There’s no doubt that cloud computing, DevOps, and the speed of modern delivery is dramatically changing security. To get a sense of how this looks from the seat of the CIO, we turned to Steve McAtee, CIO at Vibrant Credit Union. Vibrant is a $500 million credit union based in the Quad Cities of northwest Illinois and southeastern Iowa. Rather than throw more technology at challenges, McAtee likes to view how technology can be leveraged to drive better outcomes and business value.
This is why he is the perfect CIO to turn to for a discussion on cloud security and DevOps.
Evident.IO: How do you see the rise of DevOps in the enterprise changing the skills needed in IT?
McAtee: There’s two states of mind, maybe three, when you look at someone that’s been in an IT career for a while. For instance, when I was coming into the work force, and starting out in information technology, we didn’t have anything virtualized. It was all physical hardware and the two areas of expertise were software and hardware. It was simple. And on the software side, you had Microsoft Windows experts that grew up using a mouse. They are trained on, “Oh this is easy. I know this screen. I can click on a few things and get things done.” Out of the box you could configure a Windows server.
Then, several years later, we learned that you don’t want to put a server configured like that out on the Internet. And today, with everything in cloud and moving continuously, the problem becomes that clicking boxes isn’t a skill that scales in the cloud/DevOps world.
Running through mouse clicks isn’t how the current cloud works. The current cloud works through scripting. Whether you’re in DevOps, or whether you’re provisioning an environment or deploying an app, there is programming scripting knowledge required.
Evident.io: How do you see automation changing the security landscape?
McAtee: When you look at AWS and the massive amount of scripting involved in running the cloud, scripting is the in-demand talent. And when I’ve talked to many organizations that have been Microsoft based, IIS based, ASP. Net based, and then the organization decides they are going to the cloud and embrace DevOps capabilities, it becomes very hard for them to make the transition because they see their team sees their world as instances of Microsoft Windows servers, not as nodes in a cloud.
Also, when you look at the automation that’s happening on the compute side, I think you’re going to see the salaries of a very few start to skyrocket. It’s going to be the skillset that can script the various components together that sees those increases. I purposely left the word cloud out of that thought. That’s because it doesn’t matter where it runs. It could be on the cloud, it could be on-premises; but if I can script components together, script the network pieces, and script compliance, then I can automate many things and eliminate a lot of IT jobs. I think that’s where the world’s beginning to go.
And we started seeing, probably about eight years ago with VMware, the beginnings of consolidation and automation. Back then, we needed perhaps one system administrator per 10 or 20 physical servers. And if you are running 100 servers, well, all of a sudden you can bring that down to five physical servers and you only need two people to run that.
Evident.io: How is this changing the enterprise’s approach to security?
McAtee: I think, today, the challenge with security is when you have to secure both on-premises and cloud. You still have to pay attention to the security for the old on-premises environment. In on-premises systems, it’s important to make sure that no one can get over the wall, under the wall, or through the gate. Why do organizations still have some of those on-premises legacy systems? Many times, it’s because they don’t really apply themselves to the cloud.
At least if you’re in the cloud, you can run compliance across the network; but legacy systems still have an antiquated means of talking to the network. It’s a challenge because the antiquated means of managing logs requires a lot of advanced log aggregation to get insights. In cloud, you can use a common convention to look at security, and look at compliance across multiple compute nodes within that environment.
When it comes to on-premises, you can get secure, but you have to go inside the box to understand anything. You need to see when this system was last patched. How was it updated? Who has admin rights over this?
Evident.io: How do you get the security team on board with this new world order that you’re describing?
McAtee: This is almost similar to when we went through Y2K. Back then, I watched a bunch of shops taking COBOL programmers and teaching them Microsoft Visual Basic. And they ended up with a Visual Basic application that really ran poorly, and eventually, the application had to be rewritten. To me, cloud and DevOps are such a seismic change that, just like in Y2K, you really have to look for the folks that are going to do it right.
But you also have to build a modern team of these skilled individuals with the skillset and the scripting capabilities you need. Because they are going to need to automate and script a lot, especially when they are told that they are going to be examining not the current 5,000 events a week, but about 200,000 events a week.
You have to begin to challenge them to be able to do that. It’s best to approach this as a team, because when individuals are faced with a mountain to deal with, they will often fail. Whereas a team can come together to collectively to rise to the challenge.
Evident.io: How do you see this changing security operations?
McAtee: I think with DevSecOps, and when you look at the cloud and the growth of infrastructure and how quickly things are happening, that your traditional security model doesn’t work. And by traditional, I mean when you have a server you want to deploy and you toss it over the wall to security. Security then goes through their checklist and validates it’s compliant to policy. But it’s impossible to do that manually when you have 30,000 servers to look at.
That’s why many in security are looking at how they can automate their checklists and alert the right people when there us a gap between the state of the server and what it should look like.