As IT embraces agile and the enterprise perimeter becomes increasingly porous, security has to roll with the changes and there’s no going back.
In a recent webinar, Securing Agile IT: Common Pitfalls, Best Practices and Surprises, 451 Group senior security analyst Adrian Sanabria emphasized that security in an agile world needs to be seen as a secondary layer and not a barrier to getting things done.
IT used to be very closed, he said. “The perimeter was easily definable.” Users and servers were on the same network, and there might be a couple of VLANs. Now mobile devices and laptops leave the corporate network on a regular basis, and increasingly, servers reside in someone else’s data centre, either through a colocation arrangement or because of the cloud. “What’s really challenging is they all exist at the same time,” said Sanabria. “We have to secure it even though we don’t have the thick perimeter.”
And the cloud is more than just virtual servers, he said. It encompasses services, micro-services and APIs too. “Containers are big right now.” With cloud and SaaS becoming a bigger part of the enterprise, there is potentially a plethora of management consoles that need to be monitored.
But all of this change is not necessarily a bad thing, said Sanabria, because some of the lower layers are being removed. “Removing layers from the bottom is actually good for security.” It actually reduces attack surfaces and what security teams have to manage. The management plane remains, however, and services such as Amazon Web Services are targets for ransomware attacks. He said getting access to an enterprise’s AWS can be the equivalent of getting a hold of the keys to a physical data centre.
So while security is less about patching or updating an operating system, you still have to understand where the waterline is, said Sanabria. Many cloud customers don’t understand who is responsible for what. “People and processes are very different in this environment.”
Outside of security, another misconception is that it’s all about cost efficiencies. “In a lot of cases, it’s more expensive,” said Sanabria, but it allows enterprises to do business differently, more quickly, and security has to keep up. Under old models of IT, security had to spread itself broadly and it was traditionally applied as a bottleneck. “It was a very slow process,” he said. “As defenders, we tended to adapt very slowly while attackers adapted quickly and that put us at a disadvantage.”
Sanabria said it’s not just the newer companies such as the Netflixes of the world that are embracing agile and adjusting security for this new environment, but older, more established companies too, even if it means segmenting IT into groups that manage the old and ones that manage the new with a DevOps mindset that’s geared toward supporting business goals.
He said security tools are now being built into the workflow of the organization. “It isn’t the workflow itself.” Security staff are spending less time doing manual activities, looking instead at the core of security and at how it can be less of a bottleneck. “Security can’t impact the delivery schedule.”
In an agile environment, enterprises need to apply due diligence to security tools: What can be automated? What can be integrated and done outside of security? What labour is necessary to get value out of a tool? Sanabria said security is no longer about long deep scans and generating spreadsheets to be analyzed. Instead, APIs can be quickly queried and tools are focused on efficiency and value. Once businesses embrace agile, there’s no going back.
“Be prepared for all of your processes to change.”