Few would try to argue that cloud computing, DevOps, and mobile computing aren’t having a profound impact on IT and how enterprises secure their environments and data. But you just wait for what is in store for the decade ahead. In his Friday morning keynote, Securosis president and principal analyst Mike Rothman will discuss how these technologies and movements will change information security and how security professionals do their jobs for years to come.
Prior to Securosis, Mike founded boutique consultancy Security Incite, was the first network security analyst at META Group and held executive positions at numerous security companies. We caught up with Mike shortly before his keynote to get a sense of his talk during the show.
George: You are kicking off QSC on Friday morning with your keynote: Inflection: Security’s Next 10 Years, which will cover how cloud computing, DevOps, and mobility are creating a moment of enormous change in information security. It looks like a very interesting talk from you, as always. But I have to admit that 10 years strikes me as quite a long time, an ambitious amount of time to look out upon.
Mike: It is. Ten years is a bit of a long perspective. The problem is, because the world is a big place, a lot of the trends that we’re starting to see now don’t really come to fruition for three to five, maybe even seven years. And then you’ve got, obviously, the ripple effect of how that’s going to impact how you protect some of your information. How do you deal with a lot of the architectural disruptions?
The main focus of the talk is to get a handle on what this whole cloud computing evolution and architectural disruption means from a security standpoint. I think it’s really under-appreciated, in terms of how different the world is going to be operationally.
Obviously you do a lot of work in the DevOps and continuous deployment world, looking at it from a security standpoint. And I still think, even for those folks who are kind of doing it, the true opportunity for just widespread disruption, in terms of how operations happen, is there. It’s really going to impact everything we know about how you protect your information.
George: I imagine this will have a significant impact on how information security departments look in a few years.
Mike: A lot of security people are going to have to give up on their empire. Because there’s no empire when everything happens as a set of templates and as continuous deployment. There’s no empire when you knock down instances, and you spin them back up every hour. How will you do configuration management, which is the bane of most operational folks, and a huge area of attack surface? You may not have to do that any more. Instead you’re locking down your images on the instances, and you don’t have drift because you don’t let these things live long enough to drift.
You have all those trends (cloud, mobile, DevOps) that are coming together, that really mean we’re going to have to get a lot better at things like setting policies. We’re going to have to get a lot better about instrumenting some of the higher-level aspects of the infrastructure to make sure that we’re in a place where you can really enforce a lot of the controls that are going to be required. This is because your data can pretty much be anywhere. And your compute can pretty much be anywhere. And your visualization and your presentation can be sent to any device, on any network, at any time.
These are fundamental changes driven by, obviously, cloud architecture and mobility from a consumption standpoint. And it really is going to fundamentally shift how security has to happen. Believe me, we don’t have great answers right now. But we’re getting pretty close to knowing what questions you’ve got to be able to ask, what thoughts you have to be able to understand in order to start to get your arms around what this transformation is going to be.
George: I’m still wondering how this is going to change basic things like operations. What does it mean to be in operations any more? What does it mean to be a dev in some organizations, when you’re both, essentially, doing each other’s jobs?
Mike: Yes, I think the tools, and the structures, and the workflows of how a lot of those processes look, fundamentally change. And I’m not going to say there isn’t going to be a role for highly skilled folks who understand how to make these devices and the controls work. I just think that as the world becomes a lot more policy-centric, the folks who understand the policies are going to be able to write their own tickets.
George: What does all of this mean to security practitioners? What kind of mindset should they have toward their career during the next couple of years? It sounds like there’s going to be shifting tides ahead when it comes to skills the market demands.
Mike: With disruption comes opportunity. With fundamental architectural changes, there will be disruption. So if you’re married to the way you’ve always done stuff, then it’s going to be a hard couple of years for you. If you’re open, if you’re adaptable, you’ll do fine. I guess the best advice I can give folks is: don’t go into this new wave of computing with assumptions about how stuff has to happen.
Some things will happen out on the cloud. Some things will still need to happen within your own internal environment. Somebody’s going to have to have visibility across all these different aspects of your environment. Somebody is going to need to accept the responsibility and the accountability to protect corporate data, even as it kind of scatters to the wind.
Where folks will get hurt is if they assume that the way they’ve always done stuff is the way they’re going to keep doing stuff. That is just not going to be the way things shake out.