Are security operations the weak link in the DevOps chain?
Thu 7 Apr 2016
In conjunction with Red Hat, The Stack’s security editor Richard Morrell will be at Cloud Security Expo at London’s ExCel centre next week to record more episodes of his highly popular podcast series Locked Down. Richard will be speaking with a host of the most interesting figures on the cloud security scene, and you’ll be able to catch up with the interviews here at The Stack, as well as on iTunes, Player.fm, SoundCloud or your podcast player of choice. But it’s not too early to ask an important question…
There are a number of reasons why security operations fail to grow and adapt to the increasing complexity of their host organisations, and they’re all addressable – but only if there’s will within the company. Too often the problem becomes institutional, and it takes a disaster for the necessary attention and resources to be allocated.
The growth and development of an organisation’s security operations should ideally match the undulating hills of the company’s own growth, as it adopts new frameworks and outsourcing systems – shadowed at every step by corresponding new routines and oversight by sec-ops.
Back in the real world, many organisations leveraging new global resources are still pinning their reputations on security models that are fifteen years out of date. No longer is it enough to send staff to industry-accredited security courses to pile up the requisite certificate points, as if the periphery of the enterprise were still defined by a single firewall rule-set, a group of leased lines and the need to manage the occasional remote road warrior. Yes, it was nice – but it’s over.
Security operations staff are required to protect both the architecture and the data flowing through it, but too often they live at odds with the new development initiatives which are driving the enterprise forward. If it’s too much to hope that the organisation’s innovative new work-flows and apps will factor in security before their worth is even proven – and yes, it is a lot to hope for – it is reasonable to expect that smarter working practices could make this traditionally tense alliance more resilient and responsive.
Traditional endpoint security was defined by the marriage of architecture and asset-protection both within and beyond the network firewall perimeter. But the evolution of outsourced IT means that security operations are now required to protect the reputation and contractual bargaining hand of their host organisations with external, cloud-based vendors.
Besides the engineering of services and frameworks within service-level agreements, the department also has to consider the exposure of assets via provisioned services and applications across multiple providers in the hybrid and public cloud. The outlying nodes in such a distributed operation can seem a very long way away from the traditional purview of sec-ops; and that’s assuming that sec-ops ever got a memo about them.
Out of range
Eventually an enterprise’s distributed and semi-outsourced work-flow is likely to cross over at several points between the public and private cloud, and to intersect with agile development frameworks and tools. There’s a lot of false comfort to be had at this intersection, because by the time it exists it has already been entered in the existing risk registers and has fallen under the protection of appliances and rules.
However, some of the worst security risks are too far down the chain to appear on any of these comforting lists of ‘known’ hazards: something as simple as an accidentally-introduced vulnerability at the provisioning or development tier; incorrectly-applied permissions; or a library or tool that is using a vulnerable binary or application beyond the tracking capability of security operations staff or tools.
It is therefore not enough to rely on the standard of traditional vulnerability scanning found in so many operations, or on the use of third-party UTM devices and after-market technologies – unless an organisation wants to be the first to get the exploit on the register.
But is there the organisational will to redefine security operations as a more proactive and less reactive force in organisational asset-protection?
At next week’s Cloud Security show at the ExCel I’ll be interviewing many of the movers and shakers in our industry and posing this and other questions to them. You’ll be able to find out the answers both in my column at The Stack and in the podcasts from Cloud Security. Be sure to tune in – I’m not taking any prisoners.