The familiar decision to move one’s software development focus from traditional waterfall to Agile DevOps introduces the need for corresponding shifts in cyber security. Similarly, moving enterprise applications and systems from on-premise hosting to virtual workloads hosted off-premise in the cloud also requires changes in security. The best available solutions to dealing with these shifts offer means for using automation to provide continuous protection through the entire cloud workload lifecycle. These solutions also focus on improving visibility for developers, administrators, and users into the protection aspects of virtual systems. Obviously, this helps immeasurably with compliance and other required security tasks. As part of my research for the 2017 TAG Cyber Security Annual (you can download the three PDF volumes at https://www.tag-cyber.com/), I had the great opportunity to sit down with Carson Sweet from CloudPassage over sushi in Hoboken to discuss these ideas.
EA: Carson, how important is it for new and existing enterprise cyber security solutions to support Agile IT?
CS: It is very, very important. Agile IT can be viewed a broad, umbrella term for a combination of agile application development, virtualized cloud infrastructure, SaaS, DevOps, continuous integration and continuous delivery, and on-demand, as-a-service delivery. This combination of technologies and operational constructs has created a fundamental shift in how information technology is delivered to enterprise and consumer users. In fact, in my opinion, this the largest technological shift since the IT community moved from mainframe to client-server. When a shift this significant builds up momentum, security is often a top concern – so it’s critical for cyber security solutions to be “agile-savvy.” Those who don’t pay attention to this trend are soon going to find that security architects pass them over or relegate them to legacy environments.
EA: Since the essence of Agile DevOps is speed, do cyber security vendors have to adjust their concept of time? Specifically, is “continuous” the new normal?”
CS: Yes, I do think that continuous is the new normal. In fact, that is a great way to think about it. When CloudPassage started in 2009, we watched the way that agile application development completely changed the pace of competition. And now, compute, storage, networking, and now security, all share this pace, meaning that in order to keep up competitively, enterprises must get agile. Based on our work with dozens of the companies in the Fortune 1000, we’ve learned that they also know this.
EA: What’s been your experience with enterprise teams moving their applications and systems to cloud? Do any specific trends or observations come to mind?
CS: The biggest unspoken trend I see is that every enterprise goes through a phase where they aspire to agile, but as with most technology trends, they quickly realize that there’s no magic wand. Three years ago, every large enterprise was convinced they’d be able to do it all themselves. Over time, however, they realized that a system administration is not a DevOps engineer, and that a traditional, vertically scaled application can’t be forklifted to a cloud environment. They also learned that cloud infrastructure requires a skill set that’s in low supply and high demand. As a result of these reality checks, we’ve seen a big uptick in public IaaS adoption with large enterprises. This is interesting considering that enterprises consider agility critical enough that they must immediately adopt an alternative approach to getting there.
EA: Every cyber security expert likes to complain about that subset of compliance managers and regulators who don’t understand technology. How in the world will these individuals ever come to understand and approve the use of complex structures like dynamic micro-segments on virtual cloud workloads?
CS: Let’s hope that this situation improves with the passage of time and the installation of new leadership. Actually, the challenge with auditors and regulators catching up to technological change is really no different in this IT delivery evolution than in previous situations. Or instance, in the late 80’s and early 90’s, compliance teams struggled with the distressing idea that RACF and Top Secret were no longer the centers of the security universe. They soon got caught up with IP and Internet technologies by watching the industry leaders, who in turn helped drive some of the earliest compliance standards around that space. So it will take industry leadership to define what’s possible and tenable, along with sufficient time for this knowledge to percolate throughout the industry. History doesn’t always exactly repeat, but I think it does echo – and if that’s the case, we can probably expect financial services and telecommunications carriers to be the early leaders.
EA: Do you think that virtualization will really help the enterprise thwart cyber threats? We all know it saves money, but will it save assets from being attacked as well?
CS: It cuts both ways. One big benefit of virtualization – and the related, but more specific technologies of containerization and micro-services architecture – is that the infrastructure can become a moving target. This of course depends on the deployment model, because vanilla virtualization is usually more of a moving target than bare metal, but not as much of a moving target as containerized micro-services. Another benefit is that virtualization and the related infrastructure orchestration can drive new heights of consistency in deployment and configuration. However, this is an example of how something can cut both ways. That is, a bad configuration decision or mistake can turn a virtual machine template into the equivalent of Typhoid Mary, spreading exposure rapidly through the enterprise. So as with most new technologies, there are upsides and downsides.