Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/28/2019
10:30 AM
Andrew Williams
Andrew Williams
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

'Cattle, Not Pets' & the Rise of Security-as-Code

Nearly a decade in, the famous analogy has underpinned a sea change in enterprise IT, but still falls short of the security mark. More recent developments can help.

In 2011, Randy Bias, a prominent member of the cloud community, used the phrase "cattle, not pets" as an analogy for how DevOps engineers should think about the cloud and the benefits of managing infrastructure in a cloud-native environment. The phrase "cattle, not pets" (attributed originally to Bill Baker, a Microsoft distinguished engineer encouraging his DBA audience to think differently about their SQL Server deployments) has become pervasive within the DevOps community and is a useful way to think about the difference between a dynamically scalable cloud deployment and a more static on-premises server rack. Once the description was applied to the cloud, it was adopted across the IT community, showing up in sources as varied as Amazon webinars and CERN presentations.

Although the concept has contributed to the cloud design principles of thousands of DevOps engineers across the industry, the analogy is imperfect. Treating servers as "cattle, not pets" without broader strategies to implement security eliminates concerns about resiliency and initial server configuration, leaving the proverbial door wide open for unanticipated access issues, malicious intrusion vectors, and other security threats and vulnerabilities that have been prevalent since well before the cloud concept was mainstream.

Enter the many different flavors of infrastructure-as-code. There are many ideas about planning for DevOps, and the benefits of the overall infrastructure-as-code movement: numerous papers on the "cattle, not pets" approach; dissertations on the broader notion of replicability, rigor, scrutiny, as well as inherent security that come from code-based implementations of infrastructure; sales briefs on the benefits of being able to model infrastructure changes without time-consuming and costly mock-ups in a manually configured staging environment; and so on.

The concept of using code-based policies to impose consistent security on a broader IT environment is not new in IT or the cloud. However, minimizing security risks with comprehensive security-as-code in a way that almost entirely removes the need for any manual interaction is a relatively new practice — as is the prioritization of security principles when DevOps teams consider how to configure code-based policies to manage their own environments.

This doesn't mean the industry isn't addressing the practice. Companies including Puppet, Chef, Red Hat, AWS, IBM, and many others offer rich tool sets that are intended to ease the transition from traditional IT practices and DevOps approaches to security in favor of the DevSecOps approach to infrastructure management — and DevSecOps appears to be on its way to becoming the new normal.

Opportunity for Change
The broader implications of the DevSecOps mindset for the governance of security and compliance have been relatively underappreciated until recently. The industry now has an opportunity to shift the focus of security and compliance scrutiny from the live environment to a code repository, greatly increasing the assurance possible in any security review and simplifying the methodology required by any external auditor tasked with verifying the compliance posture of a given environment. Prominent cloud providers are releasing verified reference architectures that, if implemented without any security-impacting changes, provide compliance with any number of prominent security and regulatory frameworks their customers may encounter. An entire cottage industry has formed around the idea that security can be written instead of implemented. While not as prominent as the overall infrastructure-as-code movement, comprehensive security-as-code could be truly transformative for organizations building in the cloud.

If done carefully, true security-as-code has many benefits. Budget-conscious executives can mandate code-based security policies to minimize the large amounts of time, money, and effort traditionally required to properly deploy and vet a mature security posture. System owners can remove the human from the loop in all but the most esoteric of management actions — minimizing the risk of some of the most prominent malicious intrusion vectors seen today and virtually guaranteeing consistent implementation of security controls and policies. Architects can mock up their selected controls, service-level agreement obligations, and performance targets without delay and quickly iterate through options before allocating any resources to a test deployment.

Companies working to bring software products to market in heavily regulated industries can reduce their time to compliance — even across multiple frameworks at once — as they are only limited by the speed at which their developers can type, instead of the long lead times traditionally expected between development, assessment, and remediation. Undermanned DevOps teams can confidently reuse and recycle security policies and assets between environments without worry about customization or loss of fidelity, easing the pain of frequent requests for segregated resources or low-level tenant-by-tenant isolation.

And finally, interested reviewers and external auditors can be confident when assessing the security assurance provided by a heavily automated and code-based IT environment. Focusing such a review on a code-based architecture implemented throughout the scope of a given review reduces the chance that, somewhere, in some far-off closet, sits a critical server still being treated as a pet.

Related Content:

Andrew Williams is the Director of Program Development at Coalfire. In this role, he is responsible for working closely with Coalfire customers, industry bodies and regulatory authorities, and internal stakeholders to ensure Coalfire's services, delivery, and talent are ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13934
PUBLISHED: 2020-07-14
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
CVE-2020-13935
PUBLISHED: 2020-07-14
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of ser...
CVE-2020-15721
PUBLISHED: 2020-07-14
RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XSS because of the href attributes for AddStudents.php and User.php.
CVE-2020-7592
PUBLISHED: 2020-07-14
A vulnerability has been identified in SIMATIC HMI Basic Panels 1st Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC HMI KTP700F Mobile Arctic ...
CVE-2020-7593
PUBLISHED: 2020-07-14
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (V1.81.01 - V1.81.03), LOGO! 8 BM (incl. SIPLUS variants) (V1.82.01), LOGO! 8 BM (incl. SIPLUS variants) (V1.82.02). A buffer overflow vulnerability exists in the Web Server functionality of the device. A remote unauthenticate...