How SREs and Automation Can Save Your Security Infrastructure
Fail fast, fail often. Survival depends not only on becoming a software company but also on leveraging DevOps, so that your organization follows the lead of Netflix, Google and other tech giants by deploying software updates and features across a multitude of platforms several times a day. But in what has become a mad rush to rely on a multitude of tools and platforms, including, of course, microservices and Kubernetes for a distributed framework to deploy faster and faster, many organizations are increasingly learning the hard way that many unforeseen challenges can get in the way of faster deployment cycles.
One of the main caveats is how the push-to-deploy at increasingly aggressive speeds can lead to, among other things, glaring infrastructure problems and security holes.
In other words, there’s been such an industry-wide emphasis on the shift to the left in software production pipelines that the right end of the production pipeline, such as infrastructure and operations management, has gotten short shrift, SaltStack chief technology officer and founder Thomas S. Hatch said.
“The industry as a whole has focused so heavily on empowering developers to deploy code that the actual maintenance of these systems has been neglected. And the whole Kubernetes movement has tried to wave this flag of ‘you’ve got Kubernetes now and so you don’t need to maintain these systems like you used to,’” Hatch said. “But that’s bogus, because there are more servers and systems that are deployed than ever before. It just happens that the systems that are being deployed are not being managed [properly] through the perspective of application deployment.”
As mentioned above, IT infrastructure security and management is thus increasingly lacking, Hatch said. “I feel that is part of the reason why there are so many breaches now and why there are so many more known issues in the wild — and why it’s just increasingly common for these new systems to be hacked,” Hatch said.
A knee-jerk reaction to fix what ails infrastructure is often to throw more resources at the problem. It is easy to hire more security staff, for example, based on the idea that more manpower will simply be able to focus more on patching and making sure code is secure throughout the entire production pipeline.
However, simply adding more manpower is far from enough to make up for the massive amounts of technical debt that many organizations have amassed and are increasingly finding impossible to resolve. Only by making the cultural shift of empowering the system reliability engineers (SREs) and automating both security detection and remediation can DevOps teams reasonably protect their infrastructure, Hatch said.
“As we look at how data centers are being managed right now, the whole SRE philosophy has become much more important — being able to look at an infrastructure entirely through the automation of the maintenance of that infrastructure is incredibly critical,” Hatch said. “And so, this is the big gap that we see SRE teams dealing with today: the gap between security operations and automating the actual deployment.”
Culturally, development and security teams too often “function with such fundamentally different scripts,” Hatch said. “But they’re trying to accomplish the same thing: an infrastructure that is up and an infrastructure that is secure,” Hatch said. “But because of the scale of systems that these teams have to manage is so much higher than it used to be — which is one of the main things that make the whole SRE movement important — they have to have automation to a granular level provided to them beforehand. They can’t go into these situations and say, ‘I’ve got to build all of the automation around securing my infrastructure,’ because there just isn’t enough time given, given the scale that they need to operate at.”
This is where automation plays a particularly important role. “The main premise is we’re trying to take in enabling SREs by providing automation and the workflows that bring these teams together that help you fulfill your job and help you actually deliver that secure infrastructure,” Hatch said. “This is something that we’re just seeing out there right now: infrastructures that are not being adequately secured and patched and kept up to date and hardened.”
To support the automation process, SaltStack says it has provided SREs and SecOps teams with the option of automating the discovery and remediation of security vulnerabilities across multicloud and on-premises infrastructures. Its recently released SaltStack Enterprise 6.1, for example, allows SREs and SecOps to automate both the vast majority of vulnerability scans and the critically important remediation processes, which DevOps teams increasingly just do not have the time to manage.
SaltStack also recently introduced its open source project Plugin Oriented Programming (POP) as the umbrella project for Heist and Umbra, which SaltStack also just launched. The releases are intended to help organizations better manage diverse deployments and networks often spread over a combination of on-premises and multicloud infrastructures.
“And we feel strongly that it’s not because of visibility or that the security industry is not showing us where these things are — it is that the automation is not in place, and that we haven’t provided SREs with the tools they need to automate” both security detection and remediation, Hatch said.
SaltStack’s new tools should go a long way in filling in the gap, Hatch said.
— BC Gain (@bcamerongain) November 19, 2019
“What happens is some organizations are offering [deployments] at 100 miles an hour, but they’re not doing it with an infrastructure capability that allows them to keep pace,” Sunday said. “And so, capabilities go up, but risk to the organization goes up as well.”
Instead, “companies in this space have the potential of simultaneously allowing you to be faster, better, cheaper and more secure,” Sunday said. “My point is that if you invest in this, it actually will cost you less, and allow you to be fast,” Sunday said.
The ability to deploy a change across 50,000 devices while automating the management of the compliance, security and privacy of your infrastructure is thus possible. “Coming from a CIO perspective, I want to simultaneously improve the capabilities of all stakeholders, reduce the risk for the organization and simultaneously be more cost-effective — that is the holy trifecta,” Sunday said.
Oracle is a sponsor of The New Stack.