Practical security for the hybrid agency starts with intent

 


By enabling non-security personnel to implement the right rules, intent-based security not only simplifies policy management across hybrid environments, but it also drives a collaborative DevSecOps culture.

The world of cybersecurity has its fair share of challenges. Malware is growing increasingly sophisticated, cyber criminals are executing attacks with increased frequency and an epidemic of complexity has overtaken IT infrastructures. But, as troublesome as these developments are, cybersecurity’s greatest challenge is this: While business and development departments have undergone fundamental process re-engineering over the last decade that has made them dramatically more responsive and agile, security has made, at best, only incremental process improvements.

Why is this such an important issue? Because while the adoption of agile and DevOps initiatives has dramatically improved the speed and quality of application development, security still relies on manual processes that just can’t keep up. As a result, many government agencies prioritize speed over security, which introduces significant security and compliance risks -- chief among them poor policy management.

Attempting to keep security policies up-to-date and effectively enforced in this new world is a massive challenge -- one that is exacerbated by the emergence of the “hybrid agency.” Policy enforcement was much easier when it was confined to a handful of devices and rules at the network perimeter. But, today, agencies are leveraging next-gen technologies, such as cloud computing, virtualization, software-defined networking, micro-segmentation, containers, etc., to make programs and initiatives more effective and efficient. While these technologies bring tremendous value, they have also obliterated conventional notions of the perimeter and created a massively diverse, distributed and constantly changing IT environment. This combination has introduced enormous complexity while causing the number of firewall rules to skyrocket.

From the security practitioner's point of view, the rules explosion, coupled with manual rule development processes, has resulted in several significant hurdles:

  • Poor policy hygiene has become the norm, with organizations battling a chaotic mess of rules that are outdated, unused, redundant and out-of-compliance. Security policies, which are meant to mitigate risk, actually introduce it through security and compliance gaps.
  • Organizations lack agility and efficiency, as manual processes impose a time penalty on application developers and owners, as well as the users of those applications. This is the source of the friction between developers -- who are rewarded for enabling the business -- and security teams, which need to slow things down to ensure policy compliance.
  • Firewall administrators have become “access administrators,” spending most of their work hours developing and managing access rules rather than administering a strategic security function.

To overcome these challenges, there must be a fundamental change in security processes that eliminates the barriers between security and DevOps and enables security to move at the speed of business while mastering policy management across hybrid environments. Fortunately, this new model exists: it’s called intent-based security.

What is intent-based security?

At a high level, intent-based security enables security professionals to create and implement rules templates that translate system intent into policy enforcement. Before getting into specifics, though, it’s important to understand what is meant by “intent.”

Every system has a business intent. For example, the business intent of a customer relationship management system in the government is to give agencies a way to effectively manage constituent services and vendor relationships. Security intent goes hand-in-hand with business intent. With the CRM system, the security intent is to enforce policies around protecting taxpayer data to comply with regulations and prevent data breaches, while still allowing agency staff the access required to do their jobs. Fundamentally, this means implementing rules that reflect and enforce those security policies.

Marrying security intent with business intent, however, has been an elusive goal, because business, DevOps and security teams have traditionally worked in isolation. The intent-based security model effectively bridges the traditional gap between business, DevOps and security by enabling non-security personnel to determine the business intent of applications and security personnel to define the security intent (compliance and best practices). It then unites the two so that the actual firewall policy changes can be fully automated and meet both business and security requirements.

In other words, the security team sets the parameters for implementation based on the intent of the application or system, and DevOps implements it as part of its process -- making DevSecOps a reality. To break it down one step further, when security professionals understand the business intent of an application, they can create pre-approved rules templates that translate intent into policy enforcement. Rules can be automatically generated and applied to any new DevOps deployment directly by application owners and line-of-business leaders, giving them the ability to implement security on a “self-serve” basis. And the manual rules-writing process becomes a thing of the past.

How can agencies implement intent-based security? The answer lies in five core building blocks:

  1. Control automation - Automatically computes the correct policy based on security intent. Security professionals move from being access administrators to establishing security policies tied to specific assets and resources, with technology automatically generating the appropriate rules.
  2. Intent translation - Translates security intent into network policies and automatically enforces them. Translation takes into account specific compliance, business and security requirements when implementing the appropriate network policies.
  3. Monitoring and detection - Actively monitors the network security and compliance state and detects changes in real-time.
  4. Automated remediation - Automates corrective measures when security or compliance drifts, ensuring a state of continuous compliance.
  5. Orchestration - Coordinates change processes across hybrid environments, which plays a key role in agencies' ability to fully exploit the cloud in a secure way.
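
The following sketch is an added example, not code from the article or from any product: it shows a pre-approved template being translated into firewall rules for the CRM case, then drift detection and remediation against the rules actually enforced. The template format, tier names, ports and addresses are all assumptions made for illustration.

```python
# Added illustration; every name, tier, port and address here is constructed.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int

# Security intent: pre-approved flows (source tier, destination tier, TCP port)
# written once by the security team per data classification.
TEMPLATES = {
    "taxpayer-data": [("web", "app", 8443), ("app", "db", 5432)],
}

def translate(intent, templates=TEMPLATES):
    """Expand an application owner's declared intent into concrete allow rules."""
    flows = templates.get(intent["classification"])
    if flows is None:
        # No pre-approved template: fail closed and leave it to security review.
        raise ValueError(f"no template for {intent['classification']!r}")
    rules = set()
    for src_tier, dst_tier, port in flows:
        missing = {src_tier, dst_tier} - set(intent["tiers"])
        if missing:
            raise ValueError(f"intent does not define tiers: {sorted(missing)}")
        src = str(ip_network(intent["tiers"][src_tier]))  # rejects malformed CIDRs
        dst = str(ip_network(intent["tiers"][dst_tier]))
        rules.add(Rule(src, dst, port))
    return rules

def detect_drift(desired, observed):
    """Compare the enforced rules with the computed policy."""
    return {"missing": desired - observed, "unapproved": observed - desired}

def remediate(observed, drift):
    """Rule set after removing unapproved rules and restoring missing ones."""
    return (observed - drift["unapproved"]) | drift["missing"]

# Business intent declared by the CRM application owner (constructed sample).
CRM_INTENT = {
    "classification": "taxpayer-data",
    "tiers": {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24"},
}
# Rules found on the firewall (constructed): a manual any-to-db rule was added
# and the approved app-to-db rule was deleted.
OBSERVED = {Rule("10.0.1.0/24", "10.0.2.0/24", 8443),
            Rule("0.0.0.0/0", "10.0.3.0/24", 5432)}

if __name__ == "__main__":
    desired = translate(CRM_INTENT)
    drift = detect_drift(desired, OBSERVED)
    print(drift, remediate(OBSERVED, drift) == desired)
```

The application owner supplies only the classification and tier addresses; an intent with no matching template raises an error rather than producing rules.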

Security process re-engineering is long overdue, but the good news is that it is possible today with technologies that enable intent-based security. By creating a layer of abstraction that enables non-security personnel to implement the right rules -- and automating the management of those rules -- intent-based security not only simplifies policy management across hybrid environments, but it enables security teams to turn their relationship with DevOps from adversarial to collaborative. Once this happens, a new DevSecOps model emerges where security, finally, can keep up with the pace of DevOps.
