A Proactive Approach To Securing Your IT Automation Environment
Automation environments continue to grow, expanding to encompass more connections, endpoints and processes across the enterprise. This includes sensitive data and processes that are critical to the day-to-day operations of the organization.
Automation environments are often highly centralized, enabling users to monitor and manage a wide variety of business and IT processes across virtually any environment. This makes it possible for users to standardize governance across environments, streamlining compliance and preventing unauthorized access to critical resources and networks.
As automation environments expand, so too does your attack surface, offering more points of entry for unauthorized users.
Fortunately, workload automation solutions provide a range of tools and capabilities that help improve and strengthen the security of your automation environments.
How To Simplify User Permissions
Object-oriented automation solutions use modular objects that contain their own information or data within fields. This makes it easier to create and modify objects throughout the automation environment, including security and permissions. Typically, in an object-oriented automation solution, an object can be a discrete task, a collection of tasks, a folder, a user account and more.
Object-oriented software enables IT administrators to set granular permissions for any object. However, permissions should be assigned to groups rather than individuals in order to simplify administration. For non-user objects such as processes, IT administrators should set a default policy that follows the principle of least privilege: set the default for all objects to the lowest permission level possible while still providing enough access for users to complete necessary tasks.
This makes it possible for administrators to ensure that unauthorized users will not be able to access sensitive or critical objects, while making sure that different IT teams have customized access to meet their needs.
Additionally, a workload automation solution should integrate with the LDAP directory service you already use. For example, if your IT department uses Active Directory, you should look for a workload automation solution that supports the Windows Security Access Control model. This way, IT administrators can use existing accounts and groups within Active Directory to manage access to objects in the automation environment.
Using Virtual Roots
Virtual roots should be used to provide role-based access to the automation environment, when possible. Virtual roots enable groups to connect to subfolders within the environment, giving users within that group access to only that subfolder and the objects nested under it.
Virtual roots can also be used to create multiple environments within a single job scheduler. For example, if your developers and QA team need separate environments, each group can connect to a different virtual root, segregating the environment while enabling administrators to monitor and report on all objects and actions.
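The sketch below is an added example, not code from any workload automation product. It combines group-based permissions, a least-privilege default and virtual roots in one access check. The folder names, groups and the rule that the nearest ancestor folder's entry wins are assumptions made for illustration.

```python
from posixpath import normpath

# Constructed sample data: each group's virtual root and per-folder group ACLs.
VIRTUAL_ROOTS = {"dev": "/Jobs/Dev", "qa": "/Jobs/QA", "admins": "/"}
ACLS = {
    "/": {"admins": {"read", "execute", "modify"}},
    "/Jobs/Dev": {"dev": {"read", "execute", "modify"}},
    "/Jobs/Dev/Release": {"dev": {"read"}},  # tighter rule on a sensitive subfolder
    "/Jobs/QA": {"qa": {"read", "execute"}},
}
USER_GROUPS = {"alice": ["dev"], "bob": ["qa"], "carol": ["admins"]}


def resolve(group, requested):
    """Map a path requested through a group's virtual root onto the real tree.

    Returns None when the group has no root or the normalized path escapes it.
    """
    root = VIRTUAL_ROOTS.get(group)
    if root is None:
        return None
    prefix = root.rstrip("/")
    full = normpath(prefix + "/" + requested.lstrip("/"))
    inside = full == root or full.startswith(prefix + "/")
    return full if inside else None


def effective_rights(group, path):
    """Walk up from the object; the nearest folder naming the group decides."""
    while True:
        entry = ACLS.get(path, {})
        if group in entry:
            return entry[group]
        if path == "/":
            return set()  # least-privilege default: no entry means no access
        path = path.rsplit("/", 1)[0] or "/"


def is_allowed(user, requested, right):
    """Grant only if one of the user's groups reaches the object and holds the right."""
    for group in USER_GROUPS.get(user, []):
        real = resolve(group, requested)
        if real is not None and right in effective_rights(group, real):
            return True
    return False
```

Permissions attach to groups only, so moving a user between teams is a change to USER_GROUPS and never to the objects themselves.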
Encryption And File Transfer Security
Most workload automation solutions have three main components: a job scheduler, an execution server and a main console or GUI. Communication between these components should always be encrypted using TLS.
Automation solutions are frequently used to transfer files and information between departments, office buildings, data centers or business partners. Automation solutions should therefore support secure file transfer protocols such as SFTP, FTPS, OpenPGP and more, as well as web-tunneling.
Additionally, job schedulers should be tied to specific ports when possible, as opposed to using random ports, with port forwarding and port binding to support execution servers in the DMZ if needed.
Auditing And Compliance
Audit trails should be stored for all objects, including users, in order to ensure visibility into all changes and events. In object-oriented solutions, objects are often fully auditable from creation to deletion so that all modifications and actions are detailed and recorded.
IT administrators should also require users to provide additional information before modifying a workflow or object. This requirement should be placed directly in the object where possible. Required information can include the user’s name, their reason for the modification, who authorized the modification and what the goal of the modification is. This information is then included in the audit trail and can be easily accessed to meet compliance requirements.
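The following added example (not taken from any product) shows a modification gate that refuses a change unless the required information is supplied and writes every attempt to the audit trail. It goes one step beyond the text by hash-chaining the entries so that later edits to the trail are detectable. The field names, AuditTrail and modify_object are hypothetical.

```python
import hashlib
import json

# Assumed field names for the information a user must supply with each change.
REQUIRED = ("user", "reason", "authorized_by", "goal")
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only list in which each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, obj, action, info):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"object": obj, "action": action, "info": info, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: e[k] for k in ("object", "action", "info", "prev")}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True


def modify_object(trail, objects, name, new_definition, info):
    """Apply a change only when every required field is present and non-blank."""
    missing = [f for f in REQUIRED if not str(info.get(f, "")).strip()]
    if missing:
        # Rejected attempts are audited too, so the trail shows who tried what.
        trail.record(name, "modify-rejected", {**info, "missing": missing})
        raise ValueError("missing change information: " + ", ".join(missing))
    objects[name] = new_definition
    trail.record(name, "modify", dict(info))
```

The chain only proves integrity if the latest hash is also kept somewhere the automation environment's users cannot write to.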
Multi-Factor Authentication And Credential Management
In order to strengthen access controls to the automation environment, especially where web- or mobile-based consoles are being used, administrators should set up multi-factor authentication. This can include providing a username and password as well as a keyfile or passphrase.
Additionally, workload automation solutions will often provide direct integrations with privileged access managers (PAMs). For example, this can allow a workload automation solution to dynamically retrieve credentials from the PAM tool at runtime, effectively hiding user credentials from the automation environment. This provides an additional layer of security and simplifies credential management.