As one surveys the technology landscape to understand what has emerged out of the constant churn of the last decade, two developments, in particular, stand out for enterprise practitioners. First is the matter of advancing complexity, pure and simple. No matter whether one is focused on ensuring properly performant and resilient infrastructure, on preventing data loss, or on enabling vastly quicker software time to market – all especially critical as organizations engage in cloud-focused digital transformation activities – management of IT assets and outcomes has never been a more fraught or complicated affair.
Appreciating this requires looking no further than to the hundreds of cloud-based services offered by today’s providers. Whether considering compute functions, storage, networking, data management, security, or containerization, the array of options before us has never been greater in number nor in potency. Likewise, never have the challenges of managing tech environments effectively been as demanding as they are now. Certainly, IT organizations have never been confronted with such a daunting combination of new technologies to master, or in such a compressed timeframe.
Compounding all of this is the equally significant matter of advancing cyber risk. Cybercrime is nothing new of course. It has been with us in the enterprise for at least a quarter-century now. And yet, as with everything else, here again, the Cloud continues to change everything we once thought we knew. As applications and their workloads move from on-premises to Cloud frameworks, and as operational environments come increasingly to encompass both in varying degrees of hybrid public and private mixes, risk factors have multiplied substantially.
It’s no surprise, then, that this dual focus on confronting complexity while ensuring security is top of mind for today’s technology managers. It was also precisely to this set of challenges that Sandy Bird and I turned in our conversation last month as part of ONUG’s ongoing series of webinars in 2020 and ’21 on exploring enterprise cloud governance.
As CTO and Co-founder of Sonrai Security, a cloud-based security services startup that provides enterprises with the means to both understand and address their specific security shortfalls, Sandy has spent a good deal of time and energy – creative, intellectual, and clearly highly productive energy – delving into the multitude of complexities referenced above. Our exchange on the subject of data loss, available here, offers insights not only into the current state of cloud security but a framework for constructing a high efficacy solution set aimed at righting enterprise security profiles.
The heart of the problem, and of the solution, lies not simply at the network’s front door, as old-school perimeter-focused security long asserted, nor simply with the multiple appliances and components that reside beyond, but with something more fundamental – with the very identities of every aspect of an enterprise’s technology stack, of the security profiles we associate with those identities, and with the trust relationships we create between and across these entities. These include everything from the very concrete and tangible and generally straightforward identities we establish for “users and groups,” for example, to the much more involved, cumulative identities that accrue at the intersection of end users, applications, databases, hosting platforms, physical and virtual network entities, and all relationships that bind them together into a functioning whole.
The great challenge is in comprehending precisely that – the entirety of the beast we have created. In many respects, this creation has been highly conscious (“this application must be available to business unit Ω”) but in others, it has been less so; indeed, as applications, hosting platforms, and networks grow and evolve to meet the demands of a global workforce, the consequences of combining new resources with legacy systems, of aggregated and accumulating access, can create unintentional outcomes.
Clearly, understanding the potential security vulnerability of one component, a physical or virtual server, say, equipped with a particular operating system, is typically not in the top tier of our security challenges. This isn’t to say that inadequately patched servers or appliances cannot bring a business to its knees. They can, and do, with alarming frequency. Even now. Rather, it is in getting one’s arms around the sum total of configurations, access privileges, and trust relationships, and more, that comprise an enterprise’s overall security profile where mere mortals fall short. Long gone are the days when a lone network engineer or administrator could map out on a whiteboard the entirety of a Fortune 2000 company’s network, complete with IP address ranges at the router and switch level. The task is now simply too enormous.
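To make the "sum total of trust relationships" point concrete, here is an added example that is not from the webinar or from Sonrai's product: a small constructed identity graph (hypothetical names) in which access to a data store accumulates through a chain of role trusts nobody intended, and a transitive walk that surfaces which principals can reach a given resource and how.

```python
from collections import deque

# Constructed sample graph (hypothetical names): each key trusts or grants
# access to the entities in its set. Edge kinds are deliberately mixed
# (user->role, role->role trust, role->data store) to mirror the cumulative
# identities the text describes.
TRUST_EDGES = {
    "user:alice": {"role:dev"},
    "role:dev": {"role:ci-deploy"},          # legacy trust nobody revisited
    "role:ci-deploy": {"role:data-reader"},
    "role:data-reader": {"db:customer-pii"},
    "user:bob": {"role:analyst"},
    "role:analyst": {"bucket:reports"},
}

def reachable(start, edges):
    """Breadth-first walk; returns {entity: path} for everything start can reach."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in paths:             # first visit is a shortest path; also stops cycles
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def who_can_reach(resource, edges, prefix="user:"):
    """Map every principal with the given prefix to its shortest trust path to resource."""
    result = {}
    for principal in (n for n in edges if n.startswith(prefix)):
        paths = reachable(principal, edges)
        if resource in paths:
            result[principal] = paths[resource]
    return result

def flag_long_paths(resource, edges, max_hops=2):
    """Principals whose only route to resource runs through more than max_hops trust hops:
    the accumulated, likely unintended access the text warns about."""
    return {p: path for p, path in who_can_reach(resource, edges).items()
            if len(path) - 1 > max_hops}

if __name__ == "__main__":
    for principal, path in who_can_reach("db:customer-pii", TRUST_EDGES).items():
        print(principal, "reaches db:customer-pii via", " -> ".join(path[1:]))
```

On the sample graph the analyst cannot reach the PII store at all, while the developer reaches it four hops away through a stale deployment trust; that is the kind of finding a whiteboard review of a real estate would never catch.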
And so we have to approach the modern network with both a new mindset and a new toolkit. Using the phraseology now current, the solution is all about observability – understanding in deep detail one’s entire business technology stack – and automation – building an intelligent response framework that moves well beyond the capabilities of the traditional network environment. These are the challenges faced by all modern enterprise technology managers. They are also the challenges that Sandy Bird and Sonrai seek to meet. The conversation we present now can be leveraged to get started in building that higher efficacy, full intelligence cloud security profile that we all need and the data loss prevention we all require.
If you haven’t already, it is indeed time to jump in, as Sandy puts it here, “with both feet in the future.”
To hear the webinar in its entirety, it is available here. Sandy and I review the foundational use of cloud-native security controls in AWS, Azure, GCP, and Kubernetes. We talk about the struggle to determine when and how to use these native security controls, how to manage them consistently, and how and when to modulate these controls to ensure continuous security, governance, and compliance to prevent catastrophic data loss.