Securing Your Software Defined Infrastructure Part 1: Divergence
Order is the expected result. A set of defined operations with known possible outcomes resulting in a desired state. Each input measured and submitted into a process with defined parameters, designed to result in a single, quantifiable output. The expected result is repeatable...logical.
Order is calming. The intricacies and detail within the causality of order are like a beautiful symphony. Each small piece performs its ordinary, designed function, yet the complete movement is extraordinary. Calm is peaceful, safe...secure.
When does order translate into feelings of beauty and security? When perception allows it. As with the defined parameters of an operation, human perception depends on understanding of the operation. A person educated in a process can understand the variables, quantify their impact on the equation, and even define the parameters that create order. Without that understanding, they interpret the same process as chaos.
Education is key to the perception of order; however, education is not always realistic or the best investment.
Throughout human history, a certain level of broad understanding has been expected, sometimes required, to live. Social norms, laws and even safety measures have evolved over time and have become a part of the basic education required to function in society. Although important to life and liberty, we often obtain a basic understanding of these areas and rely on abstraction in the place of a full education. An example of such a safety related subject is lightning.
To many, lightning is chaos, and it has been a part of human life from the beginning. Perceptions of lightning vary, but commonly include thoughts of random, dangerous and even deadly strikes. Safety education for the masses consists of basic measures such as staying indoors, or staying away from trees if caught outside. The majority of people are not educated in how and when lightning forms, the conditions in the air masses, or why it takes the path it does. They just know it exists and that it is dangerous.
Educating everyone on the intricacies of lightning and electrical current is unreasonable, so we abstract that knowledge into electrical standards, grounding requirements, and the use of lightning rods. Rather than attempt to prevent lightning strikes, we direct them to reduce risk. People will not stop going outside, and we cannot herd everyone into a bunker every time a storm overhead builds up charge, so we focus on their behavior. We secure where they will be and provide both automated and manual mechanisms to protect them.
Securing your software defined infrastructure requires the same thought process.
Change in Values
The most valuable commodity throughout human existence is knowledge. Once barren land was irrigated with knowledge. Empires were built with knowledge. Disease was eradicated with knowledge. And as far back as ancient times, temples were built to protect this knowledge. It is in our DNA to value knowledge and the beautiful, yet impenetrable, fortresses we built around it.
In the 20th and 21st centuries, knowledge was stored on magnetic disks instead of chiseled in stone or scrawled on animal skin. The fortresses, although similar in security posture, lacked architectural elegance – unless you find concrete walls, hot and cold aisles and the hum of hundreds of server racks elegant. Regardless, data centers required a large investment in land, utilities, equipment and people, and finding people with the knowledge required to maintain each of these became the most difficult variable in the equation.
Just as the investment in data centers outgrew the value of the data they protected, a perfect storm of innovation occurred: virtualization and automation. Hardware virtualization took the industry by storm, providing a brief fiscal reprieve to companies with data centers. Widely accepted, virtualization had very few barriers to entry. It demanded no transformation of values or thinking and no real architectural change, as network, server and security operations continued to be infrastructure-based, albeit on abstracted infrastructure.
Automation, on the other hand, previously limited to scripting within an application or an OS, was transformed. No longer confined to user space, automation was explored for new capabilities and behaviors began to change. Application engineers could now package an application with a VM, including its OS and network connection. Application delivery was transformed as it was abstracted away from infrastructure.
Technology was forever changed.
Abstracted infrastructure, now so important to operations and automation teams, became increasingly consumable with virtual private hosting and later "cloud". Yet the paths of thought transformation in the automation and operations teams never converged, because each team's consumption model differed. The decades-old investment in data temples, and in the people required to operate and secure them, was a bond that grew increasingly hard to break. Operations teams, required to keep the infrastructure running, were tied to legacy finance models and their associated behaviors: investment in infrastructure-related training and little tolerance for innovation. Continuing to care for and maintain expensive infrastructure, these teams became increasingly efficient at deployments within the data center but remained unaware of the cultural and knowledge shift occurring outside it.
Meanwhile, automation and application teams became increasingly aligned with the business, where innovation is king. These teams were able to consume differently, deploy differently and get results faster. No longer worrying about the long-term care of infrastructure, automation and application teams focused on operational functionality and agility, tearing down old environments and building new ones as needs changed. Software Defined Infrastructure became synonymous with "cloud", and consumption grew as Cloud Solution Providers continued to abstract away infrastructure functions. This continuous change fed the adoption of Agile and the birth of DevOps principles, with automation teams among the first to participate in, and later define, these frameworks. With infrastructure almost entirely abstracted, automation teams could focus solely on application development (AppDev) and speed to market.
By the time finance teams invested in cloud as infrastructure, allowing network, server and security teams to operate in the cloud, the cloud platforms and their constant change had driven the two groups far apart. The divide in thinking between operations teams and the transformed AppDev teams had become insurmountable.
Perception of Cloud
There is no replacement for time, especially time at a crucial moment. AppDev teams learned to operate in an infrastructure-abstracted world while that world was still being built, and grew with it. Transformational as that was, the pace of change they experienced was nothing like the pace of change the operations teams faced when they were exposed, all at once, to a mature and constantly moving platform.
As discussed earlier, education and understanding are the keys to perception. With no education, no understanding and no lead time, network, server and security teams were thrown into a new world where, to them, chaos reigned supreme, and security teams were the hardest hit. Network, server and storage teams only had to understand their own pieces; security teams had to understand those components as well as the platform itself, a new model of identity and access in IAM that replaced the familiar users and passwords, and how the AppDev teams were deploying their wares. It was, and still is, daunting.
Security people need order. They need both the human perception of order and the logical, repeatable reality of order. Legal requirements, regulatory burdens and compliance frameworks are all parameter-based. Security needs a process for securing cloud, with inputs, expected outputs and quantifiable results. They also need the calm of expected audit results, presented to Wall Street at regular intervals.
How do we, as security people, accomplish that task with infrastructure we do not control and that constantly changes in capability and design, with compute that has no fixed inventory, with load that is unpredictable, over connections that are transient, and then attest to all of it?
The answer: Lightning.