Automation + Security = False?

Posted 31.05.2015 in Automation, Security by Kim Halavakoski

Those who know me have seen/heard me rant and rave about automation, automation, automation like a crazy Steve Ballmer for the last few years and probably wondered what this “Security Guy” thinks automation will solve?

ballmer-developers-developers-developers

Will automation, with all its tools, scripts, recipes, playbooks and whatnots break security in new unforeseen ways and introduce new security vulnerabilities and weaknesses?

Just read these recent blogs analysing vulnerabilities in Docker images:

http://www.banyanops.com/blog/analyzing-docker-hub/
http://jpetazzo.github.io/2015/05/27/docker-images-vulnerabilities/

So Sure, undoubtedly all these new cool automate-all-the-things tools will introduce new security challenges.

But as with any new technology, there are upsides and there are downsides. So with automation, what are the security benefits and what are the risks?

I recently attended a presentation dubbed “Enterprise Automation” where the presenter went through the typical workflows in enterprise automation: Development, Continuous Integration, Continuous Deployment and showed how using these methodologies helps companies to be more lean and agile, to do more, faster and with less errors than before.

He then raised some questions about security challenges: How can we manage secrets, keys and passwords in a secure way when developers can push code directly to production, 100 times a day? (There are some tools for this, check out Hasicorps project Vault for example)

That being said and with the tools we have today, automation should result in a more standardised environment that increases security and compliance, not vice versa. No more snow-flake servers. No more uncontrolled configuration drift.

Automation is about keeping things simple, easy and controlled. Implementing standard configurations so that all assets are configured per defined, security approved configuration standards and monitoring for configuration drift, thus increasing predictability and enabling increased security and compliance. Even security can be automated with automated testing of code and configurations, ensuring that insecure(=failed) code and configurations do not get deployed to production.

Looking back at the various security challenges I’ve worked with during the past decade I believe the security benefits of doing automation outweighs the risks, the end result being better security than before. Today we have more code, servers and infrastructure supporting our services which means we don’t have time to work as we did back in 2005. We need to evolve and evolution means automation, even for security.

I’d much rather have some challenges with automating and managing passwords and keys in a secure way than having to worry about all the configurations on every asset in every network that I am responsible for.

By using automation, Security can focus on auditing the configuration standards and automation tools to ensure compliance. By using automation we know what configurations are deployed on the assets and we can focus on more complex challenges in securing our environments. The adoption of #devops(and #devsecops) in enterprises will further increase automation of the infrastructure and collaboration between teams, tearing down the proverbial silos that has hindered us from reaching our full potential and meet increasing business demands.

Done right and embraced by the Developers, System Administrators and Security Engineers, automation will improve the security in our environments.

Security + Automation = True
Written by Kim Halavakoski

Kim is a hacker-minded, technology-geek that loves challenges. Having worked in the IT-industry for over a decade in ISP and large-scale financial networks configuring firewalls, networks, security technologies, log management/SIEM, automation, assessing risks and writing policies and governance processes.

Related articles

Keeping secrets in AWS

The ability to keep secrets is very important on the internet. There is always someone who tries to get access to anything that is available. A common way to keep…

Combining AWS CloudFormation with Ansible

Infrastructure as code is currently a hot topic. It gives advantages such as faster deployment, better security and improved stability. By using AWS it becomes a lot easier to use…

Are you DROWNing?

  Today a new SSL attack was released named DROWN Attack. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. You can read all the nasty details here DROWN Attack (CVE-2016-0800) To protect against DROWN,…