Security: The foundation for transformation success
Organizations can create extensive and impactful cloud transformation models, but they won't succeed until they lock down one critical element: security.
Think about it. A boat builder can install the most advanced motors, navigation systems, and onboard computers available, but the vessel won't get far if the hull springs a leak. The same goes for today's enterprises. They're building up resources for DevOps, collecting and analyzing data at the edge, and rebalancing applications across platforms. But what happens if this edge-to-cloud environment isn't secure? The transformation takes on water.
Where things stand
Unfortunately, many enterprises are struggling with this critical task. Based on our engagements with customers, we've evaluated enterprise progress in capability in the eight domains making up the HPE Edge to Cloud Adoption Framework.
Security is one of the domain areas organizations are prioritizing, and progress is being made. In fact, security is one of the areas that we see the greatest overall maturity in capability across our engagements, with an average maturity of 2.2 on a scale of 1 to 5, where a score of 3 indicates a cloud-ready organization (see Figure 1).
Figure 1: The Security domain in the HPE Edge to Cloud Adoption Framework
However, the security domain has a number of subcomponents that need to be addressed in order to establish a secure cloud-everywhere operating model, and we see some areas that require attention (see Figure 2).
Figure 2: Organizational maturity in the security domain
This variability makes sense in light of the key structural differences between traditional and cloud-native architectures, which affect how security is implemented. The use of infrastructure as code (IaC), the adoption of DevOps, and the related hyper-automation has fundamentally altered system architectures and, in turn, how they are managed and secured.
While a successful transformation requires contributions from many diverse components, we find that enterprises that successfully implement a cloud operating model across the organization differ from those challenged in three primary areas of security:
- Risk and compliance
- Security controls
These three areas are foundational and critical to the success of other security initiatives. So, while we see progress in the other security capabilities of identity and access control and application security, organizations that pursue these initiatives absent the foundation of the other three domains will face problems. They may, in fact, introduce more risk by providing the illusion that security is stronger than it actually is.
Risk and compliance: Can you monitor, understand, and manage your estate to security standards?
The advent of infrastructure as a code both helps and complicates the job of security experts. Now, both application code and infrastructure components are released using a software pipeline model. This accelerates the software development velocity while it also requires security to adapt to avoid becoming a bottleneck. Adopting IaC and automation within security as well increases the security function's velocity to keep pace.
Automation is what differentiates leaders and laggards, as it allows the security function to gain situational awareness at the scale and velocity of the cloud.
Clients leading in security have deployed an automated logging and monitoring strategy that scales alongside applications and environments. That enables the situational awareness required by the security function. Now, with automation and IaC, organizations have the ability to take those controls and embed them in patterns and processes that get implemented at the beginning of a pipeline—which is the concept of shifting left. Doing so allows them to optimize both for security and velocity.
Leaders are moving beyond traditional compliance models and embracing a concept called continuous compliance. By implementing automation through the technology and process stacks, these organizations ensure that configuration management processes are all tracking to a defined standard. This allows them to have a better understanding of their state of security at any point in time. Leaders have also embraced immutable infrastructure and automated remediation, both enabled by cloud-native architecture, which dramatically cuts down on drift and increases the signal-to-noise ratio to allow their security teams to focus more on threat management or even adopt threat hunting.
For example, a large healthcare client has developed an automated cloud deployment platform that enables and enforces all logging and alerting needed, including pipeline and compliance checks. The system continually monitors the environment after deployment and alerts the application owner, cloud operations, and the security operations center (SOC) of the drift for remediation, thus minimizing distractions and focusing resources on qualified events.
Security controls: Leave the legacy processes behind
With security controls, enterprises are running into problems because they're not adapting to their new environments. While the controls themselves don't change, how they're implemented likely will. They're attempting to use traditional on-premises tools and approaches in a hybrid, cloud-native estate. This doesn't work, and companies that don't appreciate the architectural difference will take more time on their overall transformations and have to spend more.
Take endpoint protection: antivirus, anti-malware, and post-intrusion detection. Traditional platforms that deploy antivirus capabilities as part of the machine build process check in on a periodic basis, typically daily, weekly, or biweekly. In cloud-native environments, when hosts spin up and down in minutes, traditional tools won't even be aware of the threat landscape that changes on a more frequent basis. This same frequency issue often appears with configuration management databases, which are often a foundation for understanding current system inventory and thus key to understanding the threat landscape. This lack of environmental awareness caused by using traditional tools in a hybrid environment is a hallmark of laggards in our engagements.
From a security perspective, the marketplace is providing more tools that make it easier for organizations to manage security in hybrid environments. Ensuring that tooling for configuration management, logging and monitoring, encryption, and threat and vulnerability management supports a hybrid context is an important way for organizations to generate quick wins.
Where we've seen organizations excel in this area, they've adopted hybrid tools that support both traditional and cloud-native environments. They have also adapted their standard operating procedures to leverage the benefits these tools bring across their entire IT ecosystem. Take a cloud-native approach and pull it into your traditional environment to more quickly and more broadly modernize your security capabilities.
For example, a financial services organization had deployed a container image scanning tool at the end of a development pipeline for its cloud environment. Taking a shift-left approach, the organization moved the tool to the beginning of its pipeline across all environments. Doing so drove greater adoption of container image standards across both cloud and traditional environments, accelerated deployment velocity, and enhanced the traditional environment's security posture. The key value driver was simply a change in operating model.
Governance: Have your security and operations teams adapted to your new operating model?
A common issue among organizations struggling to make progress shifting their security capabilities toward a cloud model is in the skills and approach of their security and operations teams.
In a cloud operating model, the same control requirements, control frameworks, and regulatory requirements still exist. But how they're implemented is different. Cloud uses ephemeral resources, different networking constructs, and different concepts of the edge of a network—and that requires different skills to manage the infrastructure.
If a security team understands only classic data center, three-tiered architecture, it's going to struggle in a hybrid environment. It would be like putting a basketball player on a football field; they're playing different games. It's essential to offer security staff upskilling opportunities to help them understand the differences in approach and how to adapt classic security controls accordingly.
Organizations that don't upskill their SOC to ensure they have people who understand cloud-native architectures will entirely miss threats; they simply won't know what to look for. If an organization creates accounts and access rights using IaC, for example, the information sits in a repository that developers have access to as part of a pipeline or process. There's no longer a fortress of security; security elements change regularly using IaC.
The attack vectors to look for have also changed dramatically. Organizations no longer worry about a secure network of devices. That's a classic security approach: to make a really tough perimeter. Now they have to think about a network of secure devices. Every device has to become secure. That's a different, zero-trust-oriented architectural mindset that has to be understood.
The discipline of security is still going to be the same. Organizations still need security experts. Rather than assign cloud experts more responsibility over security, it's better to upskill the security team to understand the hybrid architecture.
Moving forward: Addressing cultural factors and risk objectives
Why are organizations slow to adopt new practices to upgrade their security infrastructures? Usually, it boils down to culture and objectives. It's not unusual to see a wall between a security organization and the rest of the IT organization. That creates a natural tension, inhibiting communication and collaboration. Moreover, a lot of security organizations are resistant to change, even though the need to transform is often most acute in security organizations.
On the objectives side, companies may not be balancing their business objectives with their risk objectives. Leaders need to encourage a holistic assessment of objectives for revenue, business development, and risk so that they can find the right balance of approach to help the business move fast and securely.
Where we see organizations progress in security for cloud operating models, they've taken measured steps to address cultural and goal alignment issues. The organizations are ultimately more effective at putting in place the people, process, and tool changes necessary to deliver modern security across their entire estate.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.