Cyber threats against enterprises continue to rise as more people connect to the Internet, as the criminal underworld grows and matures, and as state-sponsored attacks become more frequent. Cyber security regulation continues to expand, and IT organizations continue to evolve at an ever-increasing pace. The move to the third platform (cloud, mobile, social and big data) has brought massive changes in the way enterprises use technology, and organizations that do not embrace those changes will fall further behind their competitors.
The traditional enterprise security architecture must evolve to accommodate agile IT, with more virtualized computing that is portable and elastic. These environments increasingly rely on orchestration to deliver compute on demand. At the same time, agile software development and DevOps-style application delivery demand freedom for developers and have compressed delivery cycles, which can seem at odds with security's typical controls and compliance requirements.
Security operations, processes, and solutions have not evolved at the same rate as the rest of IT and cannot keep pace with this rate of change. Security controls are not fully automated. History, and audit findings, show that enterprises are not consistently winning against the adversary.
At the same time, enterprises are embracing cloud computing, both private and public. The traditional model of protecting enterprise data does not translate well to the cloud. Even adopting cloud technology in a private cloud strains existing security technologies and can rule out established security solutions.
To secure users, data, and computing, enterprises must protect each of them where it actually exists. Much progress has been made in securing users on their mobile platforms and everywhere they touch corporate data, and encryption is used alongside other technologies to protect data in motion and at rest. The compute environment, however, which has already gone through many transitions with virtualization, has not been as well protected.
Servers that once delivered applications scaled vertically. Through virtualization and abstraction, that function has evolved into a dynamic compute environment that scales horizontally and is the building block of the application delivery environment.
As that compute environment changes in scale and location, it must be protected. As IT embraces DevOps, SecOps must embrace an equally agile method. Legacy approaches that wrapped security around the environment where workloads ran translate poorly to private clouds and cannot operate at all in public clouds, where the infrastructure is not owned by the organization that owns the workload. Under the shared responsibility model for public cloud, the provider secures the underlying infrastructure, but the organization remains responsible for securing what it runs in the cloud.
Embracing the benefits of a dynamic compute environment doesn’t remove the security and compliance requirements. Organizations must be able to deliver both security and compliance in a way that can scale automatically and be orchestrated across hybrid environments. In order to accomplish this, consider the following recommendations:
- Establish processes to build new workloads with a consistently secure configuration, following guidelines such as the CIS Benchmarks, then audit deployed workloads for compliance with that baseline
- Continuously monitor for new vulnerabilities in both the operating system and the applications running on it
- Monitor system logs for signs of intrusion or attack
- Control user accounts across all workloads with a least-privilege model; prune unnecessary accounts and monitor account usage for anomalies
- Enable network access control for workloads in an automated, orchestrated manner, and require two-factor authentication for administrative access
- Monitor the integrity of critical files and alert on any deviation from the known-good state
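The last recommendation is the one most easily shown in code. The following is an added example, not code from the original article: it records a baseline of SHA-256 digests, sizes and permission bits for a workload's critical files, then re-checks the workload and reports files that were modified, removed, or added in the watched directories. The directory tree, file names and contents are constructed in a temporary directory for the demonstration; in a real deployment the baseline would be generated from the golden image at build time and stored off the workload.

```python
"""File-integrity baseline and check for a workload's critical files.

Added example, not from the original article. The file tree built in
demo() is constructed for illustration only.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_record(path: str) -> dict:
    """Digest, size and permission bits are what we compare against the baseline."""
    st = os.stat(path)
    return {"sha256": sha256_file(path), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root: str, relpaths) -> dict:
    """Record each critical file (paths relative to root) in a JSON-serialisable dict."""
    return {rel: file_record(os.path.join(root, rel)) for rel in relpaths}


def check_integrity(root: str, baseline: dict, watched_dirs) -> dict:
    """Compare the live tree under root with the baseline.

    Returns {"modified": {rel: [changed fields]}, "missing": [rel], "unexpected": [rel]}.
    A file is "unexpected" if it exists in a watched directory but not in the baseline.
    """
    findings = {"modified": {}, "missing": [], "unexpected": []}
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings["missing"].append(rel)
            continue
        current = file_record(path)
        changed = sorted(k for k in expected if expected[k] != current[k])
        if changed:
            findings["modified"][rel] = changed
    for d in watched_dirs:
        for dirpath, _, names in os.walk(os.path.join(root, d)):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in baseline:
                    findings["unexpected"].append(rel)
    findings["missing"].sort()
    findings["unexpected"].sort()
    return findings


def format_alerts(findings: dict) -> list:
    """One alert line per inconsistency, suitable for shipping to a SIEM."""
    alerts = [f"MODIFIED {rel} ({', '.join(fields)})" for rel, fields in findings["modified"].items()]
    alerts += [f"MISSING {rel}" for rel in findings["missing"]]
    alerts += [f"UNEXPECTED {rel}" for rel in findings["unexpected"]]
    return alerts


def demo() -> dict:
    """Build a constructed workload tree, baseline it, tamper with it, and re-check."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        files = {  # constructed sample content, not from a real host
            "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "usr/local/bin/app": b"#!/bin/sh\nexec /opt/app/server\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Serialise the baseline as it would be stored off-host, then reload it.
        stored = json.dumps(build_baseline(root, files), sort_keys=True)

        # Simulate tampering: weaken sshd, delete the app, drop a cron persistence file.
        with open(os.path.join(root, "etc/ssh/sshd_config"), "ab") as f:
            f.write(b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "usr/local/bin/app"))
        os.makedirs(os.path.join(root, "etc/cron.d"))
        with open(os.path.join(root, "etc/cron.d/persist"), "wb") as f:
            f.write(b"* * * * * root /tmp/.x\n")

        return check_integrity(root, json.loads(stored), ["etc", "usr/local/bin"])
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in format_alerts(demo()):
        print(line)
```

The check deliberately compares permission bits as well as content, so a chmod that adds the setuid bit to an unchanged binary is still reported. Because the baseline is just JSON, it can be produced in the build pipeline and pushed to each workload by the same orchestration that deploys it; re-baselining only through that pipeline keeps an attacker with a shell on the host from silently blessing their own changes.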
These are not new ideas, and security best practices have not fundamentally changed, but the environment we must operate in has. Security must be delivered to a workload anywhere, on demand, at any scale. That is only possible through integrated automation and orchestration, aligning security and compliance with the agile application delivery that is driving the rapid pace of change.
The legacy perimeter, network-centric approach to security must evolve. Applying these fundamentals to the workload itself, as close as possible to where compute occurs and beyond network controls alone, lets the environment be as dynamic as needed and scale to demand in real time. Going forward, organizations must ensure that IT can be delivered in an agile way while security and compliance are maintained.