The first day of Qualys Security Conference 2018 was a big one. Both CEO Philippe Courtot and Qualys chief product officer Sumedh Thakar detailed the challenges faced by many of today’s enterprises when it comes to the growth of cloud and the complexity of their hybrid environments. And they shared their visions of the road ahead on how enterprises can find ways to effectively manage their cloud environments and digital transformation efforts ahead.
A big theme of the day was how cloud security brings complexity and lack of visibility into modern environments.
Additionally, Qualys VP of engineering Dilip Bachwani provided a look at how the Qualys Cloud Platform is built to scale and perform; Jimmy Graham spoke on obtaining real-time vulnerability management, and attendees learned how to better secure their cloud deployments, containers, and web applications.
No More Chasing Waterfalls
In his lunchtime talk, 451 Research analyst Scott Crawford shared with a packed audience how the good old days (a little over a decade ago) look a lot more simple in retrospect than they did to us at the time. Only we didn’t appreciate it then. Back then we had endpoints, our own data centers, applications and networks to secure. Today, we each still have much of that (even more endpoints) as well as multiple cloud infrastructure services, dozens of software services, containers, virtualization; and the long waterfall software development processes have been replaced by continuous delivery.
Expectedly, as cloud became cheaper and easier to deploy, enterprises began deploying more. The promise was that cloud would help to simplify many aspects of security. With cloud infrastructure services, for instance, the enterprise no longer had to worry about securing that layer of the infrastructure, as they do with their on-premises systems. With cloud software services, enterprises had to concern themselves with even less security management.
Interestingly, cloud hasn’t simplified enterprise security to the extent promised. The reality is that more complexity has arisen. As Crawford pointed out, Jevons Paradox says that as unit cost and ease of access remain low, adoption increases but total costs also increase.
This has certainly been the story with cloud computing. Within most organizations, everyone from individuals to various business units regularly buy cloud services outside the purview of the central IT department, and there’s been no slowdown in sight.
So how do enterprises secure ever growing, sprawling cloud environments?
To Manage Complexity, Build Security In
That’s the exact challenge Cox Automotive faced. Cox Automotive CISO Patty Smith and Tabrez Naqvi, senior manager of security and risk assessment detailed their challenges when it came to moving to cloud and consolidating their on-premises and legacy systems. Smith explained that the company made the decision to shift to a cloud-first strategy. That’s quite a shift for a company with 100s of different applications and approximately 45 data centers. According to Smith, the objective was to consolidate those 45 data centers down to five. “We had a lot of DevOps teams, and a lot of Agile teams. We figured with the size of our company the only way to really get there was to insert security into those processes and go the DevSecOps route,” Smith said.
Naqvi added that would require Cox reinvent the way they manage security. One of the first things they determined, Naqvi said, was that it would be impractical if not impossible to hire enough security engineers to inject into every process throughout the enterprise. Cox Automotive has more than 350 Scrum teams, for instance. “If anyone has tried to hire security engineers over the last few years, they know that that’s an almost impossible task. There’s too few of us, we’re in too high demand,” he said.
The only feasible approach Cox Automotive identified was to shift security deeper into the development and deployment processes within the organization. “The idea is to inject security into the DevOps program with DevSecOps, and create services that can be consumed by our engineering teams,” Naqvi said.
“Hopefully, there will also be a cultural change because we are integrating security into every one of your processes,” Naqvi said.
Crawford would likely agree with the approach. As enterprises find the total cost and complexity of cloud rising, Crawford advised enterprises to develop their own comprehensive strategy and find ways to build security deep into the process, from design, development through deployment and management.
And that’s my biggest takeaway from day one at QSC18: Organizations have to build security in as much as possible, and automate as much as possible if they’re going to succeed at securing complex hybrid environments with continuous delivery pipelines.
Watch all Qualys Security Conference videos.