7 steps for implementing security automation in your IT architecture
What if you woke up tomorrow to discover that aliens were attacking your neighborhood and you are now responsible for protecting all the houses in your community? As part of this responsibility, you need to go to every house and inspect it to make sure there are no intruders and it's safe for residents. You also need to report on the layout of every house and everything around the entrances that could cause concern—and this needs to happen twice a day. Oh, and there are more than 450 houses in your neighborhood.
This situation could cause even the bravest alien adversary to run and hide. Yet this is a physical representation of what many software security professionals face daily while trying to ensure the security of various aspects of the software development lifecycle. In addition, they are tasked with ensuring visibility into anything that could negatively impact the people, software, or business concerning security.
Just as it is not practical to expect someone to physically inspect 450 houses twice a day to prevent alien invasion, no one can expect security professionals to accomplish all that is requested of them. At least, not without some help.
Cue the dramatic music as reinforcements appear!
Enter security automation, one of the primary ways that security engineers and architects can level the playing field when facing a growing volume of threats.
What is security automation?
Red Hat defines security automation as using technology that performs tasks with reduced human assistance to integrate security processes, applications, and infrastructure. The goal is to leverage every tool possible—such as scripting, servers, and channels—to support security-related efforts and tasks, so security objectives can be achieved in a repeatable fashion, with minimal human interaction.
What drives security automation?
Security automation is often driven by the need to align with various industry regulations, best practices, and guidelines, as well as internal company policies and procedures. Those requirements, combined with constraints on the human resources available to accomplish them, make automation in this space critical to success.
Two of the more common efforts in security are vulnerability detection and compliance.
The National Institute of Standards and Technology (NIST) defines a vulnerability as a "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source." Vulnerability scanning is the process of leveraging automated tools to uncover potential security issues within a given system, product, application, or network. There are many vulnerability scanning tools, but they fall into four primary categories.
- Software Composition Analysis (SCA) identifies vulnerabilities within open source and other third-party components.
- Static Analysis Software Testing (SAST) identifies vulnerabilities in a particular application's source code. This is typically done by assessing its dependencies while in a nonexecuted state. This can include scanning for plaintext passwords and other secrets.
- Dynamic Analysis Software Testing (DAST) identifies an application's vulnerabilities in its executed (dynamic) state. This is typically performed by simulating attacks against the application and evaluating how the application reacts.
- Interactive Analysis Software Testing (IAST) combines elements of DAST with various agents to detect and assess vulnerabilities down to a specific line of code in the application.
Compliance scanning is the process of leveraging automated tools to uncover misalignment with internal and external compliance requirements. The purpose of compliance scanning is to determine and highlight gaps that may exist between legal requirements, industry guidance, and internal policies on one side and the actual implementation of the given entity on the other.
A familiar example is the Health Insurance Portability and Accountability Act (HIPAA), the 1996 U.S. federal law that introduced the HIPAA Privacy Rule. The Privacy Rule is a collection of standards that specify how protected health information (PHI) can be used and how this information must be handled. To help uphold these standards, there are various compliance scanners that can parse through a code base, filesystem, or the like to determine if potential PHI is present and whether it is being handled appropriately. Failure to detect these occurrences can have significant legal and financial implications for a company.
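To make the two scan types above concrete, here is a minimal scanner in Python, written for this article as an added example and not taken from Red Hat or any vendor's tooling. It flags hardcoded secrets the way a SAST rule would and SSN- or MRN-shaped values the way a PHI compliance rule would, then returns a CI-style exit code. The rule patterns, the `scanner:ignore` suppression marker, and the sample input are assumptions constructed for the example.

```python
"""Added example, not from the original post: a tiny static scanner that flags
hardcoded secrets (SAST-style) and PHI-like values (compliance-style)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str   # "secret" or "phi"
    rule: str
    line_no: int
    line: str

# Assumed rule sets; a real deployment tunes these to its own code base.
SECRET_RULES = {
    "hardcoded_password": re.compile(
        r"(?i)(password|passwd|pwd|secret|token)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
PHI_RULES = {
    # US SSN shape, excluding area/group/serial values that are never issued.
    "us_ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "medical_record_number": re.compile(r"(?i)\b(mrn|medical_record_number)\s*[=:]\s*\S+"),
}

def scan_text(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, skipping lines marked scanner:ignore."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "scanner:ignore" in line:      # explicit, reviewable suppression
            continue
        for category, rules in (("secret", SECRET_RULES), ("phi", PHI_RULES)):
            for rule, pattern in rules.items():
                if pattern.search(line):
                    findings.append(Finding(category, rule, line_no, line.strip()))
    return findings

def gate_exit_code(findings, fail_on=frozenset({"secret", "phi"})) -> int:
    """CI gate: 1 when any finding is in a blocking category, else 0."""
    return 1 if any(f.category in fail_on for f in findings) else 0

# Constructed sample input: no real credentials or patient data.
SAMPLE = """\
db_password = "hunter2secret"
aws_key = "AKIAEXAMPLEKEY000000"
patient = {"name": "Test Patient", "ssn": "123-45-6789"}
release = "2023-11-03"
seed = "123-45-6789"  # scanner:ignore
"""
```

Running `scan_text(SAMPLE)` yields three findings (a password, an access key ID, and an SSN) while the date and the suppressed line produce none, so `gate_exit_code` returns 1 and a pipeline wired to it would block the build.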
Get others on board
Organizations sometimes say, "Security is everyone's job." While this is certainly true, it is important to remember that there are still people responsible for providing security strategy, guidance, and expertise. These people may include a CISO responsible for overall company security objectives, as well as security architects and engineers who focus on the strategic and tactical efforts to address those top-level security objectives. Nevertheless, everyone must work together to be successful. The product, project, development, and testing managers can prioritize and guide these efforts; the developers and testers support the software these objectives target.
Security can be hard to gather support for, especially when it feels like a hurdle or burden. Try these tactics to get organization-wide buy-in.
- Socialize: Socialize the idea that security issues are business issues that can negatively affect a company and everyone in it. If a customer decides not to purchase because of security concerns, that impacts everyone. People are the most critical part of security and automation adoption. Without culture change, things will be very difficult.
- Educate: Attempt to meet people where they are by providing security education for a basic understanding of security topics. People are more likely to go all in on security when they understand what they are being asked to do, why, and how it relates to the big picture.
- Support: Put policies, standards, and procedures in place to establish a concrete path toward security objectives. People need clear direction and dedicated focus, when possible. While many organizations are running lean and giving people multiple responsibilities, companies should do all they can to make the steps to success transparent and specific.
7 steps for implementing security automation practices
Here is a series of steps you can adapt to your organization's needs as you move forward with security automation. Try these practices for creating and working your security plan.
- Define objectives: What are you expected to align with? What do you need to accomplish? Articulating this is critical to guiding efforts and achieving success.
- Gather personnel: Identify key stakeholders and align with all those who will be involved. Make sure everyone is aware of the role that they will play.
- Scope out the appropriate environments and systems: Figure out all the places where security controls and security gaps could exist.
- Identify needed tooling: What tooling can be leveraged to meet the requirements above, including build vs. buy decisions? Minimize duplicated efforts by taking inventory and assessing what types of partial automation may already exist internally.
- Plan your implementation: Identify how and where the tooling will be used, including the various configurations and modifications, to meet your objectives. How will the tooling be set up and initiated?
- Start working the plan: Begin following the steps you've planned for, but make sure you can pivot quickly when necessary.
- Evaluate the implementation: Identify any divergences between the plan and its execution, then use that information to readjust. Did the tools work as intended? Were there problem areas uncovered by the way the tools were implemented?
Security automation may be the great equalizer in the ongoing effort to prevent security failures. While security engineers may not be defending the world from aliens, they are continually scanning for vulnerabilities that malicious actors with a variety of objectives could exploit. These actors already leverage automation to look for security gaps in everything from basic web applications to the critical resource infrastructure of entire countries.
Adopting security automation is how organizations will level the playing field. There's no need to run around maintaining all your defenses manually—deploy your reinforcements!