The need for Automated Security Infrastructure in an Agile world
The landscape of IT is changing every day, and companies need to innovate in order to keep up with customer demand; this is best done with an agile infrastructure. A redesigned, automated security infrastructure is what companies need to pursue to ensure their business goals are aligned. The current industry is customer-driven, and companies need to make sure their infrastructure is up to the challenge of providing the products and services customers demand. Generation C, a generation of individuals who are always connected, needs a secure infrastructure to do so, and an automated security infrastructure can provide that.
An automated infrastructure allows companies to retool their infrastructure faster than the traditional model allows. In a customer-driven world, this is essential.
Business Problem
A problem that many companies have, and struggle to address, is automation. Automation allows companies and organizations to scale in whatever direction is needed to accomplish their business goals. It is a business challenge because, to this day, companies still can't manage to accomplish it in a uniform way. That's not to say it isn't possible; many companies have found ways to build out automated infrastructure, but it is something that even large enterprises tend to struggle with, either because of a lack of knowledge and experience, or a lack of drive from management.
Automation Predisposition
Something I often hear from people working in the technology field is an incorrect predisposition against automation, although this is anecdotal. Never mind the typical "automating yourself out of a job"; automation is seen as a trend we don't need, a quick way to failure. While this isn't without merit, it lacks logical sense. The assumption of a "quick way to failure" rests on the assumption that the system was incorrectly designed. The argument is the logical fallacy of post hoc ergo propter hoc: they implemented automation and it failed; therefore, automation is to blame.
Ways for Improvement
In order to build an infrastructure based on automation, and inherently on DevOps, you must ensure the infrastructure and team members are ready for the transition. The technology companies rely on must be prepared for this change. Technology for CI/CD (Continuous Integration and Continuous Deployment) pipelines will need to be implemented, along with automated testing toolkits to ensure what's being deployed meets industry and corporate standards and policy. Team members will need to be trained on the implementation and use of these tools, so training must be a priority. Proper change controls will also need to be implemented, because changing a dependency of an automated system without preparing it for the change could cause the system to fail. If microservices are used, API versioning can also be used to ensure teams can deploy quickly without affecting dependent systems.
Automation Policy
To ensure a smooth automation implementation, policy, standards, and guidelines must be written to ensure uniformity and clarity about the business' needs. Companies need to minimize management decisions that run against the business needs, and ensure managers understand the automation needs. All new technologies should provide API connectivity, either for internal team use to automate a task, or for the company as a whole. There should be some exceptions, for example COTS (Commercial Off-the-Shelf) software, or software for which API connectivity would be pointless. Whether an API is useful could be determined by management, or by a small team of subject-matter experts.
Automation and Business Alignment
Companies need to provide innovative products and services, and the classical software development methodologies can no longer support this. Company software development needs to scale, giving team members the ability to innovate at a faster rate. The infrastructure needs to scale both up and down, allowing more resources to be requested while also releasing unused resources to minimize waste. Ford isn't the only company that needs to implement this; dozens of companies are becoming technology companies to meet customer demand and to give team members the resources they need to explore new and innovative ideas.
Risk Acceptance
When it comes down to security, a great deal of caution is warranted when deploying an automated infrastructure. This bleeds into DevSecOps and risk acceptance. Traditionally, security teams have managed risk within the company; however, there is a trend to move risk acceptance over to the development teams. Some companies think that developers are capable of accepting risk; however, at a minimum this violates separation of duties. At some point in the CI/CD security pipeline, a security expert should review the developers' request. When creating an automated security infrastructure, security policies should not be created and immediately deployed without review by a security expert. I also come from a traditional security background and do not wish to repeat history. Systems were open, but there's a reason security was introduced.
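One way to put the separation-of-duties review gate described above into a pipeline, as an added example that is not code from the original post or from any particular CI product: classify the files a change touches, and refuse to deploy a change to security policy unless someone from the security team who is not the author has approved it. The path globs, reviewer group membership and the sample changes are all constructed for this example.

```python
"""Separation-of-duties gate for a CI/CD pipeline (added example, hypothetical).

Given a proposed change (author, changed files, approvers), decide whether it
may be deployed. Changes that touch security policy paths require an approval
from a member of the security team who is not the change's author.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Paths treated as security policy. Constructed for this example; note that
# fnmatch's '*' also matches '/', so "policies/*" covers nested paths too.
SECURITY_POLICY_GLOBS = (
    "policies/*",
    "iam/*.json",
    "firewall/*.yaml",
)

# Membership of the security review group; constructed sample data.
SECURITY_REVIEWERS = frozenset({"alice", "bob"})


@dataclass
class Change:
    author: str
    files: list
    approvals: set = field(default_factory=set)


def is_security_policy(path: str) -> bool:
    """True if the path matches any security policy glob."""
    return any(fnmatch(path, pattern) for pattern in SECURITY_POLICY_GLOBS)


def evaluate(change: Change) -> dict:
    """Decide whether the change may be deployed.

    Returns {"allowed": bool, "sensitive_files": [...], "reasons": [...]}.
    """
    sensitive = sorted(p for p in change.files if is_security_policy(p))
    if not sensitive:
        # Nothing security-relevant was touched; the normal review path applies.
        return {"allowed": True, "sensitive_files": [],
                "reasons": ["no security policy files touched"]}

    reasons = []
    # Self-approval never counts, even when the author is a security reviewer.
    if change.author in change.approvals:
        reasons.append(f"self-approval by {change.author} ignored")
    # Approvals from outside the security group do not satisfy the gate.
    non_security = change.approvals - SECURITY_REVIEWERS - {change.author}
    if non_security:
        reasons.append("approvals from non-security reviewers ignored: "
                       + ", ".join(sorted(non_security)))

    valid = {a for a in change.approvals
             if a in SECURITY_REVIEWERS and a != change.author}
    if valid:
        reasons.append("security approval by " + ", ".join(sorted(valid)))
        return {"allowed": True, "sensitive_files": sensitive, "reasons": reasons}

    reasons.append("security policy change requires an approval from the security team")
    return {"allowed": False, "sensitive_files": sensitive, "reasons": reasons}


# Constructed sample changes exercising each branch of the gate.
SAMPLE_CHANGES = {
    "app_only": Change("carol", ["app/main.py"], {"dave"}),
    "policy_no_security_review": Change("carol", ["iam/app-role.json", "app/main.py"], {"dave"}),
    "policy_self_approved": Change("alice", ["policies/db-access.yaml"], {"alice"}),
    "policy_reviewed": Change("carol", ["policies/db-access.yaml"], {"bob", "dave"}),
}

if __name__ == "__main__":
    for name, change in SAMPLE_CHANGES.items():
        decision = evaluate(change)
        print(f"{name}: allowed={decision['allowed']}; " + "; ".join(decision["reasons"]))
```

The decision dict is what a pipeline step would log and act on; the `reasons` list is deliberately explicit about which approvals were discounted and why, so an audit of the gate's output shows the separation-of-duties rule being applied rather than just a pass/fail.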
Conclusion
The world is increasingly customer-driven and requires companies to innovate at a faster rate. Automation provides companies with an infrastructure that can scale to the needs of the company. Automation allows companies to scale up the resources needed for a given project, then scale down when the project has completed, or keep the resources when the project is operationalized. Without automation, this isn't possible in a scalable way without drastically increasing administrative overhead. Technology can be used to minimize the administrative overhead of a scaling infrastructure, and companies that don't implement automation able to scale up and down when required could find themselves falling behind competitors that can quickly retool. Security needs to be able to hook into this automated infrastructure to provide access dynamically. For example, an application that needs database resources must be able to scale up and down with a security policy that allows access to only the resources it currently needs.
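The closing example, an application whose database access follows its scaling, as added example code rather than anything from the original post: scale events from a provisioning system are replayed into a policy state, each "provision" grants exactly the new instance and each "decommission" revokes it, so the policy in force never covers more than the instances that currently exist. The event format, resource names and policy document shape are assumptions; the event stream is constructed sample data.

```python
"""Keep an application's database access in step with its live inventory
(added example; the event format, resource names and policy shape are
assumptions, not a real provisioning system's API).

Each 'provision' event grants the application access to exactly that
resource; each 'decommission' event revokes it. Grants are never widened to
a wildcard, so the policy in force at any moment covers only the instances
that exist for that application at that moment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScaleEvent:
    kind: str      # "provision" or "decommission"
    app: str       # application principal
    resource: str  # database resource name, e.g. "db/orders-replica-1"


# Constructed sample event stream: 'orders' scales up to two replicas and
# back down to one; a decommission for a resource that never existed is
# included to show the no-op path.
SAMPLE_EVENTS = [
    ScaleEvent("provision", "orders", "db/orders-primary"),
    ScaleEvent("provision", "orders", "db/orders-replica-1"),
    ScaleEvent("provision", "orders", "db/orders-replica-2"),
    ScaleEvent("provision", "billing", "db/billing-primary"),
    ScaleEvent("decommission", "orders", "db/orders-replica-2"),
    ScaleEvent("decommission", "orders", "db/orders-replica-9"),
]


class PolicyState:
    """Current grants per application plus an audit trail of every change."""

    def __init__(self):
        self.grants = {}   # app -> set of resource names currently granted
        self.audit = []    # list of (action, app, resource) tuples

    def apply(self, ev: ScaleEvent) -> None:
        if "*" in ev.resource:
            # Refuse to turn a scale event into a blanket grant; a bug in the
            # provisioning side must not widen the policy.
            self.audit.append(("rejected-wildcard", ev.app, ev.resource))
            return
        held = self.grants.setdefault(ev.app, set())
        if ev.kind == "provision":
            if ev.resource not in held:
                held.add(ev.resource)
                self.audit.append(("grant", ev.app, ev.resource))
        elif ev.kind == "decommission":
            if ev.resource in held:
                held.remove(ev.resource)
                self.audit.append(("revoke", ev.app, ev.resource))
            else:
                # Nothing to revoke, but record it: a stray decommission is
                # worth noticing during an audit.
                self.audit.append(("revoke-noop", ev.app, ev.resource))
        else:
            raise ValueError(f"unknown event kind: {ev.kind}")

    def policy(self, app: str) -> dict:
        """Policy document for app, scoped to exactly its held resources."""
        return {
            "principal": f"app/{app}",
            "actions": ["db:Connect", "db:Query"],   # assumed action names
            "resources": sorted(self.grants.get(app, ())),
        }


def replay(events) -> PolicyState:
    """Apply a sequence of scale events and return the resulting state."""
    state = PolicyState()
    for ev in events:
        state.apply(ev)
    return state


if __name__ == "__main__":
    state = replay(SAMPLE_EVENTS)
    for app in sorted(state.grants):
        print(state.policy(app))
    for entry in state.audit:
        print(entry)
```

Because the policy is derived from the event stream rather than edited by hand, scaling down cannot leave a stale grant behind, and the audit trail records every grant and revoke with the event that caused it.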