Automation + Security = False?

Posted 31.05.2015 in Automation, Security by Kim Halavakoski

Those who know me have seen/heard me rant and rave about automation, automation, automation like a crazy Steve Ballmer for the last few years and probably wondered what this “Security Guy” thinks automation will solve?

ballmer-developers-developers-developers

Will automation, with all its tools, scripts, recipes, playbooks and whatnots break security in new unforeseen ways and introduce new security vulnerabilities and weaknesses?

Just read these recent blogs analysing vulnerabilities in Docker images:

http://www.banyanops.com/blog/analyzing-docker-hub/
http://jpetazzo.github.io/2015/05/27/docker-images-vulnerabilities/

So Sure, undoubtedly all these new cool automate-all-the-things tools will introduce new security challenges.

But as with any new technology, there are upsides and there are downsides. So with automation, what are the security benefits and what are the risks?

I recently attended a presentation dubbed “Enterprise Automation” where the presenter went through the typical workflows in enterprise automation: Development, Continuous Integration, Continuous Deployment and showed how using these methodologies helps companies to be more lean and agile, to do more, faster and with less errors than before.

He then raised some questions about security challenges: How can we manage secrets, keys and passwords in a secure way when developers can push code directly to production, 100 times a day? (There are some tools for this, check out Hasicorps project Vault for example)

That being said and with the tools we have today, automation should result in a more standardised environment that increases security and compliance, not vice versa. No more snow-flake servers. No more uncontrolled configuration drift.

Automation is about keeping things simple, easy and controlled. Implementing standard configurations so that all assets are configured per defined, security approved configuration standards and monitoring for configuration drift, thus increasing predictability and enabling increased security and compliance. Even security can be automated with automated testing of code and configurations, ensuring that insecure(=failed) code and configurations do not get deployed to production.

Looking back at the various security challenges I’ve worked with during the past decade I believe the security benefits of doing automation outweighs the risks, the end result being better security than before. Today we have more code, servers and infrastructure supporting our services which means we don’t have time to work as we did back in 2005. We need to evolve and evolution means automation, even for security.

I’d much rather have some challenges with automating and managing passwords and keys in a secure way than having to worry about all the configurations on every asset in every network that I am responsible for.

By using automation, Security can focus on auditing the configuration standards and automation tools to ensure compliance. By using automation we know what configurations are deployed on the assets and we can focus on more complex challenges in securing our environments. The adoption of #devops(and #devsecops) in enterprises will further increase automation of the infrastructure and collaboration between teams, tearing down the proverbial silos that has hindered us from reaching our full potential and meet increasing business demands.

Done right and embraced by the Developers, System Administrators and Security Engineers, automation will improve the security in our environments.

Security + Automation = True
Written by Kim Halavakoski

Kim is a hacker-minded, technology-geek that loves challenges. Having worked in the IT-industry for over a decade in ISP and large-scale financial networks configuring firewalls, networks, security technologies, log management/SIEM, automation, assessing risks and writing policies and governance processes.

Related articles

Maritime Cybersecurity and IMO regulations

Cybersecurity is currently hot-topic in the Maritime industry due to the upcoming enforcement of the IMO cybersecurity risk resolution from the beginning of 2021. The IMO resolution Resolution MSC.428(98) -…

Ready for 2021?

The Maritime business is facing huge challenges with managing Cyber Security in their environments. The maritime regulator, International Maritime Organization IMO, has updated their regulations and guidelines to include cyber…

Congrats Kim!

Yesterday Thursday 7.11 CSO Kim Halvakoski was elected as a new board member of Tietoturva Ry, the official Finnish cybersecurity society. The national organisation maintains around 800 specialists and professionals…