Practical security for the hybrid agency starts with intent
- By Matt Harter
- Mar 04, 2019
The world of cybersecurity has its fair share of challenges. Malware is growing increasingly sophisticated, cyber criminals are executing attacks with increased frequency and an epidemic of complexity has overtaken IT infrastructures. But, as troublesome as these developments are, cybersecurity’s greatest challenge is this: While business and development departments have undergone fundamental process re-engineering over the last decade that has made them dramatically more responsive and agile, security has made, at best, only incremental process improvements.
Why is this such an important issue? Because while the adoption of agile and DevOps initiatives has dramatically improved the speed and quality of application development, security still relies on manual processes that just can’t keep up. As a result, many government agencies prioritize speed over security, which introduces significant security and compliance risks -- chief among them is poor policy management.
Attempting to keep security policies up-to-date and effectively enforced in this new world is a massive challenge -- one that is exacerbated by the emergence of the “hybrid agency.” Policy enforcement was much easier when it was confined to a handful of devices and rules at the network perimeter. But, today, agencies are leveraging next-gen technologies, such as cloud computing, virtualization, software-defined networking, micro-segmentation, containers, etc., to make programs and initiatives more effective and efficient. While these technologies bring tremendous value, they have also obliterated conventional notions of the perimeter and created a massively diverse, distributed and constantly changing IT environment. This combination has introduced enormous complexity while causing the number of firewall rules to skyrocket.
From the security practitioner's point of view, the rules explosion, coupled with manual rule development processes, has resulted in several significant hurdles:
- Poor policy hygiene has become the norm, with organizations battling a chaotic mess of rules that are outdated, unused, redundant and out-of-compliance. Security policies, which are meant to mitigate risk, actually introduce it through security and compliance gaps.
- Organizations lack agility and efficiency, as manual processes impose a time penalty on application developers and owners, as well as the users of those applications. This is the source of the friction between developers -- who are rewarded for enabling the business -- and security teams, which need to slow things down to ensure policy compliance.
- Firewall administrators have become “access administrators,” spending most of their work hours developing and managing access rules rather than administering a strategic security function.
To overcome these challenges, there must be a fundamental change in security processes that eliminates the barriers between security and DevOps and enables security to move at the speed of business while mastering policy management across hybrid environments. Fortunately, this new model exists: it’s called intent-based security.
What is intent-based security?
At a high level, intent-based security enables security professionals to create and implement rules templates that translate system intent into policy enforcement. Before getting into specifics, though, it’s important to understand what is meant by “intent.”
Every system has a business intent. For example, the business intent of a customer relationship management system in the government is to give agencies a way to effectively manage constituent services and vendor relationships. Security intent goes hand-in-hand with business intent. With the CRM system, the security intent is to enforce policies around protecting taxpayer data to comply with regulations and prevent data breaches, while still allowing agency staff the access required to do their jobs. Fundamentally, this means implementing rules that reflect and enforce those security policies.
Marrying security intent with business intent, however, has been an elusive goal, because business, DevOps and security teams have traditionally worked in isolation. The intent-based security model effectively bridges the traditional gap between business, DevOps and security by enabling non-security personnel to determine the business intent of applications and security personnel to define the security intent (compliance and best practices). It then unites the two so that the actual firewall policy changes can be fully automated and meet both business and security requirements.
In other words, the security team sets the parameters for implementation based on the intent of the application or system, and DevOps implements it as part of its process -- making DevSecOps a reality. To break it down one step further, when security professionals understand the business intent of an application, they can create pre-approved rules templates that translate intent into policy enforcement. Rules can be automatically generated and applied to any new DevOps deployment directly by application owners and line-of-business leaders, giving them the ability to implement security on a “self-serve” basis. And the manual rules-writing process becomes a thing of the past.
How can agencies implement intent-based security? The answer lies in five core building blocks:
- Control automation - Automatically computes the correct policy based on security intent. Security professionals move from being access administrators to establishing security policies tied to specific assets and resources, with technology automatically generating the appropriate rules.
- Intent translation - Translates security intent into network policies and automatically enforces them. Translation takes into account specific compliance, business and security requirements when implementing the appropriate network policies.
- Monitoring and detection - Actively monitors the network security and compliance state and detects changes in real-time.
- Automated remediation - Automates corrective measures when security or compliance drifts, ensuring a state of continuous compliance.
- Orchestration - Coordinates change processes across hybrid environments, which plays a key role in agencies' ability to fully exploit the cloud in a secure way.
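As an added illustration (not FireMon's product code or anything from the article), the following Python sketch shows the intent-translation and monitoring/remediation building blocks working together: a pre-approved security template from the security team, a business intent declared by a CRM application owner, and a drift check whose output would feed automated remediation. The tier names, ports and template contents are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"

# Security intent (constructed template): which tier-to-tier flows and ports
# the security team has pre-approved. Anything not listed here is refused,
# so an app owner can self-serve without being able to open arbitrary access.
SECURITY_TEMPLATE = {
    ("internet", "web"): {443},   # TLS only from the outside
    ("web", "app"): {8443},
    ("app", "db"): {5432},        # only the app tier may reach the data tier
}

def compile_intent(app_intent):
    """Translate a business intent (list of (src, dst, port) flows) into
    firewall rules. Returns (rules, violations); violations are flows the
    template does not pre-approve and are reported instead of deployed."""
    rules, violations = [], []
    for src, dst, port in app_intent:
        if port in SECURITY_TEMPLATE.get((src, dst), set()):
            rules.append(Rule(src, dst, port, "allow"))
        else:
            violations.append((src, dst, port))
    rules.append(Rule("any", "any", 0, "deny"))  # default deny closes the policy
    return rules, violations

def detect_drift(desired, deployed):
    """Compare the desired rule set with what is deployed. Returns
    (missing rules to add, stale or unauthorized rules to remove)."""
    desired, deployed = set(desired), set(deployed)
    return sorted(desired - deployed, key=str), sorted(deployed - desired, key=str)

if __name__ == "__main__":
    # Constructed CRM business intent: the last flow (internet -> db) is not
    # pre-approved, so it is rejected rather than silently allowed.
    crm_intent = [("internet", "web", 443), ("web", "app", 8443),
                  ("app", "db", 5432), ("internet", "db", 5432)]
    rules, bad = compile_intent(crm_intent)
    # Constructed deployed state: default deny missing, one stale rule left behind.
    deployed = rules[:3] + [Rule("web", "db", 5432, "allow")]
    print("rejected flows:", bad)
    print("drift (add, remove):", detect_drift(rules, deployed))
```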
Security process re-engineering is long overdue, but the good news is that it is possible today with technologies that enable intent-based security. By creating a layer of abstraction that enables non-security personnel to implement the right rules -- and automating the management of those rules -- intent-based security not only simplifies policy management across hybrid environments, but it enables security teams to turn their relationship with DevOps from adversarial to collaborative. Once this happens, a new DevSecOps model emerges where security, finally, can keep up with the pace of DevOps.
Matt Harter is VP of product engineering at FireMon.