TL;DR
Auto-certification can work for internal services, but it’s not a ‘set it and forget it’ solution. It requires careful planning, clear definitions of acceptable risk, robust testing, and continuous monitoring. Focus on automating checks against well-defined security baselines rather than attempting full compliance validation.
1. Understand the Risks
Before you automate anything, figure out what you’re trying to protect. Internal services often handle sensitive data or are critical to business operations. Consider these risks:
- Data breaches: What happens if a service is compromised?
- Service disruption: Can downtime impact the business?
- Compliance violations: Even internal services might need to meet certain standards (e.g., data protection laws).
Auto-certification won’t eliminate these risks, but it can help you identify and address them more quickly.
2. Define ‘Acceptable Risk’
You need to decide what level of risk your organisation is willing to tolerate. Full compliance for every internal service might be too expensive or time-consuming. Instead, focus on the most critical security controls:
- Prioritise services: Rank them based on their importance and the sensitivity of the data they handle.
- Establish baselines: What are the minimum security requirements for each service? (e.g., patching levels, firewall rules, access controls).
- Document exceptions: If a service can’t meet a baseline requirement, document why and what mitigating controls are in place.
3. Choose Your Automation Tools
Several tools can help you automate security checks:
- Configuration Management Tools (e.g., Ansible, Puppet, Chef): Ensure services are configured according to your baselines.
- Vulnerability Scanners (e.g., Nessus, OpenVAS): Identify known vulnerabilities in service software.
- Compliance Scanning Tools (e.g., Lynis, CIS-CAT): Check against industry standards like CIS Benchmarks.
- Scripting Languages (e.g., Python, Bash): Write custom scripts to perform specific checks.
Example using Lynis to audit a system:
lynis audit system4. Implement Automated Checks
Start small and focus on automating the most important controls. Here’s how you can approach it:
- Patch Management: Automate checking for missing security patches.
- Firewall Rules: Verify that firewall rules are correctly configured to restrict access.
- Access Control: Ensure only authorised users have access to sensitive data.
- Log Monitoring: Collect and analyse logs for suspicious activity.
Example using Ansible to check if a service is running:
- name: Check if the web server is running
service:
name: apache2
state: started5. Integrate with CI/CD Pipelines
If your services are deployed using a Continuous Integration/Continuous Delivery (CI/CD) pipeline, integrate security checks into the process. This allows you to identify and fix vulnerabilities before they reach production.
- Automated Scanning: Run vulnerability scans as part of each build.
- Gatekeeping: Prevent deployments if critical vulnerabilities are detected.
6. Monitor and Review
Auto-certification is not a one-time task. You need to continuously monitor the results and review your automation rules.
- Regular Reporting: Generate reports on service security status.
- False Positive Analysis: Investigate and address any false positives.
- Rule Updates: Keep your automation rules up-to-date with the latest threats and vulnerabilities.
Consider using a Security Information and Event Management (SIEM) system to centralise log data and alerts.
7. Human Oversight
Don’t rely solely on automation. Human security professionals should still be involved in the process:
- Exception Handling: Review and approve any exceptions to security baselines.
- Penetration Testing: Conduct regular penetration tests to identify weaknesses that automated checks might miss.
- Incident Response: Be prepared to respond to security incidents, even if auto-certification is in place.