Automated Service Certification

TL;DR

Auto-certification can work for internal services, but it’s not a ‘set it and forget it’ solution. It requires careful planning, clear definitions of acceptable risk, robust testing, and continuous monitoring. Focus on automating checks against well-defined security baselines rather than attempting full compliance validation.

1. Understand the Risks

Before you automate anything, figure out what you’re trying to protect. Internal services often handle sensitive data or are critical to business operations. Consider these risks:

• Data breaches: What happens if a service is compromised?
• Service disruption: Can downtime impact the business?
• Compliance violations: Even internal services might need to meet certain standards (e.g., data protection laws).

Auto-certification won’t eliminate these risks, but it can help you identify and address them more quickly.

2. Define ‘Acceptable Risk’

You need to decide what level of risk your organisation is willing to tolerate. Full compliance for every internal service might be too expensive or time-consuming. Instead, focus on the most critical security controls:

• Prioritise services: Rank them based on their importance and the sensitivity of the data they handle.
• Establish baselines: What are the minimum security requirements for each service? (e.g., patching levels, firewall rules, access controls).
• Document exceptions: If a service can’t meet a baseline requirement, document why and what mitigating controls are in place.

3. Choose Your Automation Tools

Several tools can help you automate security checks:

• Configuration Management Tools (e.g., Ansible, Puppet, Chef): Ensure services are configured according to your baselines.
• Vulnerability Scanners (e.g., Nessus, OpenVAS): Identify known vulnerabilities in service software.
• Compliance Scanning Tools (e.g., Lynis, CIS-CAT): Check against industry standards like CIS Benchmarks.
• Scripting Languages (e.g., Python, Bash): Write custom scripts to perform specific checks.

Example using Lynis to audit a system:

lynis audit system

4. Implement Automated Checks

Start small and focus on automating the most important controls. Here’s how you can approach it:

1. Patch Management: Automate checking for missing security patches.
2. Firewall Rules: Verify that firewall rules are correctly configured to restrict access.
3. Access Control: Ensure only authorised users have access to sensitive data.
4. Log Monitoring: Collect and analyse logs for suspicious activity.

Example using Ansible to check if a service is running:

- name: Check if the web server is running
  service:
    name: apache2
    state: started

5. Integrate with CI/CD Pipelines

If your services are deployed using a Continuous Integration/Continuous Delivery (CI/CD) pipeline, integrate security checks into the process. This allows you to identify and fix vulnerabilities before they reach production.

• Automated Scanning: Run vulnerability scans as part of each build.
• Gatekeeping: Prevent deployments if critical vulnerabilities are detected.

6. Monitor and Review

Auto-certification is not a one-time task. You need to continuously monitor the results and review your automation rules.

• Regular Reporting: Generate reports on service security status.
• False Positive Analysis: Investigate and address any false positives.
• Rule Updates: Keep your automation rules up-to-date with the latest threats and vulnerabilities.

Consider using a Security Information and Event Management (SIEM) system to centralise log data and alerts.

7. Human Oversight

Don’t rely solely on automation. Human security professionals should still be involved in the process:

• Exception Handling: Review and approve any exceptions to security baselines.
• Penetration Testing: Conduct regular penetration tests to identify weaknesses that automated checks might miss.
• Incident Response: Be prepared to respond to security incidents, even if auto-certification is in place.