In Digital Business, Don’t Sacrifice Security for Speed
Today’s businesses must move at the speed of innovation to remain relevant. That means embracing digital technologies and processes – from cloud computing and software-as-a-service (SaaS) models to DevOps and robotic process automation (RPA) – to help deliver products and services to market faster. But this “need for speed” and shorter feedback loops can introduce a host of new risks.
A survey of cybersecurity professionals conducted at InfoSecurity Europe 2019 underscores this problem. The study shows that 34 percent of organizations have bypassed important security steps in order to get products out to market faster. As a result, a staggering 64 percent believe that their customers could “easily be breached” as a direct result of unpatched vulnerabilities in their organizations’ products and applications. Here’s our take on some of the survey’s key findings, along with some insights from our CISO View panel of Global 1000 CISOs.
Cloud applications abound in digital businesses, but security is low priority. According to the survey, nearly half of the organizations (49 percent) are currently running more than half of their applications in the cloud. Yet many organizations are not prioritizing the protection of the applications that they deploy – or those they depend on to keep business in business.
A recent CyberArk study shows that nearly 70 percent of organizations do not secure business critical applications, such as ERP and CRM systems, any differently than they secure low-value applications or services. As cloud applications proliferate, organizations must take steps to protect what attackers target most: privileged access. This means locking down the powerful human and application-to-application credentials used by SaaS applications and cloud-native applications built using DevOps methodologies to reduce the risk of an attack.
Security and development teams must align; application security must adapt. The vast majority of respondents (92 percent) agreed that having security test products and applications was important. However, 39 percent admitted that security is not involved at the beginning of the application development cycle.
Traditionally, security teams could come in toward the end of the game and put up “gates” to ensure that applications were tested and met various security requirements before being released. But with the dawn of continuous application delivery, these gates are gone. Today, security teams must take the lead in aligning with DevOps teams and DevOps culture. Security teams need to work with development and operations to integrate security into modern processes from the start.
When it comes to application security testing, security teams should work to automate as many application testing and scanning processes as possible and incentivize manual testing efforts through creative initiatives like bug bounty programs. They should also conduct regular Red Team exercises to identify weaknesses that automation may miss. Check out in-depth recommendations for adapting security processes for modern application testing.
Zero Trust can break the cycle of security failure. The InfoSecurity survey shows that 37 percent of organizations have already experienced attacks that could compromise their data and applications in the cloud. According to industry experts, nearly all cyber attacks involve privileged access. As organizations increasingly operate in cloud-first environments, access is not limited to the network and the perimeter is no longer defensible.
This means that security strategies must shift to protecting what’s most important—from within. Zero Trust security models are making this possible. With Zero Trust, organizations trust nothing and verify everything, whether it comes from inside or outside the network perimeter, before granting access. By practicing defense-in-depth and incorporating privileged access security controls at the core of their strategy, organizations can implement a Zero Trust framework that helps to drive down risk while maintaining business velocity.
For example, the CyberArk Global Advanced Threat Landscape 2019 Report revealed that less than half of organizations have a privileged access security strategy in place for DevOps, IoT, RPA and other technologies foundational to digital initiatives. This creates a perfect opportunity for attackers to exploit legitimate privileged access.
No matter the digital transformation strategy, security must be a critical consideration from the beginning. This industry study illustrates the risks of embarking on new digital programs without a solid security foundation in place.
The CISO View report on Protecting Privileged Access in DevOps and Cloud Environments tackles many of these challenges and offers practical guidance for effectively reducing risk in modern environments—from CISOs who have been there. Download the report to learn more.