In this ESG360 Video, ESG's Doug Cahill and Mark Peters discuss current issues and trends in the world of Cybersecurity.
Read the related ESG Blog: Talking Cloud Cybersecurity
Announcer: The following is an ESG 360 video.
Mark: IT these days is big and it's complex. Now, much as we're looking at the outcomes of IT and the overall implications of it, a lot of it is still focused down at the individual component and what we at ESG call segment level. So I'm spending some time talking with my colleagues that look after those individual components to try to understand just a little bit about those for those of us who aren't into that expertise quite as deeply and also then to try and tie that back to the bigger themes around IT. So today I'm sitting with Doug Cahill.
Doug: Hi, Mark.
Mark: So Doug, let's start off by...in simple terms for the uninitiated, that'll be me, what do you cover?
Doug: So I cover cloud security, so both cloud infrastructure security and cloud application security, so basically all things cloud services that organizations need to secure, I cover that, as well as endpoint security and data security. So cloud application security is securing SaaS applications, so think Office 365 and salesforce.com and Dropbox, ServiceNow.
So all the applications that are delivered from the cloud as a service, so SaaS applications. It typically means cloud application security brokers is the type of security control that more organizations are now using to secure the sensitive data that's associated with those cloud applications and also to prevent those cloud applications being hijacked by adversaries as a vector via which to introduce threats back into the enterprise.
Doug: So that's cloud apps. And cloud infrastructure is infrastructure as a service. So that's the endpoint applications on a public cloud infrastructure platform, and typically, that requires a workload-centric and API-centric approach to secure those environments.
Mark: Give me an example of a couple of key things going on in your segment right now, could be vendors, could be technologies, could be outside influences. I don't know. But something that, again, someone should be aware of for this area of focus.
Doug: A lot of companies today are software houses. They're doing in-house software development, they have their own app dev teams, and increasingly, those app dev teams are using containers as a way to do rapid application development and iterative application development. That creates some security challenges. So the big challenge is how does security become part of that app dev team without slowing down the process. You know, too often, security has been bolted on.
It's too often seen as a tax and something that's done after the fact. And when I think about continuous integration and continuous development and delivery, so dev-ops, I see an opportunity to integrate security further upstream so that developers are doing things like static code analysis of their source code. We're doing vulnerability scanning in test environments, and then we'll go to production where we're providing and applying preventive controls, access controls, continuous monitoring looking for anomalies.
So it's more of a process where security, for example, and containers. Security should be included in a container registry. You should be scanning your container registries for vulnerabilities and good configurations and every step along the way from build to ship to run, security really ought to be integrated instead of being an after-the-fact thought.
Mark: That's interesting to me because what that says is...I've always thought...perhaps I didn't use the phrase bolted on but you just put ever more padlocks and ever more bags around something so it's secure. Whereas what you're talking about is building it into the application essentially.
Doug: That's it. That's it. Security is all about defense in depth. So you still want belts and suspenders of padlocks and so forth. And we still have a physical perimeter so we still need traditional security controls that secure that perimeter. But we have this sort of amorphous virtual perimeter of workloads and data and end users that are mobile.
Mark: But the good thing...and I'm sorry to talk over you. If we do this right, then I guess the problem with padlocks and all those things, which you still need to some degree, but if you have 20 padlocks on the back of your door, your door isn't very useful any longer, isn't it? And so you can actually...too much security can destroy the very thing you wanted, whereas what you're talking about is, yeah, you still need a padlock but if you can make that door self-secure in other ways, maybe the door can sense who's there. I'm gonna stretch the analogy too far.
Doug: Yeah, no, no, no. What comes to mind when you say that, Mark, is that very often, security is seen as something that will slow us down. So if I'm gonna add more padlocks, this metaphor doesn't work, but my door is gonna be slower versus if you just integrate it, you actually don't slow things down, it just becomes an integral part of how you do modern application development and modern infrastructure management and modern infrastructure security.
Mark: Yeah. Being very pedantic on that analogy, yes, the door didn't slow down, in fact, it still opens at the same speed but you won't get to the opening for ages because you've got all these other processes to go through. I'm interested, and I think you've touched on it, but I'd love your comments on to what extent if we get security right, to what extent can it actually help us do better IT, rather than doing what we've already got better?
Doug: Yeah. So one of the big challenges in cybersecurity that we all are well aware of is the acute shortage of cybersecurity skills. So to do the cybersecurity part of IT better, we've got to realize greater operational efficiencies. So traditionally with security, there's been sort of these competing outcomes. I need to improve the efficacy of detecting and preventing threats. And sometimes that means deploying noisy controls and having really skilled cybersecurity professionals. At the same time, I need to get more operationally efficient because I have a more complicated environment to secure with less people.
Now, fortunately, we have new technologies such as machine learning, artificial intelligence, and security automation that's being able to make those previously mutually exclusive outcomes no longer mutually exclusive. So we can improve the effectiveness, the accuracy, really the fidelity, so a higher fidelity of detecting threats without throwing off a bunch of false positives and basically chasing down the rabbit hole over things that are not real security incidents.
And then the ability to automate. So it goes back to the dev-ops comment, being able to automate how we introduce security from our dev environment, our test environment, and production environment but also in a data center or a SOC context, being able to automate on the backend. So as I get security events into my SIEM, for example, and I'm using machine learning to perform the analytics, I can then automate action. So those are some things on the horizon that are really encouraging that we're seeing.
Mark: It's really interesting. I think...and these conversations are fascinating because like most people, I tend to think that security is something that's just applied as an afterthought, and you're saying by doing it as a pre-thought, as a prerequisite, that it's something we can enjoy and it's no longer 27 padlocks on the door so we can actually get better outcomes because we can open the door faster.
Doug: You bet. And one of the key questions is, "That sounds good, but how do I start?" And I think about the dovetail between agile software development and dev-ops. And agile in general as a project management approach where you're defining user stories and as a team, you're prioritizing those user stories for your next sprint, typically a two-week sprint. And on a daily basis, your team gets together and they do a stand-up, your scrum team does a daily stand up.
They talk about progress on those particular user stories, those tasks that they've been assigned. And I think that's where security starts is that the product owners that are responsible for defining user stories need to find security user stories, they need to prioritize for the next sprint. And on a daily basis, that cross-functional team should be talking about security every step of the way. So I think that's the way we really swim it upstream and integrate security.
Mark: All right. Well, Doug, thank you very much. And hopefully, that's interesting for you. Certainly, for me, that security is not an afterthought, it can't be unless you want to... You can still do it but it's gonna be tough and probably have detrimental effects elsewhere. Think about it right at the start.