As organizations move more workloads to the cloud, there is more opportunity for security automation. Automation provides a repeatable and scalable method to enforce security policies across an enterprise, as well as accelerate the gathering of evidence for audits.
However, security automation is a daunting task. Cloud service providers, security vendors, and consultants are all fond of promoting the promise of automation. Yet, as teams struggle with the complexities of cloud environments coupled with the nuances of security controls, these promises can quickly unravel. Paradoxically, a key component of security automation success is neither security nor automation, but something far more pedestrian: documentation.
To paraphrase the famous World War II general Omar Bradley, amateurs talk, professionals document. While talking about policies, theories, and strategies for security automation are a good place to start, at some point all that promise must translate into action.
Documentation is where the promise of security automation becomes reality. Like any complex task, security automation demands the mastery, coordination, and implementation of a disparate set of tools, techniques, and talent. On rare occasions, a single person can do everything and keep the details in their head. More commonly, automation projects engage multiple people, working across multiple tools, all with multiple (competing) agendas.
Without documenting the details, you are entrusting the entire effort to the whims and memories of people, which are notoriously fickle and fleeting. With documentation, you can unlock some important powers that fuel success.
Documentation creates transparency and accountability
Documentation can be shared, reviewed, and referred to later. Documentation puts ideas, plans, issues, and decisions into a tangible form. Moreover, you can hold people accountable to what they wrote or what was shared with them. It is much more difficult to hold people accountable to what they said, since they can deny it or dismiss it.
As the pandemic has driven more teams to work remotely, old methods of accountability, such as casual hallway chats no longer work. Documentation is the only way to overcome this loss and promote accountability among leaders and employees.
Documentation can identify confusion and eliminate it
Documenting the technical details forces the author(s) to organize and clarify their thoughts. When other team members read the content, they may be confused. This may force the author(s) to reorganize the content. Ultimately the process of revising the content will help everybody, including the authors, understand the details better.
Many years ago, an employee had an idea for a security automation for the Security Operations Center (SOC). The idea seemed innovative, but confusing. After some high-level discussions, I asked the employee to document his plan. In the process of writing the plan, we discovered that not only did the team lack the skills or resources to build the feature, but that the feature was also financially impractical. The act of organizing the details into a document exposed the weaknesses in the plan.
Documentation builds upon itself
Once a plan is documented, people can analyze it, alter it, and augment it. Documents invite improvement. Implementing and configuring security controls requires multiple iterations of testing and refinement. If these efforts are documented, future teams can learn from those efforts and build upon them. Moreover, as automations are encoded into languages (like Terraform or Azure ARM templates), future security experts can update, refine, and improve that code. Documentation inherently begets improvement.
Conclusion
It is easy to get lost among the alluring promises, strategies, and technologies of automation. Cloud service providers like Azure and automation tools like Terraform are powerful. These platforms can accomplish almost anything in a cloud environment. However, the tools themselves are useless and your talent wasted if all your strategies do not coalesce into functional automations. Much like logistics were Omar Bradley’s secret weapon to win WWII, documentation is your secret tool to make security automation work.
NOTE: Bradley’s actual quote is “amateurs talk strategy, professionals talk logistics.”
