Using Rules Engine in the Automation of System Security Review

Abstract

Best practice has determined the importance of reviewing the security design and architecture of a system early in the system's development life-cycle. This is done to ensure the security of the developed system. The review of a system design to ensure compliance with policies, standards, and best practices oftentimes takes the form of a manual. Utilization of this method can be a time-consuming process, where the security team reviews the design and architecture. Often times, this process can contradict the agility provided by implementing DevOps; a practice that promises agility throughout the System development life-cycle. The DevOps system creates a capability for automating processes that assist in the building, testing and releasing software created by IT teams. The contradiction demonstrated between this automated assessment practice and the more archaic manual review practices, frequently depict the security team as show-stoppers. Given that the security team is then responsible for ensuring quality standards are met, the release of a system can be delayed due to the human element when it is possible to automate this process and remove the human variable. This process can be effective except in cases where the system being assessed does not align with the predetermined framework provided to the automated assessment process. The process to be automated is designed to review the security architecture of systems and application commissioned throughout the organization's network. The manual process begins with the application of a questionnaire submitted by the project lead. A security analyst is then responsible for then manually reviewing the submitted questionnaire. This review involves the assessment and analysis of the designs elements as well as all of the controls present in the process. This would include controls such as the various authentication, authorization controls, accountability controls, network communication protocols, encryption, application and service accounts, the application security requirements and any other related controls. This process can be extensive and would get extended with more complexity the reviewed system gets. The goal is to maintain the same level of security maturity provided by the process while enhancing the processing time. To achieve this goal, I have developed a rules engine that incorporates all of the required security controls and translates these controls into questions and answers. Each answer is stored with the approval status and the required approval level, or approver. The rules engine will determine whether the request is approved, not approved or requires additional manual review by the team. If the request is approved the application will assign the required approver (data owner, system proponents, access management, etc.). After the approval workflow is completed, the requester must submit compliance items proving compliance with the provided information. This innovative rule engine application is dynamic and the rules can be changed and adjusted based on requirements of the organization's policy. The new process has been able to reduce the average time of the process down to a single hour. Through the reduction in time spent on reviewing the security design and architecture of system design, an organization is able to demonstrate a much greater efficiency throughout its operations.