Virtualization Technology News and Information
Automation Enables Speed AND Security


Written by Zach Malone, security engineer, FireMon

It's a cliché, but security teams have earned a reputation in businesses as "those people who say 'NO!'" This problem has become inflamed in the era of DevOps and cloud, because DevOps teams exist in a world of continuous delivery and digital transformation, while security often remains locked in the old world of manual policy enforcement. As a result, it is not unusual for DevOps to take a "deploy now, secure later" approach, and security teams are left struggling to keep pace.

To many organizations, this risky approach is simply the "price of innovation" in an age when hybrid infrastructures, digital transformation and other next-gen technologies are opening unprecedented opportunities. But, in many instances, choosing speed over security inflames enterprise risk - increasing the chances of misconfigurations, leaky buckets, insecure code, compliance failures and data breaches.

So, the question remains: In a world of constant change, how can security teams remove themselves as the "NO!" in innovation and keep pace with the speed of DevOps and the business? The answer lies in establishing an automated global security policy management framework.

Automated Does Not Mean Automatic

As we've discussed, because of today's dynamic business environments, it is no longer sustainable for security teams to manually write and deploy security rules that keep IT assets compliant with enterprise security policy. The process takes too long, and there's simply too much change for security teams to keep up. Automating policy management is the only way security teams can gain parity with the speed of DevOps and the business.

But it's important to note that automated and automatic are not interchangeable in this scenario. When I refer to automated policy management, what I mean is this: Humans set the security guardrails based on the business, security and compliance intent of an application or asset, and then machines ensure that the right access controls are automatically applied based on those guardrails. People are still part of the equation.

Automating policy management in this way does two very important things:

  • It ensures continuous security and compliance with enterprise policies, regardless of how assets change or move; and
  • It bridges the traditional gap between DevOps, business, security and compliance teams, and enables security to become a priority (rather than an afterthought) in development and business processes.

Automated Change Management

Change management is another area that is a great use case for automation. Despite the rate of change within organizations today, the typical security department still manages access requests and changes manually - using Excel spreadsheets. Every two weeks or so, security teams will revisit these spreadsheets to implement changes and assess whether those changes remain within the confines of the organization's security and compliance policies. But DevOps and business teams don't have weeks to wait for their requests to be fulfilled.

When it comes to automating change management, the easy answer for security teams would be to deploy systems that automatically enact change requests that remain within the confines of defined policies. But "easy" isn't always the right way to go, especially when it comes to securing devices on corporate networks. And this, too, is a great example of a case where automated does not mean automatic, because automatically enacting change can cause unintended consequences. One must also understand how the changes will impact security and compliance.

When security teams automate change without achieving visibility into the potential consequences of those changes, security and compliance risk escalates. By automating risk assessments, security teams gain a pre-change and post-change view of assets, so they can validate that changes do not introduce risk by causing assets to move beyond their established guardrails.

In short, when it comes to change management, automation must not only be applied to the process of enacting change, but it also must play a part in change visibility and risk assessments - so security teams can properly assess whether changes will impact security, compliance or the business.
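The pre-change and post-change assessment described above, sketched as an added example that is not from the original article or any vendor product. The zones, hosts, groups and rules are constructed, and the function names are hypothetical. It shows a membership change that edits no rule yet pushes an asset outside its guardrails, so it is routed to a person instead of being applied automatically.

```python
from itertools import product

# Human-set guardrails (hypothetical): zone pair -> ports allowed to flow.
GUARDRAILS = {("dmz", "app"): {443}, ("app", "db"): {5432}}
# Constructed inventory: host -> zone.
ZONES = {"web1": "dmz", "api1": "app", "api2": "app", "pg1": "db"}

def effective_flows(groups, rules):
    """Expand group-based rules into concrete (src, dst, port) flows."""
    flows = set()
    for src_grp, dst_grp, port in rules:
        for src, dst in product(groups[src_grp], groups[dst_grp]):
            if src != dst:
                flows.add((src, dst, port))
    return flows

def violations(flows):
    """Return the flows that fall outside the guardrail for their zone pair."""
    return {(s, d, p) for s, d, p in flows
            if p not in GUARDRAILS.get((ZONES[s], ZONES[d]), set())}

def assess_change(groups, rules, new_groups, new_rules):
    """Diff pre- and post-change violations; auto-apply only if none are new."""
    pre = violations(effective_flows(groups, rules))
    post = violations(effective_flows(new_groups, new_rules))
    introduced = sorted(post - pre)
    return ("needs_review" if introduced else "apply"), introduced

# Constructed current state: group membership and group-to-group rules.
GROUPS = {"frontends": {"web1"}, "backends": {"api1"}, "databases": {"pg1"}}
RULES = [("frontends", "backends", 443), ("backends", "databases", 5432)]

def with_member(groups, group, host):
    """Return a copy of groups with host added to one group (a change request)."""
    updated = {name: set(members) for name, members in groups.items()}
    updated[group].add(host)
    return updated

if __name__ == "__main__":
    # Request A scales out the app tier; request B edits no rule, yet it
    # exposes the database to the DMZ through an existing rule.
    for host in ("api2", "web1"):
        print(host, assess_change(GROUPS, RULES, with_member(GROUPS, "backends", host), RULES))
```
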

Removing the "NO!" from Innovation

Automating policy and change management in the right way aligns the security organization with DevOps, often resulting in an increasingly common interdisciplinary DevSecOps framework. Not only does this strengthen an organization's security and compliance posture, but it empowers the business to leverage digital transformation and other next-gen innovations without introducing enterprise risk. And this means there's no longer a trade-off between speed and security - and security is no longer the "NO" in innovation!


About the Author

Zachary Malone 

With more than a decade of experience, Zach Malone is a seasoned security engineer specializing in cybersecurity, compliance, networking, firewalls, IoT, IPSec, system deployment and orchestration. At FireMon, Zach delivers technical demonstrations and proof-of-concept evaluations to move prospective customers from service assessment to purchase.

Prior to joining FireMon, Zach was a security engineer at Cadre Computer Resources Co., where he helped organizations of all sizes design, implement, support and test security products and operations. Before that, he served as a Diamond/Escalation engineer at Check Point Software Technologies and a network administrator at Choate Professional Communications and Infrastructure.

Zach attained the CISSP certification in April 2018.

Published Wednesday, July 03, 2019 7:37 AM by David Marshall