Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

11/15/2017
03:10 PM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

Should Security Silos Still Stand?

DevSecOps would tear down every functional silo in security. Is that a good thing, or do corporate silos still serve a valuable purpose?

DevSecOps needs a big shake-up. Given IT security's rich heritage, the "security as code" movement is fairly freshly minted. Yet already it is simply not working as well as it should in practice.

The main issue stems from the way that operations, security and development work together. Recent history has taught us that security has taken a fairly tight rein in the three-way group, operating at one end of the DevSecOps continuum. At the other end, development has been frustrated and feels like its wings have been clipped. There needs to be a happy medium in this dynamic.

That's according to PJ Kirner, founder and CTO at Illumio -- considered a unicorn company -- a firm that segments data centers in order to adaptively try and stop security threats. [Editor's Note: A "unicorn company" is a startup company valued at $1 billion or more.] "The DevSecOps shift of control from Ministry of Security, aka 'the department of no,' to the model where the developer can do anything and everything, was an overcorrection," he said. "Next year, we will realize that that this should not be a democratizing movement (where) everyone gets a vote, but rather more of a republic model."

His view is that collaboration and productivity is undermined if security has too heavy a hand, but that the act of de-siloing to encourage constant software development should be done from a safer place.

"What I think is a challenge is that some people really take that to an extreme, and say, 'all these resources and all of these people are completely fungible'," Kirner told SecurityNow. "The level of expertise needed and the respect for the expertise has kind of gotten lost within the organization in the desire to break down the silos."

Organizations are apparently struggling to define exactly when de-siloing makes sense, and where expertise is critical to making projects successful. No one person is a subject matter expert in development, security and operations, so the real skill is being able to make good judgment calls, and not relying on a set-in-stone playbook or a rigid team structure.

It seems like next year will be a busy one for security. Alongside fixes for DevSecOps, Kirner foresees major changes in Personal Identifiable Information (PII) security. Few would disagree this has been an annus horribilis for widespread PII theft that has generated a black cloud on the horizon as people hunker down and hope their details have not gone missing.

There's a good case for reasoning that, in total, the majority of US citizens will have been affected by a combination of big attacks such as Equifax, Deloitte and Sonic Drive-In. It seems inevitable that this black cloud will soon burst, washing away countless identities.

"Our Identity is no longer ours. PII is no longer valid, since so much of it has been exposed in breaches over recent years," he said. He expects that the data stolen to date will be repurposed into another phase of attacks. For example, it could be weaponized to use in attacks on major institutions in the government, healthcare or financial verticals. The main danger here is that, because of the richer identity picture that hackers have been able to build over time, phishing and social engineering attacks -- already remarkably successful -- will become even more difficult to distinguish from the real thing.

"The scary part is that so much data has been lost -- huge pieces of people's lives," said Kirner. "Organizations needs to start taking securing their customers' data much more seriously. We need more agile and adaptive security controls that move at the real pace of the business."

One area of improvement, given that cyber-attacks are rampant, is to move into a damage control mode before an attack happens. Illumio specializes in micro-segmentation of data centers, essentially enabling businesses to containerize and thereby limit or totally isolate an attack before it spreads.

"If someone's building a submarine, and there's only one compartment, there's a breach, the ship sinks, and everyone is killed. But say you build a set of redundant compartments. Then if there's a breach, you close off the affected compartment and corral everyone to the mess hall. Everyone lives."

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...
CVE-2020-8247
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...