On Friday of last week, I had the opportunity to participate in a panel discussion at the Boston Cybersecurity Forum, talking about Operationalizing Security in the Cloud. I was joined by a stellar crew from across the industry:
- Greg Dracon – .406 Ventures
- Jamie Finn – Sansa Security
- Aleksandr Yampolskiy – SecurityScorecard
- Sam Bisbee – ThreatStack
- Ryan Nolette – Bit9
Over the course of our hour, we covered a pretty wide range of topics, from the emergent trends in the security space (more automation, the rise of the non-human actor as a threat vector, and the dissolution of the perimeter) to whether anti-virus as an industry is dead (probably not, but the freeware tools are more than good enough; refocus that spend on authz, intrusion detection, and visibility tools).
Some of the more interesting questions that came out of the interactive portion of the discussion had to do with the idea that DevOps infrastructure was changing the rules of the game for IT. As Sam pointed out at one point, the silo of infosec is an outdated model; decisions that are made “on the ground” by developers are generally not filtered through a separate team in most organizations. Although automation and continuous integration platforms have become essential components of most organizations’ product development processes, the challenges around implementing good cybersecurity have not disappeared. What has happened, however, is that they tend to be managed in conjunction with the development of the infrastructure itself — meaning that they are subject to the same time, expertise, and urgency pressures that any DevOps project experiences.
One thing that all of us on the panel see as a result of this is the increased need for better visibility and control in the space. As increasingly important workloads are being moved to cloud platforms, a new set of best practices is emerging. These engagement rules have less to do with keeping people out and building strong firewalls, and more to do with the creation of situational awareness across the entire environment, often in spite of that environment’s elasticity.
Some of the ideas that we started to outline in reply to our audience were revamping the underlying infrastructure to build universal identity for both users and non-human actors, implementing technologies and tools that help identify anomalous activity, and establishing strong authorization policies to protect information at the application level.
In a sense, this is the beginning of a security architecture for the cloud – a topic I’m excited to continue to explore in the coming months.