ESG Blogs

The set of announcements at AWS’s annual re:Invent is always impressive, albeit a bit of a firehose for which AWS’s own Amazon Kinesis data streaming processing engine would be helpful. At last week’s AWS re:Invent, a seminal annual IT event only AWS can get away with scheduling the week after Thanksgiving, the company announced a number of important security capabilities, some small, some big, all customer-driven. Thematically, in addition to a clear focus on identity and access management features designed to help customers rein in their AWS identities and secure S3 buckets, AWS is clearly focused on enabling enterprise-class use cases.

There was a lot to take in at Black Hat 2019 in Las Vegas. Fortunately, ESG covered a lot of ground with our expanded team of analysts. With the dust now settling from Black Hat 2019, ESG analysts share some takeaways from the event in this ESG On Location Video, including:

Jerry Garcia once said the Grateful Dead is like black licorice—you either love them or hate them. Well, I have finally been able to make a connection between the Dead and cybersecurity as it sure seems to me that “DevSecOps” is the Grateful Dead of cybersecurity—you either love it or hate it.

One of the marketing campaigns that resonated the most with me over the last few years is the messaging behind Trend Micro’s XGen campaign because it aptly captures the challenge cybersecurity teams face: the complexity of securing multiple generations of technology. That is, it’s not just about next-gen. It’s also about protecting the last gen, and whatever comes after next-gen.

After all, while we still have mainframes, tape libraries, and Oracle running on UNIX, appdev teams are leveraging public cloud platforms and a rich set of microservices to rapidly build and deliver applications. Such heterogeneity represents a requirement to secure a diverse set of applications stacks deployed across hybrid, multi-clouds. Palo Alto Networks' stated intention to acquire Twistlock and PureSec, the former for container security, and the latter for serverless security, is a strong move to add cloud-native application security controls to companies' already extensive product portfolio.

In this video blog, ESG’s new principal analyst, Christina Richmond, and I preview what we expect to see at RSA Conference 2019. The scope and scale of RSA Conference continues to grow with adjunct events held by industry organizations such as the Cloud Security Alliance, vendors, and ESG with our own breakfast event. A few of the topics we expect to be front and center at this year’s RSA Conference include:

As a follow-up to VMworld US in Las Vegas this past August, VMware reiterated its compelling albeit ambitious strategy at VMworld Europe in Barcelona. From my perspective, that strategy is well aligned with the flexibility today’s enterprises require – the ability to run any app on any cloud accessed from any device with intrinsic security. This is the true essence of hybrid clouds for which VMware has a comprehensive definition – private cloud, public clouds, as well as Telco clouds – and a plan to offer a hybrid cloud control plane with equally flexible delivery options.

As a cybersecurity industry analyst, I am admittedly guilty of being myopic in looking for security to be the leading act in the keynote at major industry events. Such was the case at AWS re:Invents of the past when security was front and center starting with a discussion about the shared responsibility security model, the foundation of any cloud security program. That started to change in the last few years with security playing more of a supporting role in Andy Jassy's and Werner Vogels' keynotes. To be clear - it’s not that AWS is now being dismissive of security by any stretch, it’s simply that security is no longer an impediment to the adoption of public cloud platforms, at least those operated and secured by major CPS such as AWS, who has always treated security as job #1. AWS no longer needs to convince the market the cloud is secure, the conversation is now about how to meet your part of the shared responsibility model.

Integrating, and thus automating, security via the continuous integration and delivery (CI/CD) processes of DevOps, an approach referred to as “DevSecOps,” is a topic that had, until somewhat recently, been discussed largely only at DevOps and cloud-specific forums and events. But DevSecOps is coming of age. The ongoing adoption of DevOps by enterprise organizations, and the growing interest in bringing security along for the ride, is getting the topic a bigger stage, with DevSecOps being presented in sessions at more mainstream events such as RSA Conference, the CISO Summit at Black Hat, and VMworld. The adoption of application containers and the Kubernetes environment that orchestrates their lifecycle across the build-ship-run continuum has also been a catalyst for CI/CD integrated security. Because DevSecOps starts with a cultural shift, leverages CI/CD methods, and requires purposeful controls, it is an amorphous concept not only hard to define, but challenging to make actionable.

Amidst the backdrop of a stated intent to relieve cybersecurity point tool fatigue by consolidating vendors, there is a lot of discussion, and confusion, around cybersecurity platforms. We’ve seen this before in both cybersecurity and other IT domains as products become features and products get aggregated into suites delivered on a platform comprised of a set of shared services.

In this video, my colleague Jon Oltsik and I share some of our thoughts from the recent CISO Summit at Black Hat 2018. While respecting the event’s Chatam House Rules that require us to keep CISO comments anonymous, we have a conversation about some of the takeaways from the panels and presentations at the event on central cybersecurity topics including: