Easing the tension between data security and automation
Automation is at odds with data security in the enterprise. Why?
The crux of the issue
Automation increases productivity by harnessing the power of machines. Quite a few servers can be purchased or rented in a cloud for the price of one human information worker. However, accessing enterprise data, particularly with the speed and volumes at which machines work, breaks myriad policies crafted and enforced to reduce the risk of proliferating and exposing said data. I ran across these conflicting forces recently while building an automation.
The automation scrapes some internal web pages containing viewer metrics and inserts them into a set of spreadsheets. Next the spreadsheets are moved to a network folder where a second automation detects the new files and uploads them to a specified location where my colleague notes any activity or trends that need attention. We love it. Then, after several weeks of successful runs, it failed due to an expired security secret. Our data access governance policy requires certain system credentials to expire on a regular basis. Good for security. Expired credentials break automation. Bad for productivity.
Regularly expiring security secrets is a clear best practice, but does it need to break things? The automation saves significant time for my team, but it is merely reading data from one location and reformatting it for easy analysis in another. Does the automation really need to run at the same level of privilege as me, a human? There’s got to be a compromise in there somewhere.
Compromise
Here are two options that come to mind that may serve as a compromise:
Option A
Issue a warning five days ahead of expiration, giving time to renew it before anything breaks.
Option B
Issue service credentials specific to the automation task with the least privilege required.
Treat automation as another type of user
Both options respect data security requirements of the organization, and through a tiny bit of increased visibility and communication between the business and security operations (SecOps), a prudent and effective solution is possible. A bit of well-reasoned compromise can ease the tension between data security imperatives and productivity-increasing automations, and, most times, neither side loses, which means the business wins.
Automation introduces a new user into enterprise governance called the machine worker. It brings implementers of security policy and automation together. Organizations who recognize this new user and consider its actual requirements in finer grained detail will escape zero sum tension, establish safer data use practices, and realize the business gains offered by productivity-enhancing technologies.