How to Ensure Trust and Security in Enterprise IT and the Cloud
Cloud security risk management should be the same as reducing risk on-premise. Yet more than half of respondents in the recent ActualTech Media MegaCast: Ensuring Trust and Security in Enterprise IT and the Cloud, were not confident that their data is as secure in the cloud as it is on-premise. Businesses are concerned they’ll lose control of their environment, become unable to define and manage their attack surface, and fail to keep up with network management tasks.
Robert Rodriguez, FireMon’s Director of Field Engineering (Connect with Robert on LinkedIn), says that the best path to securing a hybrid environment isn’t some revolutionary idea. “You have to go back to the basics,” he said. “If you’ve been around in this field for a while, you’ve seen what I’m going to talk about. You’ve done it. You know a lot about visibility, threat reduction, and automation. So, if everyone knows about these things, why isn’t everyone doing them?”
Corporate imperatives clash with security realities
“Traditional approaches force you to slow down to stay secure,” said Rodriguez. “That doesn’t work in today’s business environment. Security and network teams should be enablers, not roadblocks.”
But while enterprises demand digital transformation, innovation, hybrid cloud, and time-to-market, security and network teams are stuck with too many policies in too many places, more types of devices, more changes, and too many manual processes exacerbated by – of course – the skills gap.
Rodriquez described a call he’d received from a customer who described themselves as ‘putting the no in innovation.’ The company was trying to move quickly but the security and network departments were causing slowdowns as they tried to ensure changes were made securely. “That’s their job,” said Rodriguez. “And making fast changes in environments that include SD-WAN, SASE, branch offices, the cloud, and other complications is a tall order. But it can be done, and it needs to be done.”
A common obstacle to delivering fast secure changes is staffing. “There aren’t enough of us,” said Rodriguez. “I’ve dealt with hundreds of companies and I’ve never heard anyone say they have enough people and their people are fully trained.” And as new technologies roll out at an ever-increasing pace, the problem is getting worse. “CI/CD, SASE, software-defined everything… we rarely get training on new things. We try to figure them out as we go.” All the while, the pace of business gets faster and the pressure on security and network teams gets more intense.
Is there a light at the end of the tunnel? Rodriguez says yes. “There are three things you can do to reduce risk in your hybrid environments, and none of them are revolutionary. They’re not paradigm-breaking. They are visibility, threat reduction, and automation. Do these today and you’re setting yourself up for an easier and better tomorrow.”
“You can’t secure what you don’t know,” said Rodriguez. “What if I owned some apartment buildings and I told you, ‘Hey, go protect my apartment buildings. I don’t really know where they all are. Talk to Joe, he might know.’ That would make your job really hard. And that’s what we’re dealing with in IT. We’re told to secure every single thing that’s out there but we don’t know what’s out there. And we’re not in charge of everything that’s out there, for example we’re not in charge of the cloud provider or SaaS vendors. But we still need complete visibility into everything that’s in our environment.”
Rodriguez said are a lot of great network scanning and discovery technologies on the market, and the cloud has a lot of native tools that will help businesses understand what’s in their environment. “But what you need,” he specified, “is something that can concatenate everything into one place.” Otherwise, the security and network teams end up clicking between consoles and trying to normalize massive amounts of disparate data, and there’s just no way to do that manually and maintain speed of business – or any degree of reliability or accuracy.
Rodriguez gave some examples of how using an automated discovery tool has helped real organizations. “We worked with a government entity that presumed they had about 150,000 endpoints. They had 170,000 thousand. That’s a 12 percent difference. A finance business thought it had 600,000 endpoints but they actually had twice that many, 1.2M.” These unknown endpoints could be infected with viruses or could have unsanctioned software on them. Their maintenance and security aren’t getting included in budgets.
“Just knowing everything that’s out there is a start,” said Rodriguez. “But you also want to know everything about that box – what software is it running, what it’s connected to, is it in compliance, when does it change, who changed it, are its rules overly permissive, is it allowing known vulnerabilities into the network, and so on. Only when the stragglers are brought into the fold can you manage them properly.”
Complete Visibility in a Nutshell: 5 Attributes
- Real-time visibility and change detection
- Zero blind spots
- No unnecessary access
- Every device on the network is identified and classified
- Every leak path is identified
“Once we have a nice, big inventory of everything in our environment, we want to take a look at the biggest threats and start getting rid of them,” said Rodriguez.
Reactive security is an outdated approach. “Nobody wants to nail the barn door shut after the horse has been stolen,” said Rodriguez. “We want to know what the impact of a change will be before we make it. So, for example, will introducing this new tool expose the environment to new vulnerabilities or break compliance? We want to know that in advance. We want to ensure new access is safe and compliant, and we want to reduce human error.”
5 Steps toward Threat Reduction
- Gain complete visibility
- Assess risk in real-time
- Prioritize vulnerability patching
- Perform real-time compliance checks
- Start knocking out threats
“There’s no way to keep up with changes in a hybrid environment using manual processes,“ said Rodriguez. “They just take too long and are too error-prone. You should be trying to eliminate manual processes entirely.”
Rodriguez said the biggest benefit he’s experienced from using automation in his security career was removing unneeded policies. “Now I don’t have my firewall guy sitting there at 2 a.m. during my dark window on a Saturday trying to poke in 20 different entries with 500 IPs.” No one can be expected to do that type of work and not make mistakes. But a computer can.
Rodriguez says there are two paths to automation. One is just in time automation, which follows the traditional change management process through different phases. “So, for instance, it’s possible to find out if an ACL change will cause new volatility during the design phase.” If it won’t, the change process is allowed to proceed to the next phase. The other approach is total automation, which tells the automation that as long as a change doesn’t break compliance or cause volatility, it’s okay to push it out.
Either approach will free up the highly-skilled people who are currently doing repetitive tasks so they can focus on doing more important and impactful work. Either approach will reduce human error and support compliance by automating configurations. And either approach will optimize efficiency and reduce costs.
4 Ways Automation Helps You Stay Secure
- Keep pace with network changes
- Run what-if scenarios for new access
- Reduce complexity by removing unneeded policies
- Remain compliant with real-time checks at every stage
Basic is Good because Basic Works
Four concrete actions businesses can take to achieving greater visibility, threat reduction, and automation are:
- Buy yourself a good discovery tool to figure out what you have
- Start figuring out where your vulnerabilities are in the network
- Assign a team to attack those vulnerabilities one at a time and you’ll see your threat level going down over time
- And while you’re at it, make some easy changes. Automate things that will give you the greatest benefit for the least amount of effort. This will free up your security team to actually go back into those vulnerabilities to start making your environment more and more secure.
Rodriguez added, “The three steps I’ve talked about today are basic, and basic is good because basic works. If you work on these three things – visibility, threat reduction, and automation – I promise you, you’re going to start having a better and safer tomorrow.”