Security Automation – As Easy As Making Tea?


I worry that a lot of my blog posts reveal that I’m getting older and older as the days go by, but I wanted to talk about teasmades and security automation.

For those of you outside of the UK, and even those born in the UK within the past 30 years, there’s a distinct possibility you may read this and consider it to be a made-up word, but there is indeed such a thing as a teasmade – effectively a small machine for making tea that has a timer on it. You might yet be puzzled about why I’m bringing it up in the context of security, but stick with me whilst I explain.

The parallels

As hard as it might be to believe, there are, in fact, several parallels between security and the teasmade:

  • Achieving a good cup of tea is an art form of a sort: simple in concept but with a surprising amount of nuance.
  • The setup for automation of a cup of tea in the morning might require more effort than you’d think for something that is meant to simplify your life.
  • Sometimes, a cup of tea made by hand is better than a cup of tea made automatically.

Now, let’s do a quick find and replace, swapping “a cup of tea” for “security.”

Achieving good security is an art form of a sort

Lest you think there’s only one way to make tea (and many Brits like me would argue in favour of this), there are, in fact, a great number of ways to brew a pot – people write books about it! Unfortunately, the same is very much true for security automation, as whilst there are some best practices, what makes for a good solution in one environment may not work in another.

Whether it’s Group Policy configuration, Ansible deployments, virtual machine templates, or post-deployment hardening scripts, there are a lot of options for your automation. Choosing the right one for you isn’t as simple as plugging in the right teasmade or the right tool – it requires careful design.

The setup for automation of your security might require more effort than you’d think

When the teasmade was widely available, people accepted that the steeped tea probably wasn’t the best tea they ever had, but they were excited about it being there, automatically, when they woke up in the morning. However, automated tea still requires some level of effort. And so too does a security automation solution – there’s a lot of initial setup work to make it viable, as well as effort to keep on top of its needs, be it agent updates or customisation for your network.

With this in mind, it’s also important to consider your team’s skills. Whether it’s best to build scripts from scratch or leverage pre-written options may dictate what’s best to automate and where to focus your training efforts. If you can bring together the right processes and ingredients that you know will work well together, you’ll be able to automate more effectively, and you will appreciate the level of effort automation needs to be useful.

Sometimes, a cup of tea by hand is better than a cup of tea made automatically

I love automation – I want things done for me whenever they can be. But sometimes, there’s a lot to be gained by spending the time brewing the tea myself and developing the ritual of carefully selecting the right ingredients, brew time, temperature, drinking vessel, etc. You could trivialise those decisions, but they do matter and they will impact the end result. I want everyone to think about security in a similar way – I want them to think it’s easy to do, but I want them to think that the simple thing has some assumptions that sometimes we should revisit. We can’t just assume the right security control is in place because we have automation or that the control is correct for every situation, just like I wouldn’t assume that every cup of tea will turn out the same if I just let it brew for the same amount of time (especially if I don’t control for other variables).

When you’re automating, you’ll want to measure things out, experiment in a test environment, and make sure you’ve accounted for as many variables as you possibly can. You’ll want to build the test cases thoroughly and have a tight feedback loop that helps to ensure you end up with a solid result, one you can recreate consistently because you understand each of the components.

It’s important to note that I’m not suggesting you should be manually implementing each of your security controls one by one on each and every host or instance you deploy. But you most definitely should be considering how you handle exceptions to the security procedure or processes that require new security workflows that “break” the automation cycle. For example, you should know how to revert the configuration change in the event of an issue or a new requirement cropping up.

The right cup of tea… for you?

All of this is to say… I’m actually a coffee drinker 99% of the time, and I mainly make tea for friends and family. But I have drunk tea and definitely know a good one when I taste it. For your security automation investments, there’s a need to be a “conscious tea drinker” – it doesn’t have to be your favourite drink (or solution) when you could have a coffee (or buy a fancy new server for something other than security), but you need to be competent in creating a good, balanced cup of tea – just like you need to be good at building a good, balanced security automation service within your business.


