We now have a situation in which we are increasingly attempting to simplify the way we do business, solution design and think through the security implications in the form of Non Functional Requirements, which may impact the ecosystem, the environment in which that system will exist, whether it is within Cloud services or within virtualised systems, including Microservices. As we embrace these increasingly complex environments - we have to prepare to get more involved - it is not a question of throwing modules like Component Models with white boxes with both inputs and outputs, but with the expectation that they have communications needs and protocols and verification of inputs even within an environment made up of containers or Docker/Kubernetes etc. Granularity, Cohesion, Scaling come to mind rather like Service Orientated Management Architecture or SOMA for Service Orientated Architecture (SOA) e.g. web services including JSON etc. The Ready to go community have expectations that Application Programming Interfaces (APIs) can be rapidly used to download a capability e.g. via mobile phones and the functionality they require is instantly available. They don't have to think about the backend implications, for instance whether the infrastructure is sufficient to support their demands; it is instantly available. The expectation is it will always be available regardless. However, behind the scenes the complexity is increasing and we see the need to introduce automation to assist in the day to day tasks. We need to ensure the people who come after us understand that no matter how great the capability, there is a great deal of complexity involved behind it all, maintaining and supporting it. You still need to fully understand, to ask the right questions, and set the expectations of what security and privacy controls need to be inherently designed and implemented, with the greatest risk being a monumental public mess occurring on a regular basis.
Can we automate security to the extent that we can reduce the likelihood of these enormous faux pas occurring? Or can we expect these to keep occurring and keep us in useful employment for many years hence?
I'm just starting to investigate the introduction of automation (Ansible) into the RMF task I am currently supporting. I do believe that automation can remove some of the mundane processes that I support now to free me up to perform more of the investigation and discovery that is needed in learning the system.
I don't want to "interpret" what you wrote but I do want to add AI to the conversation and postulate whether we can add critical thinking and analysis to the automation. If I take AI at face value to mean that it's a replacement for human mental processes, a time should come when that will be possible.
As with anything else, if it's made by humans, it will be flawed and that will also have to be dealt with.
@Flyslinger2 I agree Automation and I have to be careful here (AI) i.e. Augmented Intelligence not full Artificial Intelligence as we have not achieved this as yet. My organisation actively develops and uses AI on a daily basis, and we make a lot of our materials available freely, for collaboration purposes with the community. However, my point is we are increasingly creating very complex environments on one hand, and with the other we are simply creating modules which carry out specific functions. We have to be very careful that, as you state, we don't just accept this as the normal behaviour, without challenging and acting as leaders to ensure that balanced outcomes are achieved - but also training and mentoring the next generation to not simply accept everything they come across as the truth.
My example includes architecture; and with the drive towards the cloud as the norm, we are in danger of merely accepting everything that is put in place, without understanding the implications and balancing the risks with appropriate controls - balanced against the trend towards just do it i.e. just buy a service and everything will be okay Jack attitude. We still have to train people to "think" not merely fall into the group think murky pond.