I was nursing a strong cup of coffee when I spoke to Marc Boorshtein, the chief technology officer at Tremelo Security, an identity service broker that enables enterprises to integrate new applications very quickly.
The coffee was crucial, because Marc decided, as an example, to go through the manual process of deploying a new server. “First, install the OS; then install certain libraries; then install packages; then configure the packages; then lock down the server…”
“Stop!” I pleaded. “I get it!”
Marc was happy to oblige, because I just made his points for him: Rote activities are breeding grounds for security breaches.
“A human executing this deployment could very easily miss a step,” Marc pointed out. “And missed steps, or improperly executed steps, could create holes that wouldn't exist otherwise.”
And Marc pointed out another, related issue: Each of these steps has a different authentication layer. Is the user who logs into the VMWare console to generate an image the same one that logs in to the OS to install packages or harden the box?
“If a disgruntled employee were to want to inject something into the process,” he said, “could you track it back to that person?”
Automating the above steps would eliminate many of those concerns. A process that will execute consistently will minimize errors, and it can more easily be locked down by managing who is allowed to kick off the process.
The same is true for applications. When a user is added to a role in an application how do you know who did it? Did he or she have permission to do that? What was the reason? A manual process can't track these things. An automated process can.
Elizabeth Lawler, the CEO of Conjur, which sells a virtual appliance built for back-end data and infrastructure security, is also a proponent of automation.
“Layers, groups, and permission rules should all be automated,” she told me. “This will alleviate the human burden of permissioning and allow for greater flexibility and less maintenance in the long run.”
Elizabeth points out that automation should be built in from the beginning.
“Anything implemented in the cloud, to be done correctly, needs to be implemented from the beginning. You cannot expect to fill in the gaps later and later in the process, as they are more difficult and more expensive to fix.”
Elizabeth asked me to imagine the following scenario: the cloud is being used for development, test, and production environments. Developers often leave "back doors" in applications to facilitate agile processes. However the backdoors need to be closed by the time the app reaches production. This can often result in wasted time and refactoring of code because human hands must be involved in patching those doors.
By automating the security controls process through test/stage and production environments, and provably, separately administering and enforcing appropriate security policies across different environments, issues of leakage of poorer security policies to production systems are less likely.
DigiCert's Jason Sabin made a similar point when I spoke with him.
“By following predictable, logic-based processes for each data input or output,” he said.
“automation reduces human error that can cause major security issues.”
This view appears to be catching on in the IT community. In an October 2013 survey of 502 U.S. and U.K. IT managers and executives conducted by Tufin Technologies, respondents pointed to manual processes as a major cause of firewall outages and other security-threatening vulnerabilities.
Cloud automation offers a solution to many of these security problems because it gives IT managers the opportunity to use powerful configuration management tools like Puppet to control their systems and to ensure consistent security policies.
“This research shows that network security has become too complex to manually manage, especially with the introduction of new technologies such as cloud, virtualization and IPv6,” said Reuven Harrison, co-founder and CTO at Tufin, in a statement. “The key to meeting these challenges is automation and orchestration, which will increase IT agility while maintaining security and compliance across the network.”
Richard Sanchez, president of Miami-based cloud-computing company 0NL9, Inc., is a believer.
As far as security goes, Richard told me, “automation allows us to know a lot more a lot sooner.”
Recently 0NL9, Inc. has been using automation to enable clients to keep control of their documents.
“We use automation to track exactly what’s happening with a document: who’s sharing it, modifying it, deleting it,” he said. “Even a dedicated IT person couldn’t do that as well.”