With organisations utilising new technologies in the age of Digital Transformation, it is vital that the security surrounding innovation is up to standard. Amrit Williams, Vice President of Products at Skybox Security, tells us why fluid security’ practices are so important in developing a successful security programme and thus relieving pressure for CISOs.
As organisations forge ahead with their Digital Transformation initiatives, there is a growing burden being placed on their security teams. Their workload is only mounting as more businesses move towards cloud-first, or even cloud-only, infrastructure. As well as being expected to secure new services, these teams must simultaneously manage the security of the prevailing on-premise infrastructure and assets.
The promise of cloud-only environments is appealing: when properly executed, it promises to eliminate network fragmentation. But there are a number of challenges associated with the implementation of each new service and device that are becoming increasingly difficult for the CISO and their team to navigate.
The complexity inherent to managing cybersecurity is continually ramping up. This is certainly true for managing the security around both public and private clouds. Although these are services that are usually supported by a variety of cloud service providers (CSPs), they are also regularly misconfigured. While the cloud promises great benefits for the business, there is a long road to actually seeing them come into fruition. If the security surrounding innovation is not up to par, it could end up doing more harm than good.
Using fluid security to secure innovation within complex hybrid networks
For a majority of organisations, hybrid networks have become standard. This means security teams are required to manage a growing attack surface made up of on-premise IT, OT, cloud and third-party environments. This has created a stressful environment for CISOs who are tasked with preventing any mishaps. Never before has there been a greater need for a robust, focused and lasting risk management strategy. One such strategy focuses on developing ‘fluid security’ practices – this is a strategy that is popular with some of the world’s largest and most complex businesses.
Fluid security places a heavy focus on developing a unified, agnostic and continuous security programme. This involves establishing processes that control the security of the network environment until it is no longer required while guaranteeing that the varied security environment doesn’t include any redundancy – whether that be in technology, employees or processes. When properly applied, security teams are able to support changing enterprise needs at the drop of a hat with negligible impact on the rest of the business.
Prioritise data equality
In terms of security, being data agnostic means that, regardless of the source, data must be stored in a central hub, and like-data must be normalised and amalgamated, irrespective of environment type, vendors, etc. Data should be integrated into clean datasets, eradicating duplicates, to facilitate more effective analysis. These data handling processes need to be the first steps taken to guarantee the successful simplification and centralisation of a complex, fragmented environment.
Once the data is centralised, the next step in reducing the complexity of that data is to find a way to model it. By creating an always up-to-date model of hybrid network infrastructure, security controls, assets, vulnerabilities and threats, new possibilities of insight into the interrelationships of a network can be revealed. Modelling can help an array of security management processes, unifying teams with a comprehensive overview of a business’ attack surface.
Eradicating disconnected processes
Having disconnected processes in a hybrid environment is a common pitfall, primarily because individual teams are made to take responsibility for separate areas of the network. In a growing number of workplaces, the problem of operational siloes goes beyond security and operations teams and is also an issue for DevOps/DevSecOps teams.
While each team has their own specific task, the procedures that make up their everyday role must point towards a single aim. Taking DevSecOps as an example, they may have processes for ‘security in code’, but any updates to new or prevailing systems could have consequences for compliance status. Owing to this, they will need to be constantly observed in case their risk status changes.
In this instance, having full visibility of cloud networks is vital. It’s only with a comprehensive understanding of the environment that security teams are able to identify and analyse vulnerabilities within services and containers. In addition, when considering policy compliance, the testing of accessibility, security tags, cloud firewall rules and configurations by security teams is also a necessity.
These scenarios all illustrate how beneficial a hybrid environment model can really be. Offline models can be regularly updated via application programming interface (API) connections, which means that security and operations teams do not need administrative access to cloud platforms. When this is in place, security teams can complete necessary tasks with minimal disruption to the deployment of the cloud. If a violation or risk were to be identified, the problem can be removed when security and operations teams report back to DevSecOps and perform necessary amends together.
Replication of risk
To safeguard the longevity of any fluid security strategy, ongoing cyberhygiene processes designed to reduce risk and compliance violations are also important to take into account. Often, there’s a tendency for teams to ‘set it and forget it’ during deployments because cloud services often have short life cycles. This is a habit that needs to be wiped out: it simply doesn’t work well with the way that DevOps teams are set up.
Work conducted by DevOps professionals is founded on replication. This relates to their activities – say, replicating the simple creation of container-based services, the move from image to instance, and so on – but it also means that risk can be easily replicated within cloud services on a faster and wider scale that it would do within on-premise infrastructure. That’s why cloud services should be treated with the same careful consideration that is given to other areas of the infrastructure, even if the processes and tools that need to be used to achieve that vigilance are different.
Making sure the data handling and unified management processes described above become the standard is the only way to guarantee the future security of hybrid networks. By taking a fluid approach to security, the right foundations will be in place to support an established programme ready to cope with today’s challenges and to support innovation going forward. While cloud is now viewed as a ‘must-have’ technology, innovation is being spun-up so quickly that dynamic computing could be a very different beast in a matter of years.