This is one in a collection of seven pieces on Burning Security Questions.
Automation of security is a concept with momentum this year as some of the larger federal agencies, including the Department of Defense, National Security Agency, Agriculture and Energy, are pushing for a new direction beyond the current FISMA audit mandate for compliance. They want Congress and the Obama Administration to consider adopting the Consensus Audit Guidelines, a set of 20 security technical controls that encourage automation.
But can security processes be automated?
Areas considered technically mature, such as scanning and intrusion prevention, can be automated, says Gartner analyst John Pescatore. "But since the threat and technology environments change rapidly, in the real world security automation is limited. It is great to talk about but for real companies, the actual business benefit is limited," he says.
However, some IT managers say they are reluctant to purchase security products and services unless they contribute to automation.
"We're completely automated as far as the ID creation is concerned," says Mike Ruman, enterprise communications and messaging manager at Grant Thornton, the accounting firm with more than 50 offices and 6,000 employees. Automated provisioning can create a user ID in 8 minutes and assign that individual to security groups based on job code and department, he says.
The firm uses Imanami's GroupID provisioning to synchronize with human resources and departmental databases, as well as Microsoft's Active Directory, to update employee online privileges every two hours.
"If there are changes, it keeps the information updated and user access might be closed," Ruman says. The weak link in the chain — which he saw happen once — was human resources forgetting to take action in an employee termination.
Ruman notes that the auto-provisioning process in place now also helps auditors because it's simple to generate reports. One of the main barriers he's seen to security automation has been company politics, particularly "administrator turf wars" in which systems administrators squabble over tasks that are often manual.
However, skepticism about the prospect of automated security abounds.
"Like flying cars, people have been waiting for total security automation for years," says Tracy Hulver, executive vice president for marketing and products at NetForensics, a maker of security-event management products designed to help automate collection of security and log data.
"Unfortunately, that is something that is still years, if not decades, away from being realized," he says, adding that automation has helped with some aspects of security response, "but human intervention is still required to be able to respond appropriately."