Securing Applications and their Relationships in the New Normal
Navigating the ‘New Normal’
With Shelter in Place rules in effect, I often find myself in an introspective and retrospective mood, asking questions such as: am I applying lessons learned to do better in the organization? Have we effectively adapted to ‘digital’ in daily operations, within products, and for our customers?
The shift to a completely remote workforce brings a variety of challenges, whether you are a global corporation that needs to maintain business continuity, a healthcare system that needs to meet HIPAA requirements through the surge of the pandemic, or a financial institution whose influx of online users in the past 30 days required a rapid adjustment to business operations nearly overnight. We are all working through many new (and old!) security concerns. Stemming from our newfound 100 percent digital ecosystem, the business impacts range from internal communications with coworkers (Zoom!) to maintaining engaging relationships with customers. We are all struggling to keep up and stay ahead.
I address these challenges below; for a deeper look into adapting to digital in the dispersed workforce, also check out my video Lunch and Learn sessions.
Going Full Digital comes with Risks
It can be safely assumed that the vast majority of B2C and B2B applications either use open source code or are cloud connected. Furthermore, operational stakeholders are split between developers and operators, each typically aligning to product/business line owners and to operational/technical leaders respectively. Said another way, developers are business aligned and favor speed, whilst operators are technically aligned and prioritize consistency and stability.
This operational and business divide can be observed in recent news. Zoom founder and CEO Eric Yuan himself said, “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socializing from home.” Now they are scrambling to fix the vulnerabilities and keep their customers’ data safe.
(Continuous) Application Relationship Management to Safely Deploy Product
To mitigate this risk and ensure B2C and B2B products are safe to deploy, we need to start framing discussions from a common platform: applications and their relationships.
A lifetime ago, as a CISO myself, I had to assert that the operating environment for a given application was completely understood and controlled. That is, I had to show a full asset inventory, provide evidence of consistent change/configuration management, and demonstrate that all appropriate security controls were implemented effectively throughout the operating scope of the application.
Looking at the current tools landscape, no single IT or InfoSec platform is capable of ensuring that applications are both performant and secure. Furthermore, the commonplace “do more with less” pressure that all CIOs and CISOs have to manage is even more pronounced under current economic conditions, and identifying and implementing a broad portfolio of tools is no longer a viable option.
The Demands that Stem from Digital
To further complicate operations, working from home and managing distributed operations is a substantial paradigm shift. Up until about 15 years ago, Information Security and Compliance was tightly woven into backbone IT services. IT operated within a static business environment, primarily supporting on-premise ERP, HRMS and CRM systems, typically tied to a self-managed eCommerce platform.
The breadth and depth of IT operating environments have grown exponentially with the shift towards digital customer experiences. B2C experiences now have frictionless purchase flows (think Amazon ‘Buy Now’), and B2B services are expected to be 99.999 percent available (like power and water) while delivering to the increasingly exact needs of their entire customer base.
To meet this demand, many organizations have been compelled to adopt Agile and DevOps practices, fundamentally handing infrastructure and network responsibilities to developers as extensions of code. As a result, most enterprises have inadvertently exposed themselves to Information Security and Compliance risks, because shared code and software defined services (infrastructure and network) make consistent enforcement of operational and security policies difficult at best. With increasingly stringent Privacy and Data Protection regulations (GDPR, CCPA, SWIFT) and consumer and business demand for compliance and security certification (PCI, SOC 2 Type II), we need to do better in the new normal.
With the move to developer centric operations, the standards and means by which operating environments are presented and managed have completely changed. To cross the chasm between developers and operations, mapping application relationships against network topologies is a must. In my own practice, I have consistently used application relationship maps to confirm the ‘in-scope’ workloads of an application, quickly followed by evidence collection and the decommissioning or disconnecting of all non-essential connections into the environment.
Moreover, most modern applications are modular, so that individual features, upgrades, or new releases can be pushed at speed. Using applications as the common frame of reference for identifying and qualifying business-driven technical changes, operational resilience can then be delivered in concert without sacrificing security or performance.
Understanding what our applications are composed of, where they reside and operate in the cloud, and managing who can access our applications, whether individually or systematically, is the key to doing so.
A lifetime ago, vArmour Application Controller helped me address all of those questions with dependency visualization (between applications, workloads, and services) and policy definition (in AWS security groups and local firewalls). That is why our motto, Relationships Matter, resonates with me and with all of our customers.
vArmour delivers on that motto by bridging business and technical prioritization through visualizing application relationships, and by maintaining strong partnerships for business continuity.
At its foundation, vArmour Application Controller ingests flow logs from host environments, whether virtualized on-premise or in the public cloud. With that visibility, vArmour relationship contexts can be used to enrich asset inventories and streamline operational processes.
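As an added illustration of the workflow described above (flow logs aggregated into application relationships, then used to confirm in-scope workloads and surface non-essential connections), the following Python is an example written for this post, not vArmour's code. The inventory, application names, addresses and flow records are all constructed, and the allow-list of peer applications is a hypothetical input an operator would supply.

```python
from collections import defaultdict

# Constructed inventory: workload IP -> (application, tier). Names are hypothetical.
INVENTORY = {
    "10.0.1.10": ("payments", "web"),
    "10.0.1.20": ("payments", "api"),
    "10.0.2.30": ("payments", "db"),
    "10.0.9.5": ("hr-portal", "web"),
    "10.0.7.7": ("legacy-reporting", "batch"),
}

# Constructed flow records in a simplified VPC-flow-log-like shape:
# (src_ip, dst_ip, dst_port, action)
FLOWS = [
    ("10.0.1.10", "10.0.1.20", 8443, "ACCEPT"),
    ("10.0.1.20", "10.0.2.30", 5432, "ACCEPT"),
    ("10.0.7.7", "10.0.2.30", 5432, "ACCEPT"),    # batch job reading the payments DB
    ("10.0.9.5", "10.0.1.20", 8443, "REJECT"),    # blocked, so not a relationship
    ("203.0.113.9", "10.0.1.10", 443, "ACCEPT"),  # external client on the web tier
]


def app_of(ip, inventory):
    """Resolve a workload IP to its application; unknown addresses are 'external'."""
    return inventory.get(ip, ("external", None))[0]


def relationship_map(flows, inventory):
    """Aggregate accepted flows into application-level edges: (src_app, dst_app) -> ports."""
    edges = defaultdict(set)
    for src, dst, port, action in flows:
        if action == "ACCEPT":
            edges[(app_of(src, inventory), app_of(dst, inventory))].add(port)
    return dict(edges)


def non_essential_connections(app, flows, inventory, allowed_peers):
    """Accepted flows into `app` from applications outside its declared allow-list.
    These are the candidates for evidence collection and decommissioning."""
    members = {ip for ip, (a, _) in inventory.items() if a == app}
    findings = []
    for src, dst, port, action in flows:
        if action != "ACCEPT" or dst not in members:
            continue
        src_app = app_of(src, inventory)
        if src_app != app and src_app not in allowed_peers:
            findings.append((src_app, src, dst, port))
    return findings
```

With the constructed data, the map shows three application-level relationships into `payments`, and only the `legacy-reporting` batch job's database connection falls outside an allow-list that permits external clients.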
We at vArmour also like to say “Better Together”, and that has proven true in our relationships with our alliance partners Gigamon, Tanium, Tufin and Digital Shadows. Together, we meet the core needs of our customers and enable them to do more with less.
Stay tuned for our next blog written by our Senior Vice President of Alliances, Kate Kuehn, for a deeper dive into why we are “Better Together” and use cases within our customer portfolio that demonstrate our strong partnerships and successes.
Join us Wednesday, April 22, for a 30-minute Virtual Lunch and Learn with guest speaker Mark Weatherford, former VP & Global Information Security Strategist at Booking Holdings, to learn the keys to maintaining a bulletproof information security and compliance strategy as we transition to a world of digital customers and distributed operations.