The Equifax example: Bridging the gap between Security and DevOps
Mon 25 Sep 2017
If you are a security type you couldn’t help but witness the recent calling out of Equifax’s CISO, Susan Mauldin, and her subsequent departure alongside the company’s CIO. While their parting was procedural and indeed predictable, there is a school of thought that says this was simply a knee-jerk reaction to shore up a tanking share price and a reputational hit unsurpassed since the days of Enron, and potentially now even dwarfing the VW exhaust emission scandal.
Whether Equifax can recover from this in the long term is still to be seen. Being an international corporation with substantial cash reserves and resources puts it in a far better position to attempt a turnaround than many.
However, the ongoing fallout and the frankly appalling PR capability haven’t helped, and demonstrate that the damage limitation exercise at Equifax is still very much in its infancy, and a project that one would hope stabilises.
As both a security professional and a security commentator, I have a foot in two distinct camps: one in which I tell the story accurately, and the other in which I point out a salient security reality. A reality where the scorn and fury pointed at Equifax could be better harnessed as a wake-up call to every company on the planet to realise that there is a substantial and very real gap emerging that cannot be ignored.
For every major organisation where the IT department comprises engineering, operational IT, developers and potentially programme managers, the shortfall is in security, where an insufficient headcount is left to bridge the gap between risk and stability. The gap between developers and security personnel has never been bigger. Traditional change control is still not aligned with today’s need for continuous integration and continuous development environments.
While many DevOps and Agile teams have been allowed by weak management to build scrums and motor on with few security controls and few security interconnects, my suggestion is to reboot basic thinking.
Security and DevOps
Many security professionals struggle hugely to keep up, on a daily basis, with the fast-moving needs of developers and operations staff who now need to get an application or service from the test and development environment to live faster than ever before. Security teams are not experts in which Open Source libraries are needed for the safe and secure running of a specific web server or application stack. They also don’t tend to have Python, Ruby or Java skills, and rely on the developer to have taken care of how an application utilises underlying resources or privileges. This is exactly where the wheels fall off.
The quality and capabilities of security professionals vary by vertical, dependent entirely on the needs of the business. Banks and FinTech organisations, for example, generally attract security experts who also understand governance and inter-organisational pain.
Security certifications are partly to blame for the chasm. Many of the standard examinations and security courses do not provide the fast-emerging skills needed for cloud, containers and automation. Instead, they provide the overarching security baseline capability without which we wouldn’t be able to provision our platforms or build controls around data, authentication, network hardening and asset protection. The role of the CISO in this food chain is to provide overall ownership, guidance, steering, air cover and mentoring to their security teams, and to carry a reporting responsibility to the parent business.
CISOs in many FTSE100 companies are trying to hire to fill the gap between typical enshrined security operations and DevOps, but this is becoming increasingly difficult.
The inability of developers to understand the need for ‘misuse cases’ matters, because misuse cases are an important justification for change control. Instead, we are seeing the retrofitting of behavioural practices into a live operational platform – an activity that becomes much harder to track, own and evolve once an organisation has burst out to the public or hybrid cloud. Not your usual security triage, more a plaster on a gaping wound, but sadly all too typical in most IT departments where security is a scarce resource.
Throwing stones at glass houses
For those pointing at Equifax: an entire multimillion-pound, transactional, multi-territory IT platform that handles close to two billion queries a day, securely, had a minor breach. A minor breach caused by an oversight – the gap between operational security and the developers and applications team.
It is a minor breach that will be remembered for a decade to come. It destroyed trust and confidence and caused institutional shareholders to sell off stock in the subsequent fire sale.
Nothing caught fire on the platform apart from the reputation and share price of the host company. The CIO and CISO will also be out of work for a long time, tarnished by the public perception of the handling of this outage and the loss of confidence caused by weak governance and poor leadership. It goes further than this too. Would you employ someone now who cited Equifax security on their resume at any time in the next six months or so? An entire global team marred by a simple gap in understanding of business need.
If you read this article and think it couldn’t happen to you, then you are in a tiny minority of operational IT staff who know every line of source code, every API call and every behavioural aspect of your infrastructure, and who sleep at night content that you’re secure. I certainly don’t know anybody who sits in that camp.