It’s time to stop thinking about security in terms of siloed toolsets and processes and start thinking about security as something to be integrated into the very fabric of the infrastructure, processes, and systems deployment of an enterprise. In fact, thanks to the cloud, APIs, and microservices, many aspects of security have become programmable and can increasingly be automated.
Security automation and orchestration certainly isn’t a new topic. At the turn of the century, when I was a reporter at InformationWeek covering information security, it was common for IBM to pitch stories and sell ideas around the role of security and autonomic computing. Back then, though, it wasn’t much of a story. The entire concept was only feasible to even consider in limited ways and in certain kinds of environments.
Today, however, security automation is much more attainable than it was back then. In fact, it’s time to think automate-first when it comes to security.
I’m not just speaking about automating security checks in enterprise continuous deployment pipelines. I’m talking about that plus continuous security monitoring and continuous policy compliance monitoring of an enterprise’s cloud environment for security threats and systems falling out of compliance. And I’m talking about the ability to automatically respond to vulnerable conditions. This is all about taking a close look at one’s environment and automating every aspect of security controls that can be reasonably automated.
Just as many organizations have a cloud-first policy, they should also have a similar policy, or at least a mindset, around automating security whenever possible. It should involve an understanding of the assets and data your organization is responsible for within your cloud service provider’s shared responsibility model.
Automation needs to embrace testing in continuous pipelines, with quality assurance and security acceptance tests automated as part of the standard workflow. It should also include continuous application and infrastructure security checks on production systems. In cloud environments, enterprises should make a practice of automating most aspects of security when they deploy infrastructure designed to specifications that are aligned with security policy. Because it is agile, the cloud enables security automation to include elements like infrastructure as code, elastic clouds, and DevOps.
Today, application development teams are pushing code out more quickly than ever. Perhaps a minimum viable product was deployed, and the team moved so quickly that not everything about how the app could impact their security posture was considered. Since oversights will only be spotted in a reasonable timeframe if tests on production systems are running, continuous security monitoring is essential.
The cloud makes aspects of the environment beyond just infrastructure and application scans programmable. Cloud infrastructures and APIs make it possible to interface with everything from identity and access management controls to networks, application scanners, infrastructure and storage. So, instead of calling security teams to go see what is happening every time there’s an issue, savvy enterprises are always monitoring for deviations from what an optimal state should look like.
Obviously, not everything in security can be codified or is accessible through an API, but today much of it is. And that’s what we are speaking about here: focus on those things that can be automated and continuously improve those processes. In areas where security can’t be automated, build the most effective processes possible and improve from there. One day soon, those processes too will be programmable. It’s time for an automate-first policy.