Your engineering team is one of your organization’s greatest assets. But it can also be your greatest liability.
As most security experts know, the biggest cybersecurity risk to your business is your own employees. In fact, ninety-five percent (95%) of all security attacks in 2014 involved human error, according to a study by IBM. But “human error” does not just include email phishing scams and lost cellphones; every time an employee performs manual work on your infrastructure, there is an opportunity for security exposure.
For example, twelve percent (12%) of security attacks are a result of failure to keep known vulnerabilities patched. Keep in mind that these are vulnerabilities that your engineers know about and have patched before, but can simply forget to update on a new server. Your team’s inability to launch infrastructure from templates and run automated tests — for things like SQL injection or for known weaknesses like Heartbleed — virtually guarantees that vulnerabilities will slip through the cracks.
The answer? Automate cloud management and testing. Reduce the likelihood that human error can expose your infrastructure to attack.
The goal of cloud automation is to create repeatable, “perfect” templates of your environment build-out, from spinning up a virtual server instance to bootstrapping OS configurations and deploying into production. (We discuss this automated process in detail here.) In fact, migrating to the cloud provides a critical opportunity to improve your security posture by increasing the number of processes that can be automated and providing tools to facilitate infrastructure automation.
Cloud automation has the potential to solve several security challenges:
- Automation significantly reduces the opportunities for your engineers to make manual cloud security errors. When your new server instance is built from a well-tested template, there is zero chance for your engineer to create a private VPC that is not locked down to internet traffic. Tool: AWS CloudFormation
- Automation significantly reduces customization; when different environments are built by different engineers at different times, it makes it difficult to gauge the impact of a feature change on security. Automation decreases the risk of unexpected security implications of any future updates. Tool: AWS CloudFormation, Puppet (or any configuration management tool like Ansible, Salt, etc.)
- Automation ensures that historical vulnerabilities continue to be patched. When another zero-day vulnerability like Heartbleed occurs, you patch SSL (or the affected package) once in a single configuration script and therefore guarantee that every instance known by the Master receives the latest version. Tool: Puppet
- Automated testing, a standard part of any automated deployment pipeline, can be used to both decrease the likelihood of unintended downtime and expose potential security risks. Tool: Jenkins, AWS CodeDeploy, automated testing frameworks
- Automation ensures that all changes to your environment are documented and version-controlled. You will not only know who did what (which monitoring could tell you), but you can also instantly roll back to an earlier version of your infrastructure in the case of error. Tool: AWS CloudFormation, Puppet, AWS CodeDeploy
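As an added illustration of the template-testing idea in the list above (this is not code from the original post or from Logicworks), here is a small check a deployment pipeline can run over a CloudFormation template: it fails the build when any security group admits inbound traffic from the whole internet, the kind of mistake a well-tested template is meant to rule out. The template, its resource names and the CIDR values are constructed for the example.

```python
import json

# Constructed sample template (not from the original post): "AppSg" is locked
# down to an internal subnet; "BastionSg" was left open to the world by mistake.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "app tier, reachable only from the LB subnet",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "CidrIp": "10.0.1.0/24"}]}},
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "SSH mistakenly open to every address",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "-1", "CidrIpv6": "::/0"}]}},
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {}}}})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "any source" in IPv4 and IPv6


def find_open_ingress(template_json):
    """Return (resource, protocol, ports, cidr) for every security-group
    inbound rule that admits traffic from any internet address."""
    template = json.loads(template_json)
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue  # only security groups carry ingress rules
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in WORLD_CIDRS:
                continue  # internal CIDR or a source security group: fine
            proto = str(rule.get("IpProtocol", "-1"))
            # IpProtocol "-1" means every protocol and every port
            ports = "all" if proto == "-1" else f"{rule.get('FromPort')}-{rule.get('ToPort')}"
            findings.append((name, proto, ports, cidr))
    return findings


def template_passes(template_json):
    """Pipeline gate: True only when no rule is open to the internet."""
    return not find_open_ingress(template_json)


if __name__ == "__main__":
    for finding in find_open_ingress(SAMPLE_TEMPLATE):
        print("OPEN INGRESS: %s proto=%s ports=%s from %s" % finding)
    raise SystemExit(0 if template_passes(SAMPLE_TEMPLATE) else 1)
```

Run against the sample, the script reports both offending rules on BastionSg and exits non-zero, so the stack never reaches CloudFormation with the hole in place.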
Ad hoc manual work is risk, and automation is designed to reduce risk. But this does not mean your cloud will “run itself”; after all, highly-skilled engineers are required to maintain those templates and scripts. Cloud automation merely changes the nature of infrastructure maintenance work from using the console or CLI manually to writing scripts. Rather than doing the same task over and over again, your systems engineers can patch it once and move on to more important things, like supporting product releases.
Despite common perceptions, you do not need to have greenfield apps to achieve automated infrastructure. The vast majority of what was outlined above can be achieved with any monolithic application. However, you do need engineers with very specialized skills who understand the security implications of cloud automation. At a time when the average enterprise security incident can cost nearly $3.79 million and the government is threatening increased fines for leaked data, finding this team — or outsourcing this work — will be the best cloud security decision you make in 2016.
Logicworks is an enterprise cloud automation and managed services provider with 22+ years of experience transforming enterprise IT. Contact us to learn more about our managed cloud solutions.