Shutdown Breakdown, and a Case for Automation
Baby, breakdown, go ahead and give it to me.
Breakdown, honey take me through the night.
Breakdown now I’m standin' here can't you see.
Breakdown, it's all right.
-Tom Petty
We learn a lot when we have to. Whether it’s in our home life, learning to save for that car or for the kids’ tuition. We are sometimes faced with barriers and roadblocks to overcome: we lose a job; we take a pay cut; our car breaks down. Whatever. We keep going. We persevere.
So the government is (mostly) shut down. This is not a blog about that. (Goodness knows I have a lot to say on the subject, but this is more about what do we do – what can we do – when life throws us a curveball and security still has to get done.)
We talk a bunch around here about zero trust and what it means for organizations and agencies to move to this type of security model. It’s fair to say I’ve “drank the Kool-Aid” when it comes to this journey. It appeals to my innate feeling that complexity breeds chaos and that simplicity is the only way out of this death spiral of security spending that more organizations find themselves in. Now, don’t get me wrong, I am not a fan of simplicity just for simplicity’s sake. It has to serve a higher purpose. This is the same reason I’m an Apple fan. No one can argue that Apple did make our lives more connected (for better or worse) and they did it by maniacally focusing on simplicity. Ease of use.
I feel it in my bones that zero trust does the same thing for security, but there is an important part of zero trust that often gets overlooked: automation.
Not automation in the “car manufacturing assembly line” kinda way, but automating security decisions, in real time, the same way that secure tunnels (TLS) are created and destroyed, all day long, millions at a time without a human being having to lift a finger (beyond the initial setup). Access decisions need to happen just as quickly, just as often and just as securely. And these transactions need to be simplified. We can’t layer box after box inside our networks and expect these workflows to keep up with the volume of transactions that we process today let alone what we’ll do tomorrow. We can’t buy our way out of this. We must simplify.
(Oh, by the way, more cloud plus 5G will throw a wrench in this “box chaos” anyway, so it’s time to stop running in that direction.)
Automation is the only way out of this. Automating the workloads. Automating authentication decisions. Automating stand up and teardown of the connective tissue between the user and the applications. Some folks call this segmentation, or micro-segmentation, and that’s fine. Call it what you want. I call it “access dial tone.” The user requests something, and if all's right with the world (auth, workflow access), they get it. No muss, no fuss. Immediate. Just like picking up the phone.
Duo thinks a lot about automation. From making access and trust decisions based on easily discernible attributes (where is the auth request originating from? etc.), to looking at user behavior to help automate access. It’s also worth noting all the security data goodness we might glean from the variety of Cisco tools that collect data (ISE, Talos, AMP, etc.) and automate the application of this data to determine the trustworthiness of the request.
I’m not a huge fan of “hype tech” – things like AI, big data, blockchain, etc. – but some of these will absolutely play a role here. I don’t think we can get to true dial tone without AI-based automation due to the volume and frequency of the data (big data, cough cough). So hype or not, they have a role to play.
Before anyone gets too freaked out, I am not advocating that people don’t play a role. Just like the evolution of the telephone, roles change (how many switch operators still exist in the world?). We still need eyes on consoles of curated events. We still need security professionals to interpret data (after it’s been through the AI meat grinder). And we will still need people to provide direction and policy. What we don’t need is “box chaos” administrators. The world will change. Is changing.
We also still need people to watch over the physical security barriers at airports and ports of entry. We need their smiling faces because we are people, not boxes, and we need to interact with other people. My belief in this is the same reason I don’t use the “self service” lanes in my local grocery store. In some places, automation doesn’t make as much sense to me. For moving bits and providing application access, though, it makes perfect sense.
Hopefully, by the time this blog hits the air our federal friends will be back at work, getting their paychecks and all will be right with the world (or as right as it was in December). As a (very) frequent traveller, I rely on those smiling faces week in, week out. I’d like to see them keep smiling.