Security Think Tank: Automation is good, assumptions are bad

What is the best approach to automating information security?

Technology, even as far back as the agricultural revolution, is designed to make humans’ lives easier or better in some way. A large proportion of technologies are therefore dedicated to repeating manual processes, that is, automation.

Information technology is no different. When computers were first networked together, it was quickly realised that routing between multiple computers caused the processors to slow down, and so the first dedicated routing machines were created by Cisco. These so-called “routers” became the backbone of the internet, some quite literally.

As each new development in computing comes about, repetitive processes which require regular application are handled perfectly by dumb machines. Firewalls applying rules, virtual private networks (VPNs) creating secure connections, even log management platforms collecting logs and displaying them on a screen require little manual intervention. 

There is some setup required, of course, but this has always been the case – even the horse-drawn plough needed a human to attach the plough to the horse and set the horse off on the right furrow.

The worst mistake that can be made with a tool is not examining the requirement for it in the first place. To continue an already laboured analogy, consider the cattle farmer who has heard that horse-drawn ploughs are amazing tools, and have increased his neighbour’s turnover (pun intended) by a factor of 10. 

The cattle farmer invests in an incredible new machine, only to find his cows are not interested, do not produce more milk, and if anything are slightly put off by this sharp item they now have to share a field with. Conclusion: plough ends up in shed, expensively unused.

This rather simplified example is repeated across modern businesses on a worryingly regular basis. Requirements are assumed, risks are not quantified, benefits are not expressed in the correct way.

Automation can be a boon to business, of course, but only where it will make a difference. Another example, now in the 21st century, is big data. Investments in big data are... well, big.

Companies are investing sums of as much as $80m per deployment, without any clear strategy or reasoning as to why. It is known that big data can spot trends in data, use metadata that humans cannot see and process huge amounts of it in short periods. 

It is known that spotting trends in company data can show areas where new developments might come in useful. It is even known that big data shows up unexpected results, which could never have been planned for. What is not known, however, is how big data can ever show a return on investment where no return has ever been expected or planned for.

All programmes and projects need a few key things – executive support, governance, management and, finally, when all of that is in place, technology. From the very top, this requires a vision, a goal to reach, channelled into a project or programme with the guiding principles of an organisation, to avoid waste and create alignment. 

When all of the requirements of this goal are known and articulated, common sense needs to be applied to choosing a tool.

It is assumed that, in spite of the benefits of using automated tools, security process automation is still not widely used in business. This assumes that:

  1. The security tools being used already are not automating a process at a level we aren’t thinking about;
  2. The security processes we are focusing on need to be automated.

Think of the identity and access management (IAM) space for a moment. There are processes in a number of large organisations that are still performed manually: provisioning of accounts, starters, leavers and movers processes, and reconciliation. We look at these and think that we are failing if they are not automated to the Nth degree. 

However, look a bit deeper and think what is automated – collection and management of the identity: just because Microsoft Active Directory has been around for nearly 40 years now in one form or another, doesn’t mean it doesn’t do an incredible job. Quite the opposite, in fact – it does an incredible job, and that's why it’s been around for 40 years:

  • Authentication of users – a person doing that on a daily basis would still be verifying identities at the end of the day; 
  • Authorisation of users – complex management of each user would simply not be possible without automation. 

We take it for granted because we use it every day, but just because it is convenient, doesn’t mean it isn’t there.

The processes we build on top of it – provisioning, starters, leavers and movers (SLAM), reconciliation, and so on – are exposed as a result of automation. Just as routers and firewalls have management processes around them, so does IAM; it is just a little less developed and embedded in organisations at this stage.
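As an added illustration of the reconciliation process mentioned above (example code, not from the author or KuppingerCole), the check below compares a constructed HR feed with a constructed directory export and classifies each employee as a starter, leaver or mover, while flagging enabled accounts that have no HR owner; the record fields and the `reconcile` function are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HrRecord:          # assumed shape of one row in the HR feed
    employee_id: str
    department: str
    active: bool

@dataclass(frozen=True)
class DirAccount:        # assumed shape of one directory account
    employee_id: str
    department: str
    enabled: bool

# Constructed sample data: an HR feed and a directory export.
HR_FEED = [
    HrRecord("e100", "finance", True),
    HrRecord("e101", "sales", True),      # moved from finance
    HrRecord("e102", "it", False),        # leaver
    HrRecord("e103", "hr", True),         # starter, no account yet
]
DIRECTORY = [
    DirAccount("e100", "finance", True),
    DirAccount("e101", "finance", True),
    DirAccount("e102", "it", True),       # still enabled: access not revoked
    DirAccount("e999", "unknown", True),  # no HR record at all
]

def reconcile(hr_feed, directory):
    """Return starter/leaver/mover actions plus accounts with no HR owner."""
    hr = {r.employee_id: r for r in hr_feed}
    accounts = {a.employee_id: a for a in directory}
    actions = {"starters": [], "leavers": [], "movers": [], "orphans": []}
    for eid, rec in hr.items():
        acct = accounts.get(eid)
        if rec.active and acct is None:
            actions["starters"].append(eid)      # needs provisioning
        elif not rec.active and acct is not None and acct.enabled:
            actions["leavers"].append(eid)       # access should be revoked
        elif rec.active and acct and rec.department != acct.department:
            actions["movers"].append(eid)        # entitlements need review
    for eid in accounts:
        if eid not in hr:
            actions["orphans"].append(eid)       # account with no owner
    return actions

if __name__ == "__main__":
    for kind, ids in reconcile(HR_FEED, DIRECTORY).items():
        print(f"{kind}: {sorted(ids)}")
```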

Automation, in itself, is a process which needs careful management. There does not need to be any hurry to automate, just choosing the correct time and manner of doing so – otherwise you may end up with another expensive plough in your cattle field.

Robert Newby is an analyst and managing partner at KuppingerCole UK.
