In IT security, continuous is the new black

We have gone from the city that never sleeps to a world that is continuous. That's right: it seems that as the world shrinks, it is also always on, with someone always watching or doing. Continuous has become the new black.

Nowhere is this truer than in IT. We have Continuous Delivery, Continuous Integration, Continuous Testing, Continuous Monitoring, continuous this, continuous that, continuous everywhere. Infosec is not immune to this, either. We are trying to protect against continuous attacks by deploying continuous scanning, continuous threat protection, continuous monitoring, all of it part of our continuous security. All of this sounds like an old George Carlin routine. But it's not; it is the way things are today.

Of course, all of this continuous around security had to lead to continuous compliance. After all, who would want to be compliant at only a point in time (even if that point was at the time of audit)?

The newest version of the PCI DSS tries to move compliance from point-in-time compliance to continuous compliance. Some question whether this puts too big a burden on merchants. How many resources can they dedicate to compliance to make sure it is continuous? Others say that continuous is the only way that makes sense.

For me, there is a lesson here that security can learn from DevOps. Automation is the secret weapon in doing continuous. Without automation, continuous would require too many resources to truly succeed. But with automation, we can duplicate and perform acts over and over again without a human initiating every step, every move. 

That is not to say that humans will no longer be needed in IT security. On the contrary, automation frees up humans to work on tasks of a higher nature. Automation frees up humans from the repetitive, mundane tasks that need to be done over and over again, enabling them to work instead on things that are of a higher value (at least they should be).

But wait, there's more! Not only does automation empower continuous, automation brings speed. Once we automate, we can speed things up as well. So not only are we performing continuously, we are also performing faster.

Now we are automating tasks without human intervention and at the same time doing them faster. I know for many a security admin, the hairs on the back of your neck are standing up. This can't end well. Things are going out of control. Automating and speeding things up almost goes against being cautious and careful.

But as counter-intuitive as it may be, automating and performing faster can actually result in being more secure and more compliant. Wait, let's repeat that again: by automating and speeding up performance, we can actually become more secure and more compliant.

How? You don't believe me? Impossible, you think? How can continuous make us more secure and more compliant? Is it even possible to do all of this continuously? 

This is the topic that I, along with Jody Brazil, CEO of FireMon, am going to explore as hosts of a P2P session at RSA Conference. The session is on Thursday at 10:20 am, and it is titled "Continuous Network Compliance: Finding Flaws and Betting Futures." Put it on your RSA calendar if you are attending. The P2P sessions only hold 25 or 30 people, so come early.

I will post a follow-up to this post after the session with some of the discussion points around this. If you would like to hear the answers before then, though, you will have to come to the session. See you in San Francisco at RSA Conference.

