Automated security for the new paradigm of work

Attackers have shown themselves to be opportunistic, agile, and ruthless in exploiting current events over the past year. As enterprises continue to evolve their usage of IT, the area where many have the most critical need for support is in securing their usage of emerging technologies. As lockdowns and quarantines forced enterprises to adopt a remote model for most day-to-day interactions, collaboration tools experienced immediate and explosive growth. To accommodate this new way of working, underlying IT infrastructures changed drastically and immediately as well. Security practitioners have struggled to keep pace.

The “new way of working” referenced here encompasses a broad category of digital business enablers including software development, cloud infrastructures, analytics programs, and other capabilities that are the focus of many enterprise technology transformation projects. Our experience helping companies trying to secure these capabilities has shown that automation of security controls is the most effective approach to maintaining the right level of governance and oversight.

Security - the disabler of transformation

Companies in every industry are faced with the need to scale their IT operations quickly and efficiently while also remaining competitive in their industry and relevant to their customers. Developing software and, more importantly, creating the capability to develop software, while also transitioning workloads to the public cloud and adding other new technologies, subject the enterprise to significant new risks that usually are not matched by a corresponding growth in security capability. Thus, risk may constitute one of the largest roadblocks to achieving transformation objectives when using emerging technologies. Predictably, many technologists view security as a roadblock to progress. Historically, it has been. The engagement model for security in many organizations literally roadblocks new technology usage by forcing interactions with the security team at key points in engineering processes. Understaffed security teams exacerbate the issue when they cannot engage in a timely manner or, much worse, when they engage in a timely manner but not effectively, creating the illusion of risk management but not the reality.

Accelerated deployment = accelerated risk

To overcome the non-security challenges of new technology deployments, many organizations have adopted Development Operations (DevOps) practices that combine developers and operations staff (e.g., cloud engineers) in unified teams. The idea is for everyone involved in delivering a product or capability to collaborate in real time, breaking down silos and maintaining alignment on key goals. While DevOps concepts have been marinating in the minds of industry thought leaders for well over a decade,[1] they have only recently achieved widespread adoption, with an estimated 35% of companies performing software development activities having adopted DevOps only within the past three years.[2] The benefits of DevOps are demonstrable and clear. According to the SANS Institute, companies that employ DevOps deploy new product versions 46 times as often as non-DevOps teams, and they recover from software and infrastructure failures nearly 100 times faster.[3] However, the cyber risks created by DevOps-enabled technology deployments that do not include security in their processes are also magnified and accelerated proportionally.

Controlling cyber risk for new technology deployments requires overcoming three distinct challenges: capacity, visibility, and decentralization.

Scarce talent, wrong skills

It is tempting to attack security roadblocks by doubling down on the lessons of DevOps. Embedding security professionals into engineering teams to provide direct support when needed could reduce the need for security interactions, at least in theory. Unfortunately, most security teams lack the capacity to try this. A typical Fortune 500 company might have hundreds of ongoing technology projects but only a small handful of security professionals (or none at all) devoted to the specific domains of security where expertise is required (e.g., application security, cloud security, data security, etc.). Further, the capacity of those security practitioners who are available tends to be strained by other, more immediate, threats to the environment. Finally, for those organizations with an appetite to hire, the required security skills simply might not be available in the market. Readers who have tried to hire a cloud security architect in the past several years have no doubt experienced this.

Invisible clouds

The term “shadow IT” has historically referred to business technology usage at the team or department level, outside the control of enterprise IT. While shadow IT may be difficult to spot in the on-prem environment, it is virtually impossible to identify in the cloud. Anyone with a credit card can create a cloud account, upload company data, and rapidly scale cloud resource usage without any oversight at all. Security teams simply cannot monitor what they cannot see. The issue is further exacerbated in cases where teams are performing software development in the cloud. Besides the security of the cloud assets themselves (e.g., the storage buckets, test servers, etc.), the insecure outputs of the development process can quickly and easily be mass deployed with a few keystrokes by an errant developer. Thus, a single individual can completely change the attack surface of an enterprise without the security team even knowing that there was the potential for risk in the first place.

Distributed control

Enterprise security policies often lag the technology that they are intended to govern. Further behind are the enforcement mechanisms that are expected to monitor compliance. So, new technology in the enterprise is often unaccompanied by clear rules for acceptable usage or appropriate enforcement mechanisms to ensure the rules are followed. Further, in cases where policies have been drafted for new technologies, the technologies themselves may defy enforcement. Such is the case with cloud where the account owner, whoever that might be, is the one who sets policies for all the assets under the account. Thus, even in cases where security is aware of an instance of cloud usage, they may have little or no control over how those resources are consumed.

Security automation - the enabler of transformation

Automation can transform security into an enabler for emerging technology by simultaneously addressing each of these challenges while also controlling cyber risk effectively. While SecDevOps concepts have tried to effectively manage risk for DevOps teams when deploying new technologies, there is no industry-standard methodology informing teams how to integrate them. So, when architecting security for integration with new technologies, it helps to consider a structure that aligns with the types of activities that DevOps teams will perform.

In a series of future articles, the automated security controls that can effectively support each category of activities will be examined in detail. We will examine the challenges for security with each category of technology development activities listed above. We will also provide lessons learned and describe recommended approaches to overcome identified challenges.


[2] [3] SANS, Australian Cyber Conference: Exploring the DevOps Toolchain, 2018: