5 ways to improve security automation

If you're like every other enterprise today, one headache that never seems to go away is security. There's always some new zero-day vulnerability, competitor data breach, or organization victimized by ransomware. That means development halts for patching and remediation, costing the business time and money. It never ends; these days, it feels like it's only getting worse.

[ Check out the guide to boosting hybrid cloud security and protecting your business. ]

There is no end of articles about security and related products and offerings. This article doesn't cover specific how-to's. A quick Google search will do that for you. Instead, I'll suggest things you need to consider when implementing solutions and how to make them as painless as possible for your users and team members. These suggestions are based on our team's experiences with security at IBM.

1. Standardize everything

As my colleague Sanjeev Kumar Marimekala explains, standards are everything. You can't automate anything if you don't know your end goal. You need to define the golden state that you want your automation to establish and maintain.

The right people with the right skill sets should determine how your enterprise operates going forward. You also need to agree as an enterprise that these standards must be followed by everyone, with no exceptions. Without these agreements, you'll just end up back where you started, with a fragmented environment and snowflake applications everywhere.

Finally, you need to pare down your technology stack. You can't automate and standardize every technology you want to use, so you must decide what's strategic and keep the focus.

[ Check out Red Hat's Portfolio Architecture Center for a wide variety of reference architectures you can use. ]

2. Map the road ahead

Now that you have your standards, establish your final goal. For example, at IBM, we've chosen to build security into the fabric of our infrastructure to make it as invisible and seamless to the end user as possible.

That makes sense for us, but you need to consider what works for your business and your organization, keeping in mind the amount of time and effort you're willing to invest in securing the enterprise. Will you go with a homegrown solution? Rely on a vendor to handle it for you? Implement a mix? Determine which choice is right for you.

One essential part of security automation that you'll likely want to tackle before anything else is monitoring. If you don't know where your issues are, you won't catch critical exposures in your environment and won't know what to prioritize for automation. The bottom line is to automate monitoring your environment, if you do nothing else.

Even if you don't have the time or budget to automate remediation, you can at least target areas for manual fixes. There are many fantastic articles and products around this space (including How we designed observability for a hybrid cloud platform), from basic infrastructure monitoring to code scanning to network vulnerability scanning and more.

[ Implement automation across your organization. Download The automation architect's handbook. ] 

Another thing to keep in mind is transition planning. You won't get all of this done at once, nor should you. As you figure out what areas to target first and focus your automation efforts accordingly, you will undoubtedly face challenges rolling out your new standards and processes to your environment. If you didn't set standards before, you'll be met with resistance from teams with their own priorities and commitments to the business that don't understand why you're trying to change things on them. Ensure your executives are in lockstep with your strategy, so the need and message are communicated clearly to help everyone succeed.

3. Use the right tools for the right job

So you've started rolling out monitoring across your environment, and you're getting a pretty good idea of what you need to tackle first. Now is the time to think about the tools for each job. What tool you choose will depend on various factors unique to you: What will let you move fastest? What will be the most flexible? What will be the most sustainable over time? And, of course, what is the cheapest?

At IBM, we use various tools depending on the situation, but our primary workhorse is Ansible. The modular format has given us a lot of flexibility in our extremely diverse environment, allowing us to adapt automation more easily for technologies that aren't commonly supported by other tools on the market.

[ Download Ansible for DevOps ]

We combine that with several different tools in our ecosystem, such as building security-conscious CI/CD pipelines with tools like Tekton and GitHub, monitoring with Dynatrace and Instana, image scanning, antivirus, access management... the list goes on.

The choices you make about your tools won't always be easy. Try to keep in mind your ecosystem as a whole and choose tools that will integrate well together, or you'll risk wasting time on custom integrations. Companies like Red Hat that offer comprehensive toolsets may be a good place to start, but no one company will provide everything you need.

4. Prepare for success

Finally, you've defined your standards, decided on your toolsets, and from your monitoring, you know what areas to target first. It's time to think about how this all fits together into an end-to-end experience. How do you reach a point where security is completely invisible to your developers and users, and you rarely have to think about patch windows, downtime, or even data breaches again?

This probably won't be too bad if you just have a small presence on a public cloud. The cloud vendor does a lot of the heavy lifting for you. Your teams can leverage the vendor's tools to create a uniform build process for your company, eliminating much of the manual and maintenance work that traditionally goes into security.

However, if you're like IBM or any other enterprise operating in a hybrid cloud, you'll face opportunities and challenges. The possibilities are exciting, such as the ability to fully customize your company's infrastructure and code-deployment process, providing a tailored experience that best fits the needs of your team rather than a one-size-fits-all approach from a vendor or public cloud. Your team also gets to face new challenges, solve interesting problems, and learn various new skills that contribute to their and your organization's growth. That's an important mindset to keep, as there are many challenges you'll face.

[ Create an organizational culture that fosters innovation and keeps teams unified. Download The IT executive's guide to building open teams. ]

As mentioned earlier, you will likely face resistance from development teams that see your changes as unnecessary, especially before you have a full ecosystem and provisioning platform to support them. There are a huge (and growing) number of areas involved with security that you'll need to continuously consider and figure out how to manage behind the scenes as you tie each one together. The transition process will be longer than you (or your executives) would like. How do you hide all of this to create a seamless experience?

5. Know that experience is everything

How you build your user experience around security will depend on the results you want to see and the platforms you choose. For example, if you're using virtual machines (VMs) or bare-metal servers, you'll likely need to create golden images with security built into them, followed by automation to maintain their secure state. You'll need to keep those images secure with an automated pipeline, implement automated testing, decide on cadences for automation to avoid disruption to the business, and wrap it all behind as simple a provisioning platform as possible. You can turn the complexity of everything you're doing behind the scenes into simplicity with abstraction.

The platform isn't the only determining factor. The types of applications you most commonly run can play a role in what security automation you select. Are you creating a lot of web apps? You may want to invest in automatic SSL certificate provisioning. Are you running many databases storing regulated data? Ensure you have encryption built into the platform for data at rest and in transit.

[ Learn how to explain DevOps in plain English ]

There are too many considerations to list here, but I hope you get a better idea of your goal. The more security you've built into your environment and the easier it is to use, the faster your teams can develop and the more value you'll see over the long term.

Finally, it's a good idea to consider what you do want to show the developers and their upline management. What sort of security metrics are important to your organization? How do you measure success? In all likelihood, you'll want easy-to-use views and reports on things like patch levels, known vulnerabilities, and simple actions and automation that teams can use to control when issues are fixed to avoid business disruption (within reason). You must limit the options here to avoid slipping away from your standards again. You may even want to use that data to drive further automation and even artificial intelligence (AI) to resolve issues quickly. The endless security battle means the possibilities are near limitless.

Wrap up

I'll summarize the points I covered:

• Pick your strategic technologies and create standards around them.
• Define what success means for you and roll out monitoring to find your urgent issues.
• Pick the right tools for your organization and the problems you need to solve.
• Start your rollout and begin tying the experience together.
• Obscure all of your hard work behind a seamless experience to drive the business forward.

I hope this has been a helpful read, especially for those struggling with moving forward when the problem seems so large. The lessons we've learned are that you can't do it all at once, so pick your priorities, take things one at a time, and eventually, you'll be able to bring it all together into something new and beautiful. Best of luck on your own journey!

---

This article originally appeared on Hybrid Cloud How-tos and is republished with permission.