The Nexus of Forces has introduced a Nexus of Danger, and security pros must face it head on through security automation.
Large enterprises have a lot of systems to secure. Some are legacy ancients operating on long-forgotten and undocumented magic. Others are merely middle aged, quietly thumping along and getting the job done with patches on top of their patches. Still others are brand-spanking new, bleeding-edge cloud and application platforms that carry the promise of doing things that may not have even been invented yet. And now, enterprise security practitioners are freshly challenged with a new confluence of technologies — Gartner calls it the “Nexus of Forces” — the convergence of mobile, social, and cloud.
Every enterprise has multiple generations of information technologies, each with security vulnerabilities that have yet to be addressed. Some vulnerabilities are inherently unavoidable, some can’t be addressed with existing technology, and a disturbing number are simply ignored. However, they all create opportunity for attackers seeking to exploit information and computing resources.
Enterprise information systems are multi-generational, disparate, complex, and yet deeply interconnected, communicating with one another on many levels to create sophisticated systems that turn information technology investments into business value. With these complex interactions comes additional risk, with vulnerabilities in one system exposing adjacent systems. The weakest link in these complex system chains can, and often do, compromise entire business functions. Complex interactions and complex systems beget complex vulnerabilities, the permutations resulting in millions upon millions of potential weaknesses ready to be discovered and exploited by ever more sophisticated attackers.
The issue of securing multiple generations of technologies is a huge challenge since they differ wildly, and younger generations, in particular, are more dynamic, distributed, and fast-moving. Merging technologies across generations exacerbates the job of mitigating exposures and protecting machine-to-machine and human-to-machine interactions. More skill sets, more specialists, more man hours, none of which are easy to procure.
The Nexus of Forces, combined with complex legacy systems, leads us to a Nexus of Danger — growing threat actors, a growing number of more dynamic environments, faster-moving computing models, staffing challenges, massive distribution of data and other assets. To the security practitioner, this new reality is overwhelming. So how can security professionals make meaningful progress in handling this new reality?
In a word: Automate.
Many I.T. delivery domains – software development, infrastructure management, application deployment – have already adopted deep automation to drive scale and speed. But because security has been mired in a perimeter-oriented mentality for decades, the need for automation really hasn’t been addressed effectively.
But in the past five years, innovative tools have been created that allow information security organizations to implement the same levels of automation and abstraction as their information technology counterparts. These technologies are capable of operating anywhere, at any scale, on demand. For enterprise security teams, this means less time spent on menial but necessary tasks, and more time spent on high-value human activities and keeping abreast of change. People are often the most critical of leaning too heavily on technical resources, but that’s because they forget that automation is what allows their human skills to scale. And in the environment security professionals operate within today, gaining that scale is critical.
So, what are the consequences of not automating security? Your people will be overworked and overwhelmed. Things will get missed. Mistakes will get made. It’s only natural. And eventually, the attackers will come. And what are the consequences then?
Feeling worried? Not surprising. Anyone responsible for security in a large, complex organization should be. The Nexus of Danger is converging, and there’s no way your team can keep up, even if you got all the budget and staff you asked for (which will never happen).
You have to develop dramatic new scale in your security operations, and the only way to accomplish that is through automation. It’s time to get serious about security automation, or suffer the consequences.
If you’re asking yourself the “what, why and how” around security automation, Forrester has published an independent report on the challenges, drivers and approaches to this problem in the context of cloud-based application infrastructure. It can be seen here, and the title contains a phrase that says it all: automate or die.