
MY TAKE: Coping with security risks, compliance issues spun up by ‘digital transformation’

A core security challenge confronts just about every company today.


Companies are being compelled to embrace digital transformation, or DX, if for no other reason than the fear of being left behind as competitors leverage microservices, containers and cloud infrastructure to spin up software innovation at high velocity.

While the benefits of DX are highly touted, this shift has also spawned a whole new tier of unprecedented privacy and security challenges. On one hand, threat actors have already begun exploiting fresh attack vectors, born of this rising complexity, and, on the other, government authorities and industry standards bodies are insisting on compliance with increasingly cumbersome data-handling security rules.

I had an evocative discussion at Black Hat USA 2019 with Andy Byron, president of Lacework, a Mountain View, CA-based start-up that has raised $32 million in venture capital to help companies address these conflicting imperatives. For a full drill down, give a listen to the accompanying podcast. Here are my big takeaways:

Tech stack exposures

Companies today routinely rely on software applications written by far-flung third-party developers busily mixing, matching and reusing modular “microservices” and packaging them inside of software “containers.” This all adds up to faster output by software development teams, which, in turn, has given impetus to the rise of “serverless” cloud infrastructure.

Two types of organizations are doing this, Byron told me. Established enterprises, dragging along their legacy datacenters, recognize this as the once-and-future path for cost savings, agility and speed to market. Meanwhile, next-gen companies, like Netflix, Uber and Airbnb, are proactively racing down this path, right out of the gate.

“People are taking the development, building and management of applications and moving it into a new phenomenon called containers,” Byron says. “The cloud is kind of dragging this movement along and DevOps and security are center stage, at the moment.”

Shifting requirements

One way to understand the security hazards is to think about the radical changes being imposed on the traditional enterprise technology stack. A tech stack is the collection of software and tools companies cobble together to deploy apps, websites and other digital products. A couple of decades ago, when everything was on the company premises, sitting behind a firewall, security teams at least had a fighting chance to stay on top of things.

However, today, companies tweak their tech stacks constantly, updating on-prem and virtualized servers, extending private, public and hybrid cloud systems, and so on. Software updates can crop up moment-to-moment; settings and configurations get scrambled continually; access rights get distributed far and wide.

In this milieu, there’s a “large question about the integrity, compliance and security” of the applications that are being developed on the fly, as well as the cloud architecture they reside on, Byron says.

As both the brick-and-mortar stalwarts and the next-gen start-ups increasingly leverage DevOps and place greater reliance on cloud infrastructure, a common requirement is “ensuring the security of the application, as well as the compliance of the application, within the infrastructure itself,” he says.

Drumbeat of breaches

It turns out there can be catastrophic outcomes for failing to address security. This has been made clear by a steady drumbeat of breaches and fresh exposures.

For every Capital One massive breach that hits the top of the news cycle, there are dozens of more intricate hacks that never make the headlines. A certain number of them get discussed in cybersecurity circles. And it is reasonable to assume many, many more malicious probes and deep hacks are going undetected.

The Capital One breach demonstrated, yet again, that well-defended enterprises have yet to figure out how to account for all the complexities of moving to the cloud and relying more on DevOps. Consider that it was a misconfigured open-source Web Application Firewall, running on Amazon Web Services, that gave a former Amazon IT staffer a path to crack into this financial services giant.

The FBI arrested a 33-year-old Seattle woman and charged her with pilfering sensitive data for 100 million US and 6 million Canadian bank patrons. That included social security and social insurance numbers, bank account numbers, phone numbers, birth dates, email addresses and self-reported income; in short, just about everything on an identity thief’s wish list.

Not nearly enough attention is being given to vulnerabilities that are being quietly and intensively exploited. One example is Redis, which stands for Remote Dictionary Server. Redis is an open-source tool that’s been around for several years and has come to be very widely used by app developers as a database, cache, message broker and queue. Security researchers at firewall vendor Imperva recently found that 75% of deployed Redis servers show signs of malware infection.

Redis underscores the pervasiveness of fresh attack vectors in modern tech stacks. “With all these moving pieces, it’s a great time for the adversaries to try to grab as much data as they can out of organizations,” Byron says. “The massive transformation that’s happening right now introduces a lot of risk . . . it’s almost a perfect storm. It’s a great time for these adversaries to attack, whether it’s a large or small organization.”

Locking down containers

Launched in 2016, Lacework has rolled out a new platform of security services designed to give companies comprehensive compliance, security and configuration support for workloads and accounts running in AWS, Azure, GCP, multicloud, on-premises, and hybrid environments.


“When somebody wants to move their applications to the cloud, we ensure the account security of the data that resides in the cloud,” Byron says. “We secure the public cloud infrastructure itself, whether it’s Google, Amazon or Microsoft, the three primary ones. And we also secure a lot of hybrid clouds.”

Lacework, Byron told me, is seeking to assist companies, large and small, as they move more of their critical workloads to the cloud. It can help companies identify, analyze, and report on misconfigurations, vulnerabilities, and anomalies in user behaviors and account usage patterns.

A number of other security start-ups, along with a few of the established security giants, are moving into this arena, striving for more effective security solutions for cloud computing and DevOps. The science of identifying and mitigating misconfigurations and other vulnerabilities in cloud-based container infrastructures is moving forward.

This is encouraging. But we’re at the start of a long journey. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)


*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-coping-with-security-risks-compliance-issues-spun-up-by-digital-transformation/