Compliance Automation for the Cloud

The cyber security vendor landscape is...abundant. To say the least. TAG Cyber has approximately 1,700 vendors listed in our vendor directory, and that number is likely not exhaustive if you consider every small pen testing firm, every startup still working in stealth, and every analytics platform that isn’t strictly considered a security product. If you want to be a little more selective and only count the companies who offer products and are financially solvent, 650 security vendors had booths at RSA Conference 2019. And those booths don’t come cheap! Most small or early-stage startups can’t afford a show floor presence even if their technology is terrific.

Let’s say there are 750-1,000 viable vendor product companies in the commercial market and the average organization has ~50 different tools deployed[i], ranging from their SIEM to their email gateway, to identity and access management, firewalls, API security, network detection and response, data protection, and more. On top of deployed tools, it’s likely businesses are evaluating at least some new or replacement tools, meaning, security teams must fully understand the features, functionalities, and deployment and management requirements of each technology. That’s a lot of vendors and requirements to track, particularly considering that most organizations’ security teams are understaffed.

The industry has been talking about automation for a long time, and we’re now at a stage where automation—at some level—is expected in the vendor tools we buy, deploy, and manage. There’s simply no other way to scale. But what’s largely missing from the discussion about automation is automation at a cross-platform level, meaning automation for deployment, management, and compliance across every security tool in an organization’s environment.

Automation, discipline, and repeatability

As crazy as that sounds, this was Andrew Plato’s dream. In 1995, Plato founded Anitian as a value-added reseller (VAR), reselling the breadth of security products then available on the market (which is not an impressive number compared to today). Plato then added managed security and professional services to the business, focusing heavily on the compliance space. During this period, Plato saw firsthand the need for automation, discipline, and repeatability in security. “What companies were lacking,” he told me and Ed recently, “was an automated platform that could remove what is a languid, complex, meandering, error-prone process every company endures when deploying and managing security tools.”

As such, Plato, now with the title of CTO, took Anitian in a new direction—building on his past experiences—to develop such a platform. Its purpose would be to take the tediousness and resource intensiveness out of tools deployment and management, making the process (or iterative processes) faster and cheaper.

“The crux of the problem,” he said, “is that there are too many vendors and each one is a component of a security solution. CISOs don’t care about any of the component parts. Non-technical executives don’t care about individual technologies.” If the goal of the security program is to reduce cyber risk—and it should be—why should it matter if the organization has product A versus product B, as long as both are technically sound? And, if there’s one thing I can tell you after hundreds and hundreds of vendor briefings and conversations with enterprise security end users deploying and using these vendor products, for any one of the 54 product categories defined in our taxonomy, there are at least a handful of comparable players that could be interchanged. Yes, different individuals and different companies have product preferences, and some products are better at one thing than another, but there’s always (always, always) competition that could accomplish similar results (marketing speak aside).[ii]

A layer between CSP and apps

Thus, Plato’s dream was for security to transform from an impediment that slows down a business to an energizer that speeds it up. To realize the dream, he said, he and his team “built a platform that targets the primary cause of this slowness—integrating all those tools.” The main idea is that, when security tools are united into a single, automated platform that is pre-engineered to meet best practices and compliance requirements, security and compliance are no longer impediments that slow down development, but rather can accelerate it.

Today, Anitian’s primary message is around compliance automation that gets companies to the cloud fast. The platform is a layer that sits between the cloud service provider and the customer’s applications, and is squarely focused on high-performance cloud-based apps. After an automated deployment (of course), Anitian gains control over the customer’s application access network (WAF, load balancer, NGFW), tech stack (e.g., Tenable, Trend Micro, GitHub, Elastic, etc.), and admin access network (bastion, proxy, dev tools, jump host) and creates a hard boundary between the corporate network and Anitian’s high-security environment. Plato explained, “Everything is contained within our environment, starting from a known-good state.”

Because all assets are net-new in this environment, Anitian can certify that they are clean from a vulnerability standpoint. After data and apps are migrated into the environment, the platform wraps security controls around every application and checks that all configurations are correct and align with zero trust principles.

Bringing security tech together

The reality today is that companies consume technology piecemeal, yet it all must work together—and security and compliance risk can’t be introduced in the process. Managing each tool separately is an operational nightmare, yet most of this integration and compliance work is currently done in-house, thus eating up precious resources (if it’s done at all or done correctly). By working with Anitian, companies offload their operational and compliance headaches. For its part, Anitian simplifies its own operational process by making it highly automated. The last piece is probably of lesser concern to buyers—as long as it doesn’t take endless dollars to create golden images of their technology and bring it into compliance, it’s not their headache. Still, the automation is noteworthy because it helps mitigate the risk of human error.

Because Anitian integrates directly with the CSP, the customer’s apps and data are moved seamlessly into an environment where everything is built as a clean copy, compliance checks happen automatically, and the platform promises a rapid time to deploy. Customers essentially hit the “easy” button by purchasing the platform. While the budget line item for Anitian might be an initial shock when compared to typical product spend, potential customers need to consider the internal costs that are offset: the people hours, production hours, and the backlog created when a new tool is deployed; deployed, configured, or integrated incorrectly; or is out of compliance. Since so much of the platform is automated, Plato says the ROI for customers is generally much higher than they expect, especially when they consider how rapidly they can move to the cloud and affirm compliance.

In closing, Plato told us, “Our goal was to bring the power of software automation to something that is resource intensive and make it faster and cheaper. This is especially attractive to customers who use multi-cloud and who need built-in compliance.” Anitian says the value prop is that they’ll run, monitor, and manage customers’ entire environments, bringing them into compliance quickly, and reducing the threat of exploit.

_________________________________________________________________________________________________

[i] A 2019 Ponemon study estimated that businesses have 47 tools deployed. https://www.businesswire.com/news/home/20190730005215/en/Ponemon-Study-53-Percent-Security-Leaders-Don%E2%80%99t#:~:text=a%20timely%20manner.-,Key%20data%20points%20include%3A,investments%20in%20technology%20and%20staff.

A separate study by Palo Alto Networks estimates the average at between 50 and 60 tools for medium-sized businesses, reaching <130 for enterprises.

[ii] It’s why TAG Cyber refuses to stack rank vendors. Stack ranking is a silly process that is meaningless without context and individual requirements accounted for.