Wednesday, November 27, 2024

DevOps to DevSecOps -- The Start Is Culture

While DevOps is a relatively new word describing an evolving methodology for building products, Information Security is a mature discipline and is generally applicable to all enterprises. Information Security has been studied and codified into well-defined principles. These principles were developed in large measure by the US Department of Defense to protect military secrets, an effort that went alongside the military’s interest in developing the Internet itself. Major accrediting organizations with esteemed reputations (e.g. ISC2) have been certifying Information Security professionals since the mid-nineties. 


The purpose of Information Security, or, specifically, Information Security programs within the enterprise, is to reduce the risk of data breaches, data corruption and loss of access. It is an ongoing process. It requires attention throughout the organization and at every stage of the software development life cycle. Information Security needs to be considered at the earliest stages of product development. Attempting to bolt Information Security onto a product at the end of the development cycle, treating it as an afterthought, is rarely an effective strategy. 


Information Security is at once people, processes, and technology. While Information Security has been a concern since long before DevOps, it needs to be promoted as a major tenet of DevOps. Why? Information Security is hard, and historically it has not gotten enough attention. 


In order to earn and grow revenue, product companies are compelled to focus on maximizing customer benefits, and they often treat Information Security as overhead. A race for an MVP (minimum viable product) encourages cutting corners on security. Even when Information Security is a concern, it typically competes poorly with market needs. It is common for development organizations to build an application and then, just before a release, to do “Information Security.” They check a few boxes and hit the deploy button. Attempting to bolt it onto a product right before release is one of the greatest risks when implementing Information Security. It typically does not end well. 


Information Security will continue to grow as a major concern for Dev and Ops. For too long and too often, Information Security has been given a “best effort” treatment. The rapid growth in number and sophistication of attacks requires more effort to contain them--just for survival. 


In order to meet these challenges, Information Security must be considered during design and planning. Applications, systems and networks must be Secure by Design. This must always be the default. Without attention to Information Security at the early stages of product development, any Information Security controls implemented later will likely contain design flaws.

 

Information Security must be elevated in DevOps. It must be ingrained into the other aspects of DevOps: culture, automation, monitoring, and communication. As with all of DevOps, culture is the key component. Both Dev and Ops must embrace a culture that considers Information Security a key concern.


The good news is that the ongoing process of maintaining secure systems weaves seamlessly into our aspirations for a well functioning DevOps environment. New challenges will emerge. Technology will continue to evolve. In 2024 we see the information itself being attacked with disinformation and deep fakes. DevOps has become DevSecOps and many other variations. 


fork: Culture is more important than processes or technology

My principles of DevOps: culture, automation, monitoring, communication and information security will continue to shine the path forward even when DevOps is ultimately replaced by whatever comes next.  

Thursday, October 31, 2024

Monitoring: Timely, Accurate, and Actionable

 

Monitoring

The objective is relevance: timely, accurate, and actionable. 


Monitoring integrates automation (machines) and communication (humans). It completes a feedback loop between systems and people. Monitoring ensures Operations continues to run, and run smoothly. Far too often monitoring is not done well. Development and Operations are insufficiently responsive to problems in their offerings and have too frequently allowed their customers to identify issues. Customers report urgent problems. Teams immediately jump into reaction mode and run around putting out the fire, saving the day from their own lack of effective monitoring. That’s crazy making. Effective monitoring is crucial to the mental health of your organization. A DevOps culture cares about mental health and staying sane.


Too often monitoring is just a mess. Important, but non-critical systems are not monitored at all. For systems that are monitored, the monitoring is often tuned poorly. Monitoring spams non-urgent alerts. When it comes to the ratio of signal-to-noise, it’s typically a distracting amount of noise. Alerts that need action are lost. The refrain of managers of bad monitoring is heard once again, “the system generated an alert, but we did not see it.”  On the Development side they have similar problems. For example, regular feedback on the state of the build and test can be lacking. Test reports are incomplete or difficult to access. Attention needs to be paid to properly configuring monitoring systems. 

Timely


Monitoring needs to be timely, accurate and actionable. Timely alerts are sent at the right time. The right time is not always immediately when the issue is identified. For example, it is important to monitor test systems. Consuming all the allocated disk space on a test system may disrupt development. Disk alerts on test systems are useful for keeping Developers working without interruption. But if you're sending text messages to your Ops staff in the middle of the night for a disk alert on a test system, you’re not doing it right. That’s not a timely alert. You don't need to wake your Ops staff to fix a non-critical issue on a test system. A timely alert would be during work hours. 


The best type of alert is predictive: it warns you of an impending problem. A failure hasn’t occurred yet, but without action one is likely. Disk usage warnings fall into this category. You still need alerts that tell you something is broken; that type of monitoring cannot be ignored. But the deeper you can get your monitoring into your system, so that failures can be anticipated, the more useful it becomes.

Accurate


Alerts need to be accurate! The bane of monitoring is false alerts. No one enjoys being woken in the middle of the night by pages from a system that is in fact working just fine. 

Actionable


Alerts must be actionable. An alert that is incomprehensible or lacks an expected response is either noise or worse—something needs attention, but it is getting neglected because the recipient of the alert doesn’t know how to respond. Actionable monitoring has a lot to do with preparation. When you get an alert, you need to know how to respond. Alerts need to be correctly categorized. Many alerts require some technical action. Other alerts require communicating to customers and/or vendors. Casualty procedures or use cases need to be well documented and available when the alert sounds.
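The three qualities above can be encoded directly in the alert pipeline. The block below is an added example, not code from the original post: it routes an alert by environment, severity and business hours (timely), refuses to page on anything that has no runbook attached (actionable), and derives a predictive disk alert from two usage samples by linear extrapolation, staying silent when usage is flat (accurate). The channel names, business-hours window, runbook path and sample telemetry are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Delivery channels; the names are assumptions for this example.
PAGE = "page"      # wake a human now
TICKET = "ticket"  # queue for the on-duty team, no interruption
HOLD = "hold"      # deliver with the next business-hours digest

BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)

# Hypothetical runbook location. An alert without a runbook is not actionable.
RUNBOOKS = {"disk": "runbooks/disk-filling.md"}


@dataclass
class Alert:
    name: str
    env: str                # "prod" or "test"
    severity: str           # "critical" or "warning"
    runbook: Optional[str]  # where the recipient finds the expected response


def in_business_hours(now: datetime) -> bool:
    return now.weekday() < 5 and BUSINESS_START <= now.time() < BUSINESS_END


def route(alert: Alert, now: datetime) -> str:
    """Decide how an alert reaches a human.

    Timely: test systems never page, and outside business hours they are held
    for the morning digest. Actionable: an alert with no runbook is never
    allowed to page anyone; it becomes a ticket to fix the alert definition.
    """
    if alert.runbook is None:
        return TICKET
    if alert.env == "prod":
        return PAGE if alert.severity == "critical" else TICKET
    return TICKET if in_business_hours(now) else HOLD


def hours_until_full(samples: List[Tuple[datetime, float]]) -> Optional[float]:
    """Predictive disk check: extrapolate the used fraction (0.0 to 1.0) linearly.

    Returns None when usage is flat or shrinking, so nothing fires at all.
    """
    (t0, used0), (t1, used1) = samples[0], samples[-1]
    elapsed_hours = (t1 - t0).total_seconds() / 3600
    if elapsed_hours <= 0 or used1 <= used0:
        return None
    growth_per_hour = (used1 - used0) / elapsed_hours
    return (1.0 - used1) / growth_per_hour


def disk_alert(host: str, env: str, samples: List[Tuple[datetime, float]],
               warn_hours: float = 72.0) -> Optional[Alert]:
    """Warn when the disk fills within warn_hours; critical when within a day."""
    eta = hours_until_full(samples)
    if eta is None or eta > warn_hours:
        return None
    severity = "critical" if eta < 24 else "warning"
    return Alert(name=f"disk-full-predicted:{host}", env=env,
                 severity=severity, runbook=RUNBOOKS["disk"])


# Constructed sample telemetry (not from a real system). 2024-10-01 is a Tuesday.
T0 = datetime(2024, 10, 1, 0, 0)
SLOW_FILL = [(T0, 0.50), (datetime(2024, 10, 3, 0, 0), 0.75)]  # 25% in 48h -> ~48h left
FAST_FILL = [(T0, 0.90), (datetime(2024, 10, 1, 2, 0), 0.95)]  # 5% in 2h -> ~2h left
FLAT = [(T0, 0.50), (datetime(2024, 10, 3, 0, 0), 0.50)]
NIGHT = datetime(2024, 10, 1, 3, 0)
WORKDAY = datetime(2024, 10, 1, 10, 0)


def demo() -> dict:
    """Route the constructed samples; returns {description: channel}."""
    return {
        "prod critical at night": route(disk_alert("db1", "prod", FAST_FILL), NIGHT),
        "prod warning at night": route(disk_alert("db1", "prod", SLOW_FILL), NIGHT),
        "test warning at night": route(disk_alert("ci-runner", "test", SLOW_FILL), NIGHT),
        "test warning at 10am": route(disk_alert("ci-runner", "test", SLOW_FILL), WORKDAY),
        "no runbook, prod critical": route(Alert("mystery", "prod", "critical", None), NIGHT),
    }


if __name__ == "__main__":
    for case, channel in demo().items():
        print(f"{case:28s} -> {channel}")
```

The design choice worth arguing over is the last rule: a critical production alert with no runbook still does not page. That is deliberate. Paging someone who has no documented response trains them to ignore pages; a ticket that says "define the response for this alert" fixes the root cause.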


Monitoring is about knowing your systems and the state they are in. Without monitoring you’re in a bad place. You’re that infamous chicken with its head cut off, still running around… but already dead. 

Monitoring Challenges


Meaningful monitoring requires a careful eye. It requires looking at the object of your concern from a multitude of perspectives. Ops, Dev, management and users all have their own point of view. While each of these views is important in and of themselves, the sum of these perspectives is greater than the parts. The picture develops as more perspectives are processed. 


As an example of the importance of considering as many perspectives as possible, take the Escher print below. Is it a picture of geese or fish?  It is both at the same time. You need to look at the negative space as well as the positive space; one reveals the other. To see the true picture you must recognize how differing pieces fit together.


Figure 15: Positive and negative space

The larger and more complicated the object of your attention is, the more perspectives you need. Do you remember the story of the seven blind mice describing an elephant?  The view of any one mouse was not enough to understand the elephant they were all looking at. And how about the old adage about missing the forest for the trees?  The dissonance between our perception and the reality of things is fascinating. I could go on and on with these examples, but let’s move on to some other monitoring challenges.


You can get carried away with monitoring. If you “monitor everything” you will likely get overrun! Getting inundated with low-grade notices from your monitoring system is a very good way to miss the alerts that you really need to pay attention to. False alerts and alerts for non-urgent conditions pave the path to shutting out what is important. Reducing the noise to get the signal is a must! 


Even when monitoring is performing well, challenges remain. Our brains have a propensity to form patterns according to expectations rather than actual data. This picture was used to test the perception of radiologists examining chest x-rays. A whopping 83% of test subjects missed the gorilla in the picture. But you saw it, right?


Figure 16: What gorilla?

All of these challenges are significant, and typical Ops monitoring has not been up to the task. The worst part of what has passed as Ops monitoring is the extent to which Ops unintentionally relies on its customers to identify problems. With poor monitoring, Ops teams put their customers in the position of having to report important problems, like the site being so slow it is unusable! 


To effectively manage an application for the benefit of all constituents, monitoring needs to simulate all your stakeholders’ points of view. Many customer issues can be handled effectively. Bugs, training and workflow issues can be managed with an on-point support team. But when your customers have to tell you about performance or availability problems, your business is in trouble. This is the worst. Your customer does not care about your technical issues. They want to get their work done. By the time a customer opens a ticket to complain about not being able to do their work, you may have already lost any chance of a service renewal. The damage increases exponentially with the mission criticality of the service you are providing. If your customers are working in real-time like medical service providers, sellers in on-line auctions or whatever they are doing that is really important to them, and your application is not available?  You are toast. Monitoring needs to be timely, accurate and actionable.

Friday, September 27, 2024

Kevin, How did you get fit? - 10 Steps for Anyone

I'm 56 years old, and I am as fit, healthy and happy as I have ever been. 

Kevin Eb, September 2024, Hull, MA

As a young person, I was somewhat active, but not particularly athletic. And like other young people, I could eat whatever I wanted and not gain weight. Of course, that changed as I slid into my 30s. For my 30's and 40's I was borderline obese. I'm 5' 8". At my heaviest I tipped the scales at 200 pounds. 

In the last few years I have shed forty pounds. Along with losing the weight, I have gotten fit. I bike, swim and run. At first, I was only riding my bike, but building up my strength. After a while I incorporated swimming and running. When I began incorporating running into my fitness routine, I could barely run. I would run on a track near my house. I'd go down the 100 meters of the straight-away and then I couldn't run anymore. I needed to stop because of the pain in my ankles or shins. Now, a 5k run is in my comfort zone. My longest run is a half-marathon. I can bike forty miles comfortably. I love open water swims (and surfing!). I have participated in two sprint triathlons. I am as fit, healthy and happy as I have ever been. 

This change has not gone unnoticed by friends and family, who have been wonderfully supportive and enthusiastic about my progress. I get asked, "How did you get fit?" After enough people have asked me this question, I thought it would be helpful to share what I've learned. Here's my response. 

The number one thing I would say is, lower your expectations. Don't try to get fit. Getting fit will be a long journey. Focus on getting healthier. If getting healthy is your focus, there a lot of things you can readily do, and a number of them have immediate benefits. You probably know most of them already. The challenge is to put them into action and to keep up the effort. Here are my ten steps to a healthier and happy life. 

1. Begin

I mean that literally. Just get started. Don't be so impressed by the challenge, that you don't get started. The only way to make progress is to begin. Don't even think about it as "day one." Think of the right now. Make right now the moment you set an intention to improve your health. 

2. Get moving

Even a moderate amount of physical exercise, a brisk 20 to 30 minute walk five days a week, will make you healthier. Our bodies are built for moving. Our bodies are also very efficient at storing energy and avoiding any effort at all. Like most of the steps in this list, the science is clear, a moderate amount of regular exercise (walking!) has measurable health benefits. Get moving!

3. Push past your fear

Getting healthy can be daunting. It gets harder, as we get older. We bear the emotional scars of diet failures, and abandoned exercise plans. Fear of injury is real. We step gingerly in fear of twisting an ankle. As we get older, we are more aware of the frailty of our bodies, and get yet more cautious. Push past your fear! You will experience discomfort. Don't let discomfort be your master. You can take it. You're stronger than you know. Injury and pain can happen whether or not you make any effort to exercise. 
Don't be afraid. You have the power! You can do this! 

4. Listen to your body

Our minds are built to focus our attention on one thing at a time. This is necessary in order for our executive function to work. We need to ignore all kinds of information from our bodies and our surroundings, so we can focus on whatever needs our active conscious attention. Your body is the temple of the mind. It's where you live. Give your body the attention and respect it deserves. 

5. Improve your posture -- This is the start of your fitness plan

You deserve to be here! Whatever state your body is in, hold your head up high. Sit straight, and walk with your head up. Your posture will bolster your sense of well-being. There are different ways to improve your posture, and begin to put together a fitness plan that meets your needs. Start your fitness plan with exercise that is low impact. You don't need equipment or props. Your breath animates your body and your mind. Be mindful of your breathing. Your intention is to develop a fitness program that is more than doing push-ups, or leg stretches or any other activity that focuses on a particular muscle group. What you want to do is to begin a fitness program that integrates your mind, body and breath. Yoga is an excellent way to do this. I'm saying "yoga," but it doesn't have to be yoga. You can start wherever you are at--including chair yoga. Pilates is also good. Whatever exercise you choose to do, aim for a full-body experience: mind, body and breath. 

6. Track what you eat. Eat food. Mostly plants. Not too much.

Tracking what you eat, is not dieting. It is being mindful of what you are putting into your body. Whatever you eat, record it. The only goal you should set for yourself, is to actually record what you eat. If you maintain diligence in recording what you eat, you will inevitably begin to make better decisions about what you decide to put into your mouth. Hat tip to Michael Pollan for, "Eat food. Mostly plants. Not too much."

7. Weigh yourself daily

Weigh yourself daily, but don't pay too much attention to how much you weigh on any particular day. Body weight can fluctuate significantly. Our bodies can store a lot of water. Water is heavy. It is not uncommon to gain or lose five pounds in a day. Even without a big body weight swing of five pounds, body weight fluctuates. A more accurate measure of your weight is probably some kind of running average over your last few days. So, don't pay much attention to how much you weigh on any particular day. But, do record your weight every day. Make it part of your daily routine. Weigh yourself, even when you don't want to know what you weigh. It's really an exercise of personal accountability and mindfulness. It's not difficult to step on a scale. It is difficult to make yourself regularly accountable and take stock of where you're at. 

8. Sleep

Of all the things on this list, sleep is arguably the most important. There's really no more important thing we can do for our mental health, and concurrently, our physical health, than consistently sleeping well. This is science. If you are not sleeping well, see a doctor. Fix that shit. It's a bit ironic that sleep, "doing nothing," plays such a big role in our physical health. But it does. 

9. Rest, Recover, Strengthen

As you get into a more active exercise routine, rest and recovery will grow in importance. I do think "rest and recover" doesn't really speak to what's happening. Yes, your body is "recovering" after exercise. Inflammation is processed by your body and soreness recedes. But the sometimes neglected point of recovery is that it is necessary to actually grow muscle. You can't grow muscle while you are using your muscles. They need to rest in order to strengthen. Kicking your ass with your exercise routine? Rest, Recover, Strengthen. 

10. No matter what happens, be kind to yourself

You are going to have bad days. You will have days when you miss all of your goals. Days when you eat too much and don't exercise. Don't beat yourself up about that! Just don't. You only live once. If you indulged, that's okay. Gloat over your indulgence, and move on. It doesn't really matter what you did yesterday. What matters is what you decide to do next. In order to be more healthy, you have to set your intention to be more healthy everyday. That's a challenge, but it is also a blessing. Everyday we have the opportunity to start over. Everyday we have the opportunity to make new decisions and head in different directions. It's miraculous that we are here at all. Every step we take is a blessing. Be grateful for the health and wellness you have. Be kind to yourself. You deserve it. 



Please share any of your comments and experiences below!


Sunday, May 19, 2024

Service and a Culture of Ownership for Information Security

Ownership

No time for losers, cause we are the champions of the world!


DevOps practitioners take ownership not only of their individual performance, but also in the success of the team, and recognize that work they do has an impact on the success of the whole company.


Persistence


After I graduated from college, I backpacked around the world. I visited great cities: Hong Kong, Bangkok, Singapore, Beijing, Delhi, Mumbai, Jerusalem, Cairo, Marrakech. I trekked and climbed; I did odd jobs and taught ESL; I met incredible people and learned so much. I was out of the country for more than a year. That was 1995, the "Year of the Internet."  The Internet was exploding back home, and I could feel it. When I returned to the States, I was ready to launch my career. I moved to the Bay Area and started looking for a job.  


I had my old Apple Macintosh. I busily played with Java and HTML making wildly homebrew web pages; linking my page to people that I admired and making graphic puzzles linking to all manner of strange and interesting things. I followed job postings on Craigslist, when it was still a listserv. These were dial-up days and I networked online bulletin boards, like The Well. In a Java conference, I connected to one long-timer user, Bob Pasker, aka (rbp). Bob arranged a phone call to talk about a Systems Administrator position he had at a startup he co-founded, WebLogic. 


Or dumb luck?


It's worth stepping out of this story to note that when it came to technology, nothing got by Bob. There was no obfuscating or charming your way past him. You knew if you were not doing well in an interview with him. One person who did get a job at WebLogic had a particularly memorable reaction to his interview with Bob. Michael Smith, Jr., Smitty, who was interviewing for an entry-level Sales Engineer position, started the interview feeling pretty good and left feeling like he knew nothing about Java. 


Back to my interview. None of my experience and education--Electrical Engineering, AS/400, retail software, Novell 4.0 certification nor the Java basics I was teaching myself was of much use in this interview. Nevertheless, I was confident and insisted I could learn. I doubt I was convincing, but as Bob was extricating himself off the phone, he did offer me a temp job setting up some computers. I said yes.  


WebLogic, early days


Soon after, I showed up at WebLogic’s downtown San Francisco office. The WebLogic office was tiny. They shared space with an accountant. The accountant had a corner office and a couple of adjoining rooms. Four smaller offices comprised the rest of WebLogic’s space. Dave Parker, the WebLogic president, occupied one of them. There was a small conference room with a floor-to-ceiling glass wall. That conference room sticks in my mind. Dave gave what seemed like an inordinately long interview to a very attractive young woman who wore her red mini-skirt very well. It turns out that Dave was capable of talking an inordinately long time on any occasion at all. But, I digress. In another room Bob was setting up for the first three staff engineers they hired. One desk was for Sam Pullara and another was for our departed friend Joe Weinstein. The four co-founders, Bob, his wife Laurie Pitman, Paul Ambrose, and Karl Resnicoff, worked from home over an ISDN network Bob set up. 


Bob had three mini-tower workstations to set up for his new engineers. The workstations had arrived from Micron along with some 3rd-party memory upgrades. Bob handed me the memory and told me to get to work installing it. This was something I'd already done a number of times in my life. I knew exactly what to do. And yet, I was so nervous I could hardly hold the memory stick. I could not get it to pop into the socket. After a bit, Bob quietly lost his patience watching me fumble with the memory stick. He reached over and popped it in. And we moved on.


I left some kind of impression on him, because I heard from him soon. Bob had me back to set up more computers. I set up Windows NT 4.0, Microsoft Office and development tools like Perforce and Cygwin. Soon WebLogic was prepping to move out of its shared office and into larger space. Bob needed someone on the IT front line to help get things going, and offered me a full-time job. At the same time, I was offered more money to be a Novell administrator for a San Francisco hospital. I passed on the Novell job and went to work at WebLogic.


First Days at the Job and Lessons Learned -- WebLogic 1996


בּוֹקֶר טוֹב


On my way to my first full-time day at WebLogic, I emerged from the BART station at Montgomery St. A well-dressed stranger greeted me with Boker tov! Good morning in Hebrew. I had arrived at my destination. I headed underneath the Charles Schwab ticker; looked up at the sun shining on the pyramid building; and marched down Montgomery St. to start my new job.


One day during my first week, I was asked to move a printer. There was some issue, and it was taking me time to get it working. This did not go over well with Bob. He made it clear to me in a way that has stayed with me always: IT is a service job. Yes it’s technical, but its function is to enable other people to get their work done. Printers and cables or anything else technical did not come up in this discussion. The point was about providing service to business users. If my work is causing a work stoppage because the printer I am working on is off-line, I am not getting my job done. I took that feedback, and remembered a theater “techie” creed: 


You don’t see or hear us, but you don’t see or hear without us!

 

Fourk 3: IT is a service job. Yes, it’s technical, but its function is to enable other people. 



Service and a Culture of Ownership for Information Security

It's 2024 now, nearly thirty years later, and this is a lesson I come back to often. It is a lesson that I routinely share with my Information Security colleagues. As Information Security practitioners, our function is "Information Security." Our purpose is Risk Management. We support the business by safeguarding its assets and ensuring compliance. We do this in order to reduce risk to the business. Understanding and embracing one's mission is the first requirement of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF 2.0, released in February 2024), which states, "The organizational mission is understood and informs cybersecurity risk management." By maintaining a service-oriented approach and aligning with our mission, we not only secure the company but also ensure we meet compliance objectives and foster an Information Security centric culture of ownership. 


Thursday, May 16, 2024

Security DON'T dos, The Wild West of Old and DevOps to the Rescue

Security Tenets

Keep these DON’Ts at the top of your list.

 

Fourk 7: Security DON'T dos





  1. DON’T leak data.
  2. DON’T corrupt data. 
  3. DON’T keep users from their data.

DO keep your customers data secure. 

 

Kevin Eberman's take on the triad, the three legged stool of Information Security: 

confidentiality, integrity and availability


The tenets of Information Security deserve regular consideration. They form the basis of many laws, regulations and industry standards. When I was first introduced to this formal definition of security tenets, I learned Information Security is about more than keeping secrets. I was expecting confidentiality to be a concern, but I did not expect integrity and availability to be equal concerns. Integrity made sense, but it took me a moment to get behind the idea that availability was a security concern. I was not and am not alone in this reaction. A lot of people have this reaction. Even people that should know better, like some developers I've worked with, have had this reaction. But, not having access to your data can have serious consequences. Imagine not being able to access your bank account! You have to be able to get to your data. 


Confidentiality: When users think about Information Security, this is generally what they think about. It is typically the type of breach that makes for headlines. The disclosure of private information.  


Integrity: The data you are minding has to be accurate. Making decisions with incorrect data leads to all kinds of problems; just ask someone who is trying to scrub their credit rating of a false report or identity theft.


Availability:  Finally there’s availability. There is no data security if users cannot access their data. 



The Wild West of Old


In the Wild West of old settlers faced many risks. The environment was hostile. The weather, wild beasts, bandits, and of course, a native population made it very risky to be a settler. Yet people were driven by the opportunity of a new life and a place to claim as their own. 


Business has always operated with risk. Indeed, risk is required in business. Business is competitive. There are winners and losers. In order to get the spoils, in order to get an advantage over their competitors, the greatest business people, the greatest leaders need to take risks to get ahead.


After more than twenty years of commercialization, the Internet remains a vast frontier with weak security--a lot like the Wild West of old. It provides ample opportunities for modern-day bandits to wreak havoc on today’s Internet settlers. Like the frontier of bygone days, the Internet provides a new way for people to live and make money. Despite the risks, we continue to use the Internet at an ever-expanding rate! 


The Internet: A Modern Wild West


The Internet was conceived and built as an open system. Government, universities and large businesses at the root of the foundation of the Internet shared a common purpose and interest in having and maintaining an open Internet. For decades these open standards fostered a high-level of engagement and usage by participants. 


As the Web commercialized the Internet, those groovy open standards emerged as an on-going vector for attacks. In the 90s, attackers were often individuals writing prank viruses that were mostly intended to cause a bit of disruption and draw attention to the prankster and his l33t h4xs0r sk1lz. Nowadays there are serious and coordinated threats by organized criminals and governments to scan, monitor and infiltrate systems for all types of misuses. Information Security continues to grow in importance for governments, businesses and individuals. Vast data disclosures by retailers and governments have become a feature of our news. Spying, theft and sabotage have made way for even more insidious attacks like misinformation. And then there's GenAI, poised to generate all types of automated mischief spiked with intelligence.  


Security exploits continue to emerge at all levels of the stack. As one part of the infrastructure is tightened up, millions of lines of new code are distributed to millions of systems. The attack surface grows faster than our defenses.


And yet, even as the threats mount, old problems persist! E-mail has suffered mighty abuse. The true source of an e-mail is easily forged. Phishers pretend to be from a known service or source. They masquerade as a trusted interlocutor and get marks to disclose information they meant to keep secret. Users are bombarded by these types of social engineering attacks, which are made more effective when mail is forged through an open-relay mail server. Improvements have been made to the e-mail infrastructure; both servers and clients have gotten better. Nowadays it has become common for email operators to use mechanisms such as SPF, DKIM and DMARC so that mail carries proof of where it came from. 
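The mechanisms the paragraph alludes to are SPF, DKIM and DMARC; an inbound mail server records their verdicts in an Authentication-Results header (RFC 8601), and DMARC's contribution is to insist that whichever check passed must be for a domain aligned with the visible From: address, which is the address the phisher is forging. The block below is an added example, not code from the original post or any mail product: it parses that header and applies a simplified alignment check. The authserv-id, header values and addresses are constructed for the example; the relaxed-alignment rule is a simplification (real DMARC compares organizational domains via the Public Suffix List), and the header is only trusted if the authserv-id is our own MTA, because an attacker can add a header with the same name to the message before it ever reaches us.

```python
import re
from email.utils import parseaddr
from typing import Dict, Tuple

# Assumption: the name our own inbound MTA stamps into Authentication-Results.
# Any such header carrying a different authserv-id arrived inside the message
# and is untrusted; a careful MTA strips those on ingress.
EXPECTED_AUTHSERV_ID = "mx.example.net"


def parse_auth_results(value: str) -> Tuple[str, Dict[str, Tuple[str, Dict[str, str]]]]:
    """Parse an Authentication-Results value into (authserv_id, {method: (result, props)}).

    Only the last instance of a repeated method (e.g. two dkim= results) is kept,
    which is enough for this example.
    """
    value = re.sub(r"\([^)]*\)", "", value)  # drop (comments) such as sender IP notes
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]
    results: Dict[str, Tuple[str, Dict[str, str]]] = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return authserv_id, results


def aligned(domain: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC-style identifier alignment between an authenticated domain and From:."""
    domain, from_domain = domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not domain or not from_domain:
        return False
    if strict:
        return domain == from_domain
    # Relaxed mode, simplified: equal, or one is a subdomain of the other.
    return (domain == from_domain
            or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))


def rfc5322_from_domain(from_header: str) -> str:
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_authentic(from_header: str, auth_results: str, strict: bool = False) -> bool:
    """True only if SPF or DKIM passed for a domain aligned with the From: domain."""
    authserv_id, results = parse_auth_results(auth_results)
    if authserv_id.lower() != EXPECTED_AUTHSERV_ID:
        return False  # not our verdict; possibly injected by the sender
    from_domain = rfc5322_from_domain(from_header)
    spf_result, spf_props = results.get("spf", ("none", {}))
    if spf_result == "pass" and aligned(spf_props.get("smtp.mailfrom", ""), from_domain, strict):
        return True
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    if dkim_result == "pass" and aligned(dkim_props.get("header.d", ""), from_domain, strict):
        return True
    return False


# Constructed headers for the example; none of these came from a real message.
GOOD_FROM = "Billing <billing@example.com>"
GOOD_AR = ("mx.example.net; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.example.com; "
           "dkim=pass header.d=example.com header.s=sel1; dmarc=pass header.from=example.com")
# SPF passed, but for the attacker's own bounce domain: not aligned with From:.
FORGED_AR = "mx.example.net; spf=pass smtp.mailfrom=attacker.test; dkim=none"
# A header the sender added themselves, claiming a pass under a foreign authserv-id.
INJECTED_AR = "mail.attacker.test; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com"

if __name__ == "__main__":
    for label, ar in [("legitimate", GOOD_AR), ("forged sender", FORGED_AR), ("injected header", INJECTED_AR)]:
        print(f"{label:16s} authentic={is_authentic(GOOD_FROM, ar)}")
```

Note what the forged case shows: SPF alone said "pass". An open relay or a throwaway domain can always pass SPF for itself; only the alignment requirement ties the result back to the address the user actually sees.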


DevOps to the Rescue


Security threats emerge very quickly. They often put Ops and Dev on high alert reacting to new threats. Quick action is necessary to implement security patches and maintain operations. Even a flawless security operation will be faced with unexpected challenges on today’s Internet. Zero day security threats, serious threats that emerge without any prior notice, require the type of rapid response, central control, communication and automation that a fully functioning DevOps environment provides. 



Tuesday, May 14, 2024

The Security Perspective - Risk Mitigation and Monitoring Tools

The Security Perspective

  1. Growing role of security
  2. Regulatory and industry compliance
  3. Zero day threats require constant vigilance
  4. Suite of monitoring systems

The ubiquitous threat and constant reporting of all manner of security breaches is finally starting to elevate security concerns within the enterprise. Companies historically were willing to give lip service to security, but they were a lot less likely to commit to costly security programs and additional time and effort to enhance security. Security is complicated and time consuming. When security is added as varnish over an existing process or product it will be ineffective. Security must be addressed throughout the life cycle of the product and throughout the organization. Increasingly security is being promoted within the organization. C-level executives are being appointed to guide security horizontally throughout the organization. 


Security is about reducing risks. But risk cannot be completely eliminated. If you are going to do something, anything, there is some risk involved. If you want to completely eliminate risk, do nothing, put yourself in the closet and close the door. It should be noted that security is a process, not a destination. You need to continually reevaluate your security position and adapt to changes. Modern applications need to be regularly tested for emerging security vulnerabilities in code, included libraries, operating environments and practices. Tactical security requires defining a perimeter, choke points, and other means to limit access to your goods. On many occasions Ops will try to define the perimeter from the inside out. 


While security is a concern for any organization that wants to survive, organizations in regulated industries are required to pay particular attention to security. If your business handles credit card data or health care information it will be subjected to all manner of scrutiny including extensive questionnaires, audits and regulations. Organizations need to be able to demonstrate they are handling data in a secure way. They will need to have policies that provide an overview of management’s position on the rules. They will need to have procedures that detail how policies will be enacted. Finally, they will need to document adherence to policy and procedures in order to provide evidence that the organization is adhering to those same policies and procedures. 


Security has a number of dedicated tools to assist with enforcing policies and providing evidence of compliance. These tools are monitoring tools focused on specific security concerns. Perhaps the most familiar application in this category is virus protection software. A mainstay on computers today, virus software scans your files for signatures of known viruses. Regular updates to your virus signatures are required in order to keep up with emerging threats. Virus scanning software does have the unfortunate impact of burdening systems with a disk-intensive process. Particularly on servers, a balance must be struck between how aggressively virus scanning performs its work and keeping the system running so it can perform its function.


Monitoring Tools - DLP


Another application in this class of security monitoring software is called Data Loss Prevention (DLP). Data Loss Prevention (DLP) is used to deter and detect if data is “leaking” out of the production environment. DLP programs are installed on servers, and other systems like operators’ desktops and laptops that access secure data. These programs may also work down at the hardware level disabling USB ports to prevent downloading sensitive data (or any data at all) onto a thumb drive. They may also enforce screen savers and locks to keep prying eyes or sneaky hands off your computer when you are away from it.
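As an added example of the detection half of DLP (this is illustrative code, not from the original post or any DLP product): a Python scanner that looks for payment card numbers in outbound text, uses the Luhn check to discard look-alike digit strings such as order numbers, and masks what it finds. The sample messages are constructed; 4111 1111 1111 1111 is a well-known test card number.

```python
import re

# Candidate 13-19 digit runs, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the card numbers (digits only) found in text, Luhn-validated."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Mask all but the last four digits of every Luhn-valid card number in text."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # not a card number, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, text)


# Constructed outbound messages a DLP agent might inspect.
OUTBOUND_SAMPLES = [
    "Order 1234 5678 9012 3456 shipped",             # order id, fails Luhn
    "Customer paid with card 4111 1111 1111 1111",   # test PAN, passes Luhn
]

if __name__ == "__main__":
    for msg in OUTBOUND_SAMPLES:
        print(find_pans(msg), "->", redact(msg))
```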


Monitoring Tools - WAF


Twenty years ago, it was not uncommon for organizations to connect to the Internet with just a router and without any firewall. Firewalls are now commonplace. An increasingly common requirement is a type of firewall called a Web Application Firewall (WAF). Traditional firewalls operate at the network level. They filter out unwanted traffic aimed at applications and services that could be used as a vector to launch an attack. However, a typical firewall does not distinguish between authentic web traffic and malicious traffic that is encapsulated or hidden in benign-looking web traffic. This is where a WAF comes in. A WAF is smarter than a traditional firewall. It knows the details of the protocol used to transmit web pages (HTTP). It can discern non-conforming traffic that may exploit weaknesses in the application. A WAF can also include a whitelist of allowable requests that can be made to the application. 
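As an added illustration of the two WAF behaviours described above, rejecting non-conforming HTTP and enforcing a whitelist of allowable requests (this is example code, not from the original post or any WAF product): a minimal request inspector in Python. The routes in ALLOWED_ROUTES and the sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical whitelist of (method, path) pairs the protected application serves.
ALLOWED_ROUTES = {
    ("GET", "/"),
    ("GET", "/products"),
    ("POST", "/login"),
}

# A conforming HTTP/1.x request line: METHOD SP target SP HTTP/1.0 or HTTP/1.1
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
# A header line: a token name, a colon, optional space, then the value
HEADER_LINE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+: ?[^\r\n]*$")


@dataclass
class Verdict:
    allowed: bool
    reason: str


def inspect_request(raw: str) -> Verdict:
    """Inspect one raw HTTP request head (request line plus headers).

    Protocol conformance is checked first, then the whitelist.
    """
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return Verdict(False, "malformed request line")
    method, target = m.group("method"), m.group("target")
    path = target.split("?", 1)[0]          # whitelist is keyed on the path only
    if "\x00" in target or ".." in path.split("/"):
        return Verdict(False, "suspicious request target")
    for header in lines[1:]:
        if header == "":                    # blank line ends the header block
            break
        if not HEADER_LINE.match(header):
            return Verdict(False, "malformed header line")
    if (method, path) not in ALLOWED_ROUTES:
        return Verdict(False, f"not on whitelist: {method} {path}")
    return Verdict(True, "conforming request on whitelist")


# Constructed sample requests for the example.
SAMPLE_REQUESTS = {
    "good": "GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "traversal": "GET /../../etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "bad_version": "GET /products HTTP/9.9\r\nHost: shop.example\r\n\r\n",
    "unlisted": "DELETE /products HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}
```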


PCI Requirements


These monitoring tools are requirements of the Payment Card Industry (PCI) standard. They increase the security of the application in real time and provide historical logs that can be reviewed after a security incident for forensic analysis. Even when they are not required for a certification or a standard, they are best practices. They may not all be suitable for every environment every time, but they should all be considered. A conscious decision should be made before forgoing a best practice.