Today, every cyber security vendor is in the cloud, but this wasn’t always the case. Until recently, the protection of virtually all enterprise assets was performed from within, presumably under the mature cover of a corporate firewall. This was a friendly and familiar architectural arrangement, especially for staid auditors, who took comfort that a firewall was ensuring gated-community policy enforcement. The problem, of course, is that this approach has not worked. The complexities of the modern workplace, existing computing economics, and global business have forced every enterprise to open its coffers to the surrounding environment. For some cyber security solutions, this demands a frenzied redesign, but for a select few, it offers confirmation of their original vision. My friend Philippe Courtot, CEO of Qualys, has had precisely this cloud vision for many years. From its inception in 1999, his pioneering company has performed vulnerability management from a holistic perspective, providing a continuous view and visibility of security and compliance posture across global IT assets, whether on premises, on endpoints, or in the cloud. I had the chance to compare notes with Philippe recently, and here is what I learned.
EA: Philippe, does it surprise you how long it has taken enterprises to move beyond perimeter networks and embrace cloud and virtual environments?
PC: While we saw companies such as Salesforce.com disrupt traditional enterprise software, the security industry has indeed been slow to enable such a change. This is because ensuring security has the problem of asymmetry, where hackers need only to find one vulnerability to penetrate a company’s defense, whereas every company must identify all vulnerabilities and embark on the difficult task of eliminating or mitigating them. The result of this imbalance has been a myriad of point solutions to protect enterprise networks. Because of the nature of enterprise software, with its long and complex development cycles, enterprise security and compliance solutions were difficult to deploy and integrate with each other, which explains the tsunami of data breaches, despite major investments we are seeing in cyber security.
EA: How hard is it to locate enterprise assets when they are scattered across hybrid cloud systems?
PC: This is the number one problem, as you cannot secure what you do not know, and very few companies know what assets they really have. With a computing environment where complexity and scale are increasing, where almost everything connects with everything else, and where the data is scattered across many different environments, a new architecture is required to continuously identify, catalog and assign attributes to companies’ global IT assets. This is becoming the number one priority.
EA: How important is continuous monitoring in the process of vulnerability management?
PC: It is critical to have an updated inventory of all corporate assets and to continuously identify those out of compliance, either because they have vulnerabilities or misconfigurations that can be exploited, or because they are in violation of internal policies or external regulations. In fact, IT, security and compliance should be brought under a single integrated solution, rather than having three different cyber security solutions that are in fact looking at the same data in three different ways, with no way to correlate the results. As I mentioned earlier, you cannot effectively protect what you do not know.
EA: Will the growing enterprise use of data encryption change the vulnerability management process? Will it be possible for scanning tools, for example, to find and see what they are looking for?
PC: Indeed, encryption is going to become more pervasive as the industry moves toward protecting data both at rest and in transit. As a result, security must be built into the fabric of today’s cloud computing environment, rather than retrofitted afterwards. This proactive approach can be accomplished by embedding sensors, which we call cloud agents, into every component to identify vulnerabilities and unusual behaviors, while also looking at the computing environment like hackers do by using dynamic and passive scanning. With such an approach, we can look continuously at this new computing environment from both the inside and the outside to detect potential vulnerabilities or malware that could result in breaches and to be able to automate the detection and response to attacks.
EA: Philippe, you’ve had such a broad perspective across the technology and security communities during your career. In your opinion, does the security community face a greater challenge from rapid changes in business and IT, or from rapid advances in cyber attacks?
PC: As I have had the opportunity to explain many times to the security community, these rapid changes in both areas that are becoming evident today are just like previous disruptive changes in the history of computing. They present both a unique opportunity and a formidable challenge. Simply said, those who do not embrace the change will be left behind, as nobody can resist the power of creative disruption for long. So, welcome to the cloud-computing era.