Digital transformation – why your whole approach to security has to change
Darron Gibbard, Managing Director EMEA North of Qualys, explains to Information Age why organisations must overhaul their approach to security in order to achieve success in digital transformation.
For companies of all sizes, digital transformation is one of those catch-all terms that describes a multitude of changes taking place. From new companies that are cloud-native and taking advantage of all the flexibility of the cloud, through to traditional businesses that are evolving using technology at scale, digital transformation means a range of things to different people. IDC estimates that spending on digital transformation will reach $1.7 trillion worldwide by the end of 2019 – an increase of 42 per cent compared to 2017.
What’s not up for debate is how much impact digital transformation can have. Companies using their information more effectively are estimated to achieve more than double the profitability of companies that use more traditional approaches. However, in the rush to move over to digital, we must all consider how to use the best of our existing skills – particularly around areas like compliance and security.
The challenge for IT – even more moving parts
The move from on-premises IT environments to multiple cloud ecosystems can deliver these new digital services and provide increased value. However, it requires a fundamental shift in IT and security operations. With so many more moving parts – some of which are owned and managed internally, and some of which belong to third parties – more transparency around how security is managed is required. This inspires a higher level of security confidence with IT and developer teams, and this also enables teams to iterate faster too.
The main barriers to securing digital transformation are both functional and cultural. Recently, the number of functional security owners has increased, and each one will typically have their own favourite tools and their own particular processes. Within a single IT security department, this is acceptable; when there are multiple teams all responsible for their own parts of the IT stack, it becomes overly complex and more fragile. This overabundance of security tools is made harder to manage by a shortage of skilled cyber security practitioners who can effectively run security and collaborate with other teams.
Getting a clear view of security
For business leaders, the development of digital transformation and the implementation of the European Union’s General Data Protection Regulation (GDPR) both helped to make security a board-level issue. With this level of scrutiny, CEOs have been encouraged to make security a focus point for the future. According to a research study by BT, the majority of CEOs now rate security as ‘very important’ in ‘helping their organisations to achieve digital transformation objectives.’
In order to achieve success in digital transformation, organisations must not only retool themselves but also overhaul their processes so that they are secure by design. New technology philosophies like DevOps and Agile provide the opportunity to build security into the whole lifecycle that exists around IT use. By embedding proper security processes around cloud resources, companies can make their workflows deliver security into the fabric of this new architecture from the start.
Getting this degree of oversight and security in place involves making security goals and objectives clear to everyone, while also enabling those processes to run smoothly and effectively. It involves making security management into more than just a blocker for poor software; instead, it is about making services available quickly within those workflows. This process is termed transparent orchestration.
Transparent orchestration involves a re-wiring of security to match how this IT infrastructure has been rebuilt. As part of this, security must be automatically provisioned across the complete mix of internal and external networks, spanning everything from legacy data centre IT through to multi-cloud ecosystems and new container-based applications. Ultimately, this approach means being able to provision security controls and policies for all of these installations without direct human intervention, and without needing manual support for any changes that take place within those IT infrastructures over time.
For cloud and container services, the ability to scale up on demand is a key selling point for digital transformation. Making the orchestration transparent to both the infrastructure teams and to the security department ensures that the right security processes are in sync with changing resources and running at scale.
To achieve this involves working in three ways:
- Deploy Security Transparently
Rather than running multiple security monitoring tools across different sections of IT for specific use cases, IT teams should bring all their security services together into one place. The “single pane of glass” approach has always been lauded for security, but achieving it in practice requires work and consolidation of services where possible. What this approach provides is visibility across all IT assets, whether they are deployed on internal IT infrastructure or across multiple cloud instances, and whether these assets are physical, virtual or temporary services running in the cloud. To do this, security deployments have to be automated and lightweight: physical sensors for data centres, virtual sensors for hypervisors, sensors across cloud-based infrastructure, and sensors embedded within all container images.
- Monitor and Collect Data Transparently
IT and security teams need up-to-date and tailored views of their security status, fed by telemetry data that can be analysed in near real time. The challenge here is to achieve that analysis without the large processing overhead that conventional monitoring and analytics tools for traditional IT have carried in the past. Getting this data should enable teams to predict potential risks, spot vulnerabilities and respond quickly.
- Assign Actions Automatically Based on Best Practices
As the number of infrastructure platforms grows, and as those platforms scale up dynamically, IT and security teams must still detect threats automatically and take action. These actions can themselves be automated based on the best practices that exist and on how much risk the business can accept.
For example, if IT teams want to prevent devices from becoming a vector for injecting malware into cloud resources, they must put devices into lockdown, isolation or kiosk mode based on many factors. Detecting an issue that could be exploited is not enough – if it is significant enough to warrant action, the affected assets themselves should be flagged for fixes as quickly as possible. Automating work-around processes while the fix takes place can also help – for cloud and web applications, applying ‘virtual patches’ that block exploitation of known issues can prevent these problems too.
As companies look to digital transformation, they must look at security transformation as well. Rather than being gatekeepers and guardians, IT security teams have to provide guidance and best practice to everyone across the business and then ensure that those rules are enforced appropriately. By making security transparent to the whole organisation, digital transformation investments can deliver on their potential.
Darron Gibbard, Managing Director EMEA North, Qualys