I’m a big fan of automation. Automation means I can do more. Automation means I eliminate the mundane stuff to focus on critical things. I like automation as an IT professional. However, as a security professional, a question that is ever present in my mind is,
“What if someone tampered with the process?”
Case in point: you have an automated process to build VMs. That includes configuring particular security groups for a particular type of build in the local Administrators group (you should already be doing some of this with group policy, but that is automation as well). What if an attacker was able to slip into the automation to include a particular account or a particular group? How long would it be before you caught it? This is why I’m a big believer in a human putting eyes on automation results at some point and relatively frequently at that. In fact, I’m a big believer in multiple levels of verification. Maybe it’s my military background and things like the two person rule. If you’ve watched a movie like Crimson Tide you’ve seen it in action. Two people have keys that must be used together. This ensures that one person, acting alone, can’t do something devastating (in a relative sense). I know there’s a balance to be met. Too much manual effort and you undo the benefits of automation. However, too much reliance on automation and you’re eventually going to miss something.