructures ia key.

We need to start focusing our audits on automation and understand how the security of automation infrastructure, tools and processes affect our security posture so that we can ensure that we don’t propagate errors, weaknesses and malicious mayhem into our automated environments. We don’t want Continuous Integration to become Continuous Intrusion.

We, the security experts and auditors, need to understand the business and the automation processes and tools that are used so that we can help identify and remediate the risks and weaknesses that come with using them. We need embrace automation so that we know it inside out and can help the business and Devops teams to deliver value while maintaining and improving security. We need to make sure our software and infrastructure is #rugged, that we build in security and not bolt it on in the last sprint, that we audit and assess the stuff that matters in the world of automation.

So go learn tools like  Jenkins, GoCd, Concourse, Ansible, Puppet, Chef and Gauntlt  so that you know what must be assessed and and how it can be done. Then use that knowledge to help developers and sysadmins secure your automated environments and help your business win!

Written by Kim Halavakoski

Kim is a hacker-minded, technology-geek that loves challenges. Having worked in the IT-industry for over a decade in ISP and large-scale financial networks configuring firewalls, networks, security technologies, log management/SIEM, automation, assessing risks and writing policies and governance processes.

Related articles

Keeping secrets in AWS

The ability to keep secrets is very important on the internet. There is always someone who tries to get access to anything that is available. A common way to keep…

Combining AWS CloudFormation with Ansible

Infrastructure as code is currently a hot topic. It gives advantages such as faster deployment, better security and improved stability. By using AWS it becomes a lot easier to use…

Are you DROWNing?

  Today a new SSL attack was released named DROWN Attack. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. You can read all the nasty details here DROWN Attack (CVE-2016-0800) To protect against DROWN,…