Carson Sweet, Co-Founder and Chief Technology Officer of CloudPassage, discussed a new security model to address the challenges of security and compliance in a time when IT is accelerating.
Sweet began his thought leadership presentation at the 2017 Chief Information Security Officer Leadership Forum held on April 5 in Atlanta by stating he’d be talking about what happens to security and compliance when things start to accelerate in IT. “The four big problems we find in INFOSEC over the years that are challenging CISOs are 1) the emerging threat landscape, which is getting more complicated, 2) a regulatory environment that’s getting more complex, 3) insufficient people, resources, or money, and 4) accelerating IT.”
Sweet presented a slide containing the various components that make IT agile. “The key thing to keep in mind is that all these components drive more velocity in IT, higher rates of change, and more distributed assets in your environment,” he said.
“We see this manifesting in organizations wanting to modernize their data center; convert traditional manual processes to software defined data centers where infrastructure is programmable, scriptable, and can be automated; and have IT is a service," Sweet observed.
“Delivery automation is huge. It’s about taking deployment times from weeks or months down to days, hours, or even minutes. This is an innovation requirement for industries today. I call this the Apple Effect—the need for companies to continuously innovate to satisfy consumers and other businesses,” said Sweet.
“Delivery automation is huge. It’s about taking deployment times from weeks or months down to days, hours, or even minutes. This is an innovation requirement for industries today.”
“All of these things are great for business, but they create challenges for security. Migrating to Agile is a multiyear process for organizations—five to ten years to go from Mode 1 (legacy) to Mode 2 (Agile). Mode 1 is the traditional, waterfall, risk-management-oriented, slow-moving IT process. Mode 2 is a startup-oriented, fast process that embraces risk. You have to be able to support both.”
“All of these things are great for business, but they create challenges for security. Migrating to Agile is a multiyear process for organizations—five to ten years to go from Mode 1 (legacy) to Mode 2 (Agile).”
Sweet continued, “Mode 1 has specific infrastructure and operational challenges. It was a hardware environment with, maybe, one virtualization stack. It was a fairly straightforward model with firewalls and everything on the inside that was fairly safe. The next step was the move to the private cloud or software defined data center. Now multiple virtualization stacks appear with different capabilities, risk profiles, vulnerability management needs, and access-control needs. When automation tools are added that increase the rate of change, the rate of change inside the data center goes through the roof, and this rate of change generates risk. When public cloud is introduced, this creates an even more complex, distributed, and complicated environment,” he said.
“When automation tools are added that increase the rate of change, the rate of change inside the data center goes through the roof, and this rate of change generates risk. When public cloud is introduced, this creates an even more complex, distributed, and complicated environment.”
“Moving from Mode 1 to Mode 2 also completely changes the application development process. Business units are driving the bus now. IT can’t stand in front of innovation and stop it. Security must evolve to support both of these models. Adoption of Agile IT delivery models makes Agile security an enterprise imperative,” he emphasized.
Gartner and Forrester have identified a new model: cloud workload security, which is:
Fully REST enabled
“Security has to become harmonized with the way that cloud and Agile work. Security deployed at the network level is less valuable because it’s not portable and elastic; security deployed inside the workload (the server) becomes portable. Instead of securing the place, we’re securing the things—wherever they go and however much they multiply,” said Sweet.
“Cloud workload security platforms provide a single location that can handle security, visibility, compliance monitoring, and all the things you need to do. More importantly, it can handle both public IaaS and private cloud/SDDC simultaneously.”
ABOUT CARSON SWEET:
Carson Sweet is Co-Founder and Chief Technology Officer for CloudPassage. As founding CEO, Carson led the team that created Halo, the patented security platform that changes the way enterprises achieve infrastructure protection and compliance. Carson's information security career spans three decades and includes a broad range of entrepreneurial, management, and hands-on technology experience. Carson and his teams have created groundbreaking security solutions across a range of industries and public sectors, with a heavy focus on financial services, federal government, and high-tech. Carson focuses on long-term product, technology, and business strategy as CloudPassage expands market share through existing and emerging cloud security solutions. He also serves as chairman of the CloudPassage board of directors.