Hybrid cloud infrastructure brings competitive and strategic advantages, but also potential security breaches that legacy security just can’t match. Learn more about the advantages of the hybrid cloud, and how to protect your data with automated and application-centric security practices when you catch up on this VB Live event!
“I can understand why some people ask at a category level, Why are we still talking about security?'” says Demetrius Comes, vice president of engineering at GoDaddy. Many wonder, ‘Shouldn’t we have solved this problem already?'”
He goes on to say, “The issue is that the risks and vulnerabilities keep changing with every new advancement we make in technology, and every time we bring new customers onto any product or platform that we build. Customers constantly demand simpler systems to use, which means we’re building more complex systems to make complex problems simpler to deal with. We’re gathering more data. The technology we use to build those applications is getting more complicated, or at least changing from one year to the next, which means securing it has to change at the same time. And while the tools are getting better, the technology is changing, which means everyone has to keep up with a broader base of technology to understand how to secure and how to move forward from there.”
“The challenge has always been there,” adds Neil Ashworth, security solutions architect at Nutanix. And it’s growing. Ashworth points out the significant vulnerabilities or exploits happening in 2017, including the Experian leak, where we saw more than 140 million Social Security numbers released into the wild. In 2018, the same types of vulnerabilities were being exploited with Marriott. Publicly it was an unauthorized access to the data center, but potentially it meant that more than half a billion guest information records were compromised. The Exactis breach, which saw two terabytes of data accidentally relocated to a public domain, potentially released more than 340 million users and business records to be compromised.
And not only that — we’re actually seeing an evolution in the types of security threats we see in the wild, Ashworth says. These exploitative techniques that were historically, say, web injection vulnerabilities, or something we were seeing in Apache and Java, in 2018 evolved to much more sophisticated side channel exploits affecting areas of the data center that were always considered secure.
“This is why it’s always a continuing conversation,” he continues. “Not only are we still seeing similar types of vulnerabilities affecting our systems, causing cataclysmic exposure of data, we’re actually seeing an evolution in the types of vulnerabilities that affect our technology.”
And the underlying motivation can’t be pinned on just one kind of evildoer, Comes points out. Some of them are curious by nature and purely in it for the thrill of the hunt, and others are all about financial gain.
But no matter why or how, from an enterprise or business perspective, it’s significantly detrimental to business, whether it’s harm to the brand from having lost customer data, or actual financial losses or downtime.
“The net of it is, we need to think about security at an enterprise level,” says Mike Wronski, principal marketing manager at Nutanix. “So who owns security? Is it the cloud provider, the enterprise, or the security team?”
“The generally accepted answer, or the politically correct answer, would be that it’s everyone’s responsibility,” Ashworth says. “I believe that’s true to an extent, but with a major caveat.”
Since companies aren’t democratic, but totalitarian in nature, Ashworth believes a top-down approach to security has to be the ideal scenario. Security has to be recognized as intrinsic to the fabric of IT business continuity, rather than an impediment to IT goals. If a strong culture for security exists within a company, you can be assured that security is thought of at all levels, from the end user being able to recognize spam, to good sec ops within the QA process.
“End users, security staff, managers, executives, it begins at the top and comes down,” Ashworth says. “It begins with the culture of the company, I believe. But it’s also everyone’s responsibility, just to make sure that that appropriate security culture exists. That will allow the fostering of a security mindset.”
Comes agrees that it’s a definitely a top-down thing, but we’re entering a stage right now where the power has shifted, and we can get a better hold on security from a development standpoint than we’ve had in the past several years.
“But this is a pendulum thing,” he says. “The evildoers get a hand up and then we get it back and it swings back and forth. But as we move toward DevOps, if we train our development teams more and move toward sec ops, if we take this knowledge we’ve built up on premises in our centralized security teams and our centralized SRE teams, and we distribute that to our development teams, we can start to focus and narrow the attack surfaces for the evildoers.”
But that means we’re asking a lot of these development teams, he adds. As we move them out to a cloud, we tell them we have to move toward a distributed model, and they’re going to have to own their own budget, own their own security, own their own operations of their product now, because we’re moving that away from a centralized model.
“As we do that, we can use those centralized security services to build templates,” Comes explains. “GoDaddy’s partnered with AWS. We use their service catalog and cloud foundation services that allow us to basically will into reality a signed-off template for security fore every team, for their infrastructure, and for their operational readiness of their product going out.”
He explains that the value of that is that these development teams are at least starting from a point where their network is secure, their infrastructure is secure, their basic architecture minimizes the number of attack surfaces, and they don’t need to think about that.
“Now maybe we’ve freed up enough time in any team’s development cycle just to keep the business running, because if we don’t keep the business running then there’s no money to pay the people to actually do all of this stuff we’re talking about,” he adds. “Then we can start automating static security analysis, fuzz testing on every deployment, take the same rigor we’ve built up in unit testing and integration testing and all the TDD type methodologies and layer in security on top of that for every team on every build on every deployment. I think we can start moving in the right direction.”
So it speaks to education for the engineers, but also setting up an environment where if they aren’t fully educated, there are standards and structures around them that will help them get there, he continues.
“Cloud shifts the way we think,” Wronski adds. “Something that should be clear to anyone attending this session is that the same old processes aren’t going to cut it as you move to hybrid multi-cloud or 100 percent cloud. You need to go back and re-architect and rethink everything.”
To dive deep into the security best practices you need to know, from cloud formation templates that help you audit security in the cloud to the lift and shift model, application sprawl, governance, multi-cloud solutions, the issues around public clouds, and even more, catch up now on this VB Live event.
- Why you need a single, fully tested, security-first infrastructure platform
- How to converge storage, computing, and networking
- A full understanding of security best practices
- How to protect against data breaches, unauthorized access, and other threats in a multi-cloud world
- Demetrius Comes, VP of Engineering, GoDaddy
- Mike Wronski, Principal Marketing Manager, Nutanix
- Neil Ashworth, Security Solutions Architect, Nutanix
Sponsored by Nutanix