Those who know me have seen/heard me rant and rave about automation, automation, automation like a crazy Steve Ballmer for the last few years and probably wondered what this “Security Guy” thinks automation will solve?
Will automation, with all its tools, scripts, recipes, playbooks and whatnots break security in new unforeseen ways and introduce new security vulnerabilities and weaknesses?
Just read these recent blogs analysing vulnerabilities in Docker images:
So sure, undoubtedly all these new cool automate-all-the-things tools will introduce new security challenges.
But as with any new technology, there are upsides and there are downsides. So with automation, what are the security benefits and what are the risks?
I recently attended a presentation dubbed “Enterprise Automation” where the presenter went through the typical workflows in enterprise automation: Development, Continuous Integration and Continuous Deployment, and showed how using these methodologies helps companies to be more lean and agile, to do more, faster and with fewer errors than before.
He then raised some questions about security challenges: How can we manage secrets, keys and passwords in a secure way when developers can push code directly to production, 100 times a day? (There are some tools for this; check out HashiCorp's Vault project, for example.)
That being said, and with the tools we have today, automation should result in a more standardised environment that increases security and compliance, not vice versa. No more snowflake servers. No more uncontrolled configuration drift.
Automation is about keeping things simple, easy and controlled: implementing standard configurations so that all assets are configured per defined, security-approved configuration standards, and monitoring for configuration drift, thus increasing predictability and enabling increased security and compliance. Even security can be automated with automated testing of code and configurations, ensuring that insecure (= failed) code and configurations do not get deployed to production.
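The configuration test and drift check described above, as an added example that is not from the original post: it reads an `sshd_config` the way sshd does (keywords are case-insensitive, the first value per keyword wins, `Match` blocks are conditional) and fails the pipeline stage on any deviation. The baseline values, sample files and function names are assumptions made for illustration.

```python
import sys

# Constructed baseline for illustration, not an official hardening standard.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
}

def parse_global_settings(text):
    """Effective global sshd settings: keywords are case-insensitive and the
    first value seen for a keyword wins; Match blocks are conditional, so
    parsing stops at the first one."""
    settings = {}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens:
            continue
        key = tokens[0].lower()
        if key == "match":
            break
        value = tokens[1].lower() if len(tokens) > 1 else ""
        settings.setdefault(key, value)
    return settings

def find_drift(text, baseline=BASELINE):
    """Return (keyword, expected, actual) per deviation; actual is None when
    the keyword is unset and the host silently relies on a default."""
    actual = parse_global_settings(text)
    return [(k, want, actual.get(k)) for k, want in baseline.items()
            if actual.get(k) != want]

# Constructed sample files.
COMPLIANT = "PermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\n"
DRIFTED = """\
PermitRootLogin no
# changed by hand on the host:
passwordauthentication yes
# ignored, because the first value wins:
PasswordAuthentication no
Match User deploy
    X11Forwarding no
"""

if __name__ == "__main__":
    findings = find_drift(DRIFTED)
    for key, want, got in findings:
        print(f"DRIFT {key}: expected {want!r}, found {got!r}")
    sys.exit(1 if findings else 0)  # non-zero exit fails the pipeline stage
```

The same function serves both uses the paragraph names: run against a rendered template before deployment it is a test, run on a schedule against live hosts it is drift monitoring.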
Looking back at the various security challenges I’ve worked with during the past decade, I believe the security benefits of doing automation outweigh the risks, the end result being better security than before. Today we have more code, servers and infrastructure supporting our services, which means we don’t have time to work as we did back in 2005. We need to evolve, and evolution means automation, even for security.
I’d much rather have some challenges with automating and managing passwords and keys in a secure way than having to worry about all the configurations on every asset in every network that I am responsible for.
By using automation, Security can focus on auditing the configuration standards and automation tools to ensure compliance. By using automation we know what configurations are deployed on the assets and we can focus on more complex challenges in securing our environments. The adoption of #devops (and #devsecops) in enterprises will further increase automation of the infrastructure and collaboration between teams, tearing down the proverbial silos that have hindered us from reaching our full potential and meeting increasing business demands.
Done right and embraced by the Developers, System Administrators and Security Engineers, automation will improve the security in our environments.
Security + Automation = True