Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.

Automate Your Way to Security Assurance

Absent Member.
Absent Member.
0 0 3,954
There is an exciting (ok, I don't get out much) proposal from Neil MacDonald, of Gartner, that he calls systematic workload reprovisioning. The idea is to periodically stop and restart instances of programs or workloads on a server, using a vetted set of service executables and dependencies. The process lends itself well to a virtualized or cloud-enabled environment as within enterprise computing, we are seeing a trend towards specialized, single application servers vs. generalized computing on "big iron." It is an interesting use of technology and could be achieved by combining existing off the shelf components, open source or commercial.

In the article, MacDonald refers to a "high-assurance" repository, which sounds like a baseline to me. So a first step would be to identify service components, such as executable images and configuration files. This might include any supporting components, such as a LAMP stack or commercial database engine. Once identified, each of the components must be distinguished as safe and unaltered by creating a cryptographic hash (at least SHA-2 please) of each, and then organizing the resulting bundles into templates. A good secure configuration management product or solution could be leveraged to establish a baseline and to manage the templates. This also provides a great opportunity to establish a security policy, which could be as simple as enumerating each of the template elements. Libraries of templates seem ideal to address regulatory compliance.

Stopping and restarting workloads or service instances could be achieved through an automated process workflow. It may even be desirable to stop and restart the server itself. Or in the case of a virtualized environment, the virtual machine; more on that below. These actions could easily be scripted and set to occur on a prescribed schedule. This could be achieved using run book automation or a simple job scheduler.
Alternatively, there are some very good information technology process automation (ITPA) products available which could effortlessly address such a requirement.

The server itself is a candidate for a virtualized execution container and could easily be served by a hypervisor such as VMware, Hyper-V, Xen, or KVM. Or it could be managed in a public cloud environment such as Amazon AWS or Rackspace. With regard to the cloud, there is momentum developing for open standards, so vendor lock-in is not as much of a concern. Take your pick: OpenStack, Open Virtualization Alliance, or the new Open Cloud Initiative. Even VMware's Cloud Foundry uses well known components. Hypervisor and cloud vendors alike offer library and templating features so that "gold master" images or instances can be identified as trusted and placed in a high-assurance library or repository. The leading ITPA products include orchestration of virtual environments, thereby enabling stopping and restarting of the workload at the virtual server level.

Organizations could roll their own solutions or integrators could assemble such a service. It certainly provides a great opportunity for a security vendor. So market players take heed!
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.