There are key themes to watch at the RSA 2019 conference, including cloud security best practices and the role of DevSecOps in company modernization.
After years of skepticism about the cloud, it seems the tables may have finally turned.
Longtime security experts not only embrace the cloud today but say that its attributes can teach traditional data center managers a thing or two about security best practices.
That’s a far cry from a decade or so ago, when traditional data centers were viewed as the default paradigm for secure environments while public clouds were eschewed as risky bets. Today, the cloud’s ephemerality is the real benefit for IT security, experts argued at the annual webcast with the RSA Conference advisory board members on Feb. 13.
“If the cloud is truly that ephemeral in nature, are there things we can do to . . . make it harder for the bad guys to get a foothold?” said Kim Jones, a professor at Arizona State University, during the webcast.
The cloud’s state of constant change can benefit on-premises data centers by compelling IT to tear down and rebuild environments regularly, Jones argued. “If I’m setting up and tearing down my environment every 30 days, you’ve limited the opportunity a bad guy has to do bad things. So how can we take advantage of some of the lessons in cloud, and are these lessons transportable back into a data center environment?”
It makes sense for data center managers to take lessons from cloud-based workloads. Indeed, according to the recent Cisco Global Cloud Index, 93% of workloads will run in the cloud by 2020.
Caroline Wong, chief security strategist at Cobalt.io, said that during her years at Zynga, a social video-game developer, she and the security team didn’t recognize the advantages of rapidly changing cloud architecture “until it began to happen,” she recalled.
“We would be keeping track of all these vulnerabilities in these game studios,” Wong said, “and we would have a list of security problems. And then the next week we’d look, and a bunch of them would be gone. The cloud enabled a major architectural design change to occur in a pretty fast fashion.”
“If you’re following good practice for doing cloud security, it actually forces you to . . . not make any assumptions about what protections might be provided and rely only on what you can deploy to protect that application in that environment,” said Laura Koetzle, vice president and group director at Forrester Research.
Another key security trend in 2019 is the importance of bringing DevSecOps to application development.
DevSecOps integrates automated security tasks within DevOps processes. (DevOps combines development and traditional IT operations teams, bringing work that has sometimes been at odds closer together; DevSecOps aligns security efforts with those DevOps projects.) For advisory board members, DevSecOps is an important aspect of cloud security best practices: it unites team efforts and entrenches a culture of continual testing in a rapidly changing environment.
Interest in DevSecOps is high, even if practice lags. According to the DevSecOps Community Survey 2018, 73% of its 2,076 respondents said that recent data breaches had heightened interest in DevSecOps. According to the same survey, though, only about a quarter have “mature” DevSecOps practices integrated.
Advisory board members said that, much like the cloud, DevSecOps is far simpler to introduce to those without legacy practices.
“It’s much easier for an organization to be born into DevSecOps than for an organization with a traditional waterfall methodology to transition,” Wong said.
At the same time, some organizations with legacy practices have used DevSecOps to pave the way to a broader digital transformation.
One global apparel company, in fact, brought all previously outsourced development in-house and simultaneously introduced DevSecOps. As Wong recounted, the company introduced DevSecOps because it recognized the inherent connection between successful digital customer experiences and security.
“They actually think that for their digital experiences to be fun, fast and fair, they first need to be reliable, stable and secure,” Wong said.
Advisory board members also debated how best to get developers integrated into security testing earlier in the process. Wong said that giving developers software security testing tools can create a frustrating experience, where they are flooded with false positives and don’t really know how to remediate their code based on the information anyway.
“I don’t think it’s an effective method,” Wong said. “A developer looks at their day and says, ‘I have items A, B and C to accomplish, and here on the side, the security team wants me to push this button, and when I do I get a whole bunch of results I don’t really understand.’ Whatever security is providing to development teams needs to be accompanied by prioritization guidance,” she emphasized.
Jones said that false positives can create information overload but that software security testing tools are key to bringing development and operations closer together.
“Giving developers access to the tools with proper guidance is a good method to transition from siloed, waterfall processes to a true DevSecOps environment—where security is part and parcel of everything,” he emphasized.
With proper guidance, the tools can spark conversation. Jones recalled his first role as chief information security officer where developers learned the significance of red, yellow and green security alerts and how to address them.
Once developers were instructed, Jones recalled, they not only embraced security testing but became more engaged because of it.
“Developers were coming back to me and saying, ‘Why aren’t we looking at these yellows too?’ [Developers] became part and parcel of the conversation versus having something done to them.”
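The prioritization guidance Wong asks for, and the red/yellow/green triage Jones describes, can be made concrete in the pipeline rather than left to each developer. The script below is an added example, not code from the webcast, its speakers or any vendor's scanner: it takes raw scanner findings, discards duplicates and reviewer-confirmed false positives (with an expiry, so a suppression does not live forever), maps each remaining finding to a red, yellow or green bucket with a one-line remediation hint, and fails the build only on red while still surfacing yellows. The finding format, severity names, suppression entries and advice text are all constructed assumptions for illustration.

```python
"""Triage security-tool findings before handing them to developers.

Added example (not from the RSA webcast or any named tool). The scanner
output shape, severity names, suppression rules and remediation advice
below are constructed assumptions, not a real product's format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed scanner output, shaped like a generic SAST JSON export.
RAW_FINDINGS = [
    {"id": "F-1", "rule": "sql-injection", "severity": "high",
     "file": "app/orders.py", "line": 42, "fingerprint": "a1"},
    {"id": "F-2", "rule": "weak-hash-md5", "severity": "medium",
     "file": "app/legacy/checksum.py", "line": 10, "fingerprint": "b2"},
    {"id": "F-3", "rule": "hardcoded-secret", "severity": "high",
     "file": "tests/fixtures.py", "line": 3, "fingerprint": "c3"},
    {"id": "F-4", "rule": "debug-enabled", "severity": "low",
     "file": "app/settings.py", "line": 88, "fingerprint": "d4"},
    # Same fingerprint as F-2: a duplicate the tool reported twice.
    {"id": "F-5", "rule": "weak-hash-md5", "severity": "medium",
     "file": "app/legacy/checksum.py", "line": 10, "fingerprint": "b2"},
]

# Reviewer-maintained suppressions: fingerprint -> reason and expiry date,
# so a confirmed false positive is re-examined instead of hidden forever.
SUPPRESSIONS = {
    "c3": {"reason": "test fixture, not a live credential", "expires": "2019-12-31"},
}

# Severity -> traffic-light bucket. Unknown severities fall to yellow so
# they are shown rather than silently dropped.
SEVERITY_TO_BUCKET = {"critical": "red", "high": "red", "medium": "yellow", "low": "green"}
BUCKET_ORDER = {"red": 0, "yellow": 1, "green": 2}

# One-line remediation hint per rule: what to do, not just that it is wrong.
ADVICE = {
    "sql-injection": "Use parameterised queries; never interpolate input into SQL.",
    "weak-hash-md5": "Replace MD5 with SHA-256 (or bcrypt/argon2 for passwords).",
    "hardcoded-secret": "Move the value to a secret store and rotate it.",
    "debug-enabled": "Turn off debug mode in production configuration.",
}


@dataclass
class Finding:
    id: str
    rule: str
    bucket: str
    file: str
    line: int
    fingerprint: str
    advice: str


def is_suppressed(fingerprint: str, today: str) -> bool:
    """True if a suppression exists for this fingerprint and has not expired."""
    entry = SUPPRESSIONS.get(fingerprint)
    if entry is None:
        return False
    return date.fromisoformat(entry["expires"]) >= date.fromisoformat(today)


def triage(raw: List[Dict], today: str) -> List[Finding]:
    """Dedupe, drop active suppressions, bucket, and sort red-first."""
    seen = set()
    out: List[Finding] = []
    for f in raw:
        fp = f["fingerprint"]
        if fp in seen or is_suppressed(fp, today):
            continue
        seen.add(fp)
        bucket = SEVERITY_TO_BUCKET.get(f["severity"].lower(), "yellow")
        out.append(Finding(f["id"], f["rule"], bucket, f["file"], f["line"], fp,
                           ADVICE.get(f["rule"], "See the rule documentation.")))
    out.sort(key=lambda x: (BUCKET_ORDER[x.bucket], x.file, x.line))
    return out


def gate(findings: List[Finding]) -> str:
    """Block the build only on red; yellows are reported for discussion."""
    return "fail" if any(f.bucket == "red" for f in findings) else "pass"


def summary(findings: List[Finding]) -> Dict[str, int]:
    return {b: sum(1 for f in findings if f.bucket == b) for b in BUCKET_ORDER}


if __name__ == "__main__":
    result = triage(RAW_FINDINGS, "2019-02-13")
    for f in result:
        print(f"[{f.bucket.upper():6}] {f.id} {f.rule} {f.file}:{f.line} -> {f.advice}")
    print("gate:", gate(result), summary(result))
```

Run on the constructed data with the webcast date, the script reports one red (the SQL injection), one yellow (the MD5 use, shown once despite the duplicate), one green, and fails the build; the hard-coded "secret" in the test fixture stays hidden only until its suppression expires, after which it comes back as red and has to be re-justified.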
For more news from RSA, check out our RSA 2019 conference coverage.
Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget, a senior editor at Cutter Consortium, an IT research firm, and an editor at the American Prospect, a political journal. She has received awards from the American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article “The Fluid Jurisprudence of Israel’s Emergency Powers.”