Security Essentials in a Digital World
What does being Digital mean
Companies are either being disrupted or transforming themselves to be digital businesses. The core purpose of this transformation is to develop the capability to innovate at speed to compete and win.
The changes this transformation introduces go beyond technology. Truly becoming an agile and responsive business requires change on both the business and the IT side. In simple terms, this means changing how services (both business and technical) are designed, built, deployed and accessed by the customer; in other words, changing the company’s operating model.
As companies fundamentally change how they do business, their security and compliance policies are affected too. Older security models and compliance policies do not fit emerging technologies and modern agile practices.
The security landscape is changing, and the cost of a security breach is significant. There is the hard cost of patching and rebuilding servers; there is the harder-to-measure cost of lost revenue while business services are disrupted; and, most significant of all, there is the loss of customer trust and the damage to the company’s brand.
So investment in preventing and containing breaches is essential. But the money has to be spent in the right way and on the right tools: tools that work with the new way of building applications, that help manage the new types of workloads, and that integrate with the new processes that enable the digital journey.
Human error is cited as a contributing factor in 48% of security breaches. Roughly half of the risk can therefore be managed by automation and standardised configuration that remove the opportunity for human error. The remaining half requires vulnerabilities and the attack surface to be continuously monitored and managed.
The traditional security models for datacenters and applications are being disrupted by the new design patterns and by the processes now used to build, develop and deploy them.
- Public and private clouds require shared responsibilities for regulatory compliance, security and data privacy.
- Container adoption changes how applications are designed and deployed. New tools and methods are required to manage the lifecycle of containers at scale.
- Mobile applications running on unmanaged devices further emphasise the need for appropriate back-end security, since the client cannot be trusted.
- A software-defined approach to almost everything (compute, network, storage) is dramatically altering the security landscape.
The traditional concept of securing assets by network zone (such as a DMZ) is no longer sufficient and may no longer be relevant at all. The threat environment and the attack surface continue to evolve, with organised crime linked to identity theft, economic and nation-sponsored espionage programs, and lone-wolf hackers.
Evolution of security
Security must be both proactive and reactive. It must be considered at every stage of your application and infrastructure lifecycle.
To do this effectively, you need to integrate security experts into your application, deployment and infrastructure teams.
- Design - identify security requirements and governance models
- Build - bake in security features into your application. Automate security testing as part of build pipelines.
- Run - run applications on trusted platforms with built-in security features, e.g. SELinux for mandatory access control
- Manage - Maintain an up-to-date catalog of assets and monitor access and usage across the entire fleet, which could potentially be private and public infrastructure
- Adapt - use analytics and automation to adapt: revise, update and remediate as the landscape changes.
Security must be a continuous, ongoing activity. Revise and update your policies & governance as the landscape changes.
Security and Open Source
Open source software is driving this digital transformation. There are millions of open source projects.
So it is critical to understand the journey of open source code from upstream, through community projects, to the customer’s implementation. Some of the milestones in this journey are:
- Project/Package selection
- Manual inspection of code
- Automatic inspection
- Packaging guidelines
- Trusted builds
- QA, certifications
- Enterprise Support
- Security updates/patches
- Understanding what application workload is being deployed on top of it
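Two of the milestones above, trusted builds and security updates, together with the "Build" step of automating security testing in the pipeline, lend themselves to a concrete illustration. The following is an added example written for this page, not code from the original article or from any particular vendor. It models a minimal build-pipeline gate that (1) pins a SHA-256 digest for every third-party source artifact at package-selection time and refuses to build if the artifact fetched at build time differs or is unreviewed, and (2) compares each pinned version against an advisory feed so that a build still carrying an unpatched dependency fails until it is updated. All package names, versions, artifact contents and advisory identifiers (`libfoo`, `libbar`, `ADV-0001`, `ADV-0002`) are constructed; the advisory feed is a hypothetical stand-in for a real vendor or distribution security feed.

```python
"""Build-pipeline security gate (constructed example for illustration).

Checks that run automatically on every build:
  1. integrity: every third-party source artifact must match the SHA-256
     digest recorded in the lock file when the package was selected and
     reviewed, so a tampered or substituted download fails the build;
  2. advisories: the pinned version of each dependency is compared against
     known-vulnerable version ranges, so a build that still ships an
     unpatched dependency fails until a security update is applied.
All names, versions, digests and advisory ids below are constructed.
"""
import hashlib
import operator

# Constructed artifacts as fetched at package-selection time, after review.
SELECTED_ARTIFACTS = {
    "libfoo-1.2.3.tar.gz": b"libfoo 1.2.3 source (constructed)",
    "libbar-0.9.0.tar.gz": b"libbar 0.9.0 source (constructed)",
}
# Versions pinned alongside the digests.
PINNED_VERSIONS = {"libfoo": "1.2.3", "libbar": "0.9.0"}

# Hypothetical advisory feed: package -> [(operator, bound, advisory id)].
ADVISORIES = {
    "libfoo": [("<", "1.2.4", "ADV-0001 (constructed)")],
    "libbar": [("<", "0.8.0", "ADV-0002 (constructed)")],
}

_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
        ">=": operator.ge, ">": operator.gt}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_lockfile(artifacts: dict) -> dict:
    """Record the digest of each reviewed artifact; this is the trusted input."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def parse_version(version: str) -> tuple:
    """'1.10.0' -> (1, 10, 0), so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, spec: tuple) -> bool:
    op, bound, _advisory = spec
    return _OPS[op](parse_version(version), parse_version(bound))


def integrity_failures(lockfile: dict, build_inputs: dict) -> list:
    """Every pinned artifact must be present and match; nothing unpinned may enter."""
    failures = []
    for name, expected in lockfile.items():
        data = build_inputs.get(name)
        if data is None:
            failures.append(f"{name}: missing from build inputs")
        elif sha256_hex(data) != expected:
            failures.append(f"{name}: digest mismatch (expected {expected[:12]}...)")
    for name in build_inputs:
        if name not in lockfile:
            failures.append(f"{name}: not in lock file, unreviewed input")
    return failures


def advisory_findings(versions: dict, advisories: dict) -> list:
    """Report every pinned version that falls inside an advisory's affected range."""
    findings = []
    for pkg, version in versions.items():
        for spec in advisories.get(pkg, []):
            if is_affected(version, spec):
                findings.append(f"{pkg} {version}: {spec[2]} (affected {spec[0]} {spec[1]})")
    return findings


def run_gate(lockfile: dict, build_inputs: dict, versions: dict, advisories: dict) -> tuple:
    """Return (passed, problems); the pipeline fails the build when passed is False."""
    problems = integrity_failures(lockfile, build_inputs) + advisory_findings(versions, advisories)
    return (not problems, problems)


if __name__ == "__main__":
    lock = make_lockfile(SELECTED_ARTIFACTS)
    # Build 1: inputs are intact, but libfoo 1.2.3 is still inside ADV-0001's range.
    print("build 1:", run_gate(lock, SELECTED_ARTIFACTS, PINNED_VERSIONS, ADVISORIES))
    # Build 2: a substituted tarball for libfoo fails the integrity check as well.
    tampered = dict(SELECTED_ARTIFACTS)
    tampered["libfoo-1.2.3.tar.gz"] = b"libfoo 1.2.3 source (TAMPERED)"
    print("build 2:", run_gate(lock, tampered, PINNED_VERSIONS, ADVISORIES))
    # Build 3: after the security update to libfoo 1.2.4 is pinned, the gate passes.
    print("build 3:", run_gate(lock, SELECTED_ARTIFACTS, {"libfoo": "1.2.4", "libbar": "0.9.0"}, ADVISORIES))
```

The point of the design is that the lock file, not the build-time download, is the source of truth: the digest is fixed at the moment the package was selected and inspected, and everything after that is a mechanical comparison the pipeline can run without a human in the loop. The same shape extends to verifying a detached signature instead of a bare digest, and to reading the advisory feed from a distribution's published security data rather than an inline table.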
In closing, security is a continuous, ongoing activity that should be the default and not an afterthought.