CIOs are struggling to keep up with the automation of all the various cloud configurations that they have to support, the different environments that they have to sync, and the standardization that they are driving across the networks which host the data stores that they are trying to monetize.
DevOps is rightly becoming the standard framework for making developers work hand-in-glove with operations to make sure whatever software gets built is actually deployable and easily updated.
The challenge, however, is that security frameworks have not evolved.
We had the opportunity to listen to Richard Mogull, CEO of Securosis, at the European Cloud Security Conference in Amsterdam last month. If you get a chance to listen to Rich present, don’t miss it. He is a natural presenter and gave by far the best presentation at the conference, on “Security and DevOps”. He argues that the resistance to automation of security is usually excused by a lack of trust and a reliance on people, the “meat cloud” or manual supply chain for security; that our security operational model (tools) and framework (process) are decoupling from the business and the rest of IT; and that there is an urgent and pressing need for trustable automation and an operational model to support it.
It is an interesting challenge and a lot easier said than done. CISOs are correct to be resistant to automation. Consider API service exposure: cloud service providers expose APIs and software interfaces so customers can interact with those services. Risk increases because the complexities of credential management systems, cryptographic key management, and automation require credentials to be handed off to third parties in order to enable their agency – “trust us... it works!” The truth is that with the velocity of these value-added service delivery components, their associated interfaces, credential management, and increased automation and M2M abstraction, security vulnerabilities are inevitable and credentials can be – and have been – compromised. The early days of SAML implementation for online shopping and CRM systems highlighted the threat to these services.
We believe that you have no choice but to assume that any outsourced infrastructure will at some point be compromised, if it has not been already. You can’t outsource trust, given the complexities on offer today and the people operating those resources on your behalf. It is also reasonable to assume that your own infrastructure is already compromised or will be in the (near) future. The more important and valuable your intangible assets are (your intellectual property, customer and supplier base, etc.), the more likely you are to be compromised.
The good news is there is an answer. You guessed it – KSI provides security automation via attributed networking: tag, track and locate every digital asset with real-time attribution back to a machine or human source. By applying that principle to configurations, it becomes possible to have real-time verification of the integrity of your network – independently of system administrators and outsourced service providers. There is no longer a need to trust anyone – you can verify all activity independently of the people who are working on your behalf.
When malware infects a crucial network or system component, the changed state of the asset provides a real-time alert, which can then be investigated and audited, and/or the behavior stopped, putting the odds back in favor of defense. With this real-time awareness, real-time incident response and real-time data-loss prevention, it is possible to detect and react to any misconfiguration or network, component or application failure.
CISOs are right to resist security automation, as security frameworks have not evolved in line with DevOps frameworks. KSI implemented into DevOps frameworks does provide security automation at the data level – independent verification and attribution for everything that happens on a network – eliminating the need for “meat” anywhere in the process.