The Case for Simple (But Not Too Simple) Automated Environments
Security by design is a core tenet of DevOps Security that even Einstein would appreciate.
There's a saying attributed to Albert Einstein that can be valuable when thinking about building, maintaining, and scaling secure architectures: "Everything should be made as simple as possible, but not simpler."
Security by design is a core tenet of DevOps Security that Einstein would appreciate. Security by design means that software is designed from the ground up to be secure, lest security is bolted on as an afterthought. Simplifying and automating distributed enterprise environments today thus prevents painful complexity tomorrow.
Simplicity is one of the greatest challenges facing any enterprise when designing robust architectures. This is because the very nature of enterprise architecture is complex and bespoke. The enterprise has to continually fight against entropy and simplicity is not straightforward. In the extreme, the vast array of new products, mergers, maintenance of legacy environments and more can lead to...technology sprawl, the bane of every CIO on the planet.
Technology sprawl is often a component of technical debt, the continuing trade-off of simplicity to get product releases online faster at the cost of simple and efficient architecture.
Build Bespoke or Go with Off-The-Shelf Software?
In today's enterprise we love to code. If data is gold, then code is the machinery that allows you to mine the gold (and keep in mind that Levi's made a pretty good business out of selling jeans to miners). But we tend to write more software than is necessary simply because we love to code so much. A trade-off exists between keeping environments simple using off-the-shelf software and building bespoke environments. We have to be careful because each application, and each line of code, is a potential Achilles heal — and a possible security vulnerability or compliance violation.
In the passion to build, we often over-build our infrastructure, lose efficiency and create additional vulnerabilities. You see this a lot with the sheer amount of wasted compute from over-architected environments.
A great example of fighting against that entropy is leveraging platforms such as Mesosphere's DC/OS. We can use platforms such as DC/OS to fight some of the challenges around the waste in enterprise. When orchestration software is used effectively, not only is wasted reduced, but container tools bring simplicity back to the environment. In many cases, you can get a triple win: scale, efficiency and security.
New Context has used this strategy in industrial data environments to help build a stronger deployment platform, while at the same time building stronger security and compliance into the environment. It has allowed us to get greater control of the infrastructure, along with increased flexibility for the engineering team to deploy services. We were able to maintain good visibility and streamline the audit process for compliance.
Applying this thinking to products such as DC/OS is an effective way to clean-up and get control of your architecture, bringing back a helpful level of simplicity.
To unpack this a little further and get into specifics, let's break down automated application security and secrets management in DC/OS.
DC/OS: Tactics and Techniques
Secrets management is one aspect of security complexity that has spiraled out of control at many enterprises. Secrets include certificates, encryption keys, connection strings, credentials, binary files and more. Operators, developers and services themselves need access to secrets in a secure and simple manner.
DC/OS provides a centralized encrypted and access-controlled location for secrets, and a simple and automated way to enroll or generate these secrets. When applications launch, they are automatically provided with the right secrets, decreasing the likelihood of configuration error.
DC/OS automates service application security by standardizing security functions (authentication, authorization and transport encryption) for service applications. Operators can quickly and easily configure and enforce a set of security policies using the DC/OS GUI, providing consistent and simplified security controls across any infrastructure.
All certified services are tightly integrated with DC/OS so that security controls are streamlined and standardized between services. For example, Apache Cassandra, Apache HDF, Apache Kafka and more can be configured for fully automated transport encryption, thus alleviating the burden of manually creating and distributing certificates, speeding implementation and making it more consistent.
Simplify and Set Up for Enterprise Computing Success
Simplicity takes a concerted effort, but if you're willing to invest the time needed to build-out a streamlined and straightforward infrastructure, then you might be able to clean up several problems at once and set your secure enterprise computing platform on the right track. It takes discipline and proper budgeting to build a simple infrastructure, but the benefits outway the costs. At the end of the day, the cultural mindset is what will keep your teams constantly thinking about constraining their architecture, and those constraints will save an incredible amount of headaches down the road.
About the Author
Daniel Riedel is the CEO of New Context, an innovator in data security for highly regulated industries. He's a trusted authority in data security for the industrial internet, speaking before the U.S. Senate Committee on Energy and Natural Resources, OASIS‘s Borderless Cyber and Johns Hopkins IACD and has been published in the "Washington Post," "Federal Times," "Wired" and "Dark Reading." Riedel has over 20 years of expertise building secure and scalable technologies, products and companies.