Posted: May 9, 2017

Complexity is the enemy of security.
Complexity is the enemy of innovation.
Complexity is the enemy.

Perhaps I’m being silly with the lines at the top of this post. On the other hand, maybe we should all recite a litany against complexity every morning, especially when it comes to healthcare technology.

I attended the Alabama CyberNow conference the other day, and one take away for me was a reminder of the growing complexity and technical vulnerabilities in our everyday world.

The domain of security professionals has grown over time. Modern web applications live across datacenters and cloud providers, use multiple coding languages, and contain a variety of third-party integrations. In short, modern applications are complex collections of services.

All this complexity creates places to hide. Imagine your environment as a maze, like the ones below. Using your own intuition, which maze is easier to solve? Even the smallest modern applications tend to live on environments that resemble the maze on the left. Each technology, service provider, or integration point increases complexity.

complexity-map

What's the solution to complexity? Well, it's thoughtful design and automation.

While development teams have gotten the grasp of these concepts and adopted "DevOps," most security teams still largely operate in a manual fashion. I would propose that Security and infrastructure teams use automation to simplify infrastructure, make systems easier to administer, and frankly, eliminate the human element.

The goal is deployment, not installation. In this case, deployment means the provisioning of an already fully baked system with an automated orchestration tool. Installation means doing things the “old way,” manually running installers on production hosts, editing config files, etc.

If a deployment fails, the development team re-deploys the last good version. No tweaking of data in hidden corners of a production application should ever be necessary.

Given that cloud resources are software defined, operations and security teams should plan and configure cloud resources via pre-defined configuration templates. Provisioning of infrastructure such as subnets, access rules, and virtual machine should never be done in a graphical user interface (GUI).

Our entire infrastructure should flow through an organized system development life cycle (SDLC) of requirements planning->design->dev->test->deployment->monitoring.

Tools like Amazon CloudFormation or Hashicorp Terraform allow teams to build an entire collection of services in a defined, planned manner. Given enough coordination and practice, it is possible to redeploy an entire infrastructure.

Is this strategy obtainable? At least partially, yes.

Want to know more about security in healthcare technology? Read our post, 3 Security Questions to Ask Your Website Vendor.