Even before the pandemic, most organizations were working on executing digital transformation plans. In many cases, this included migrating workloads to new modern architectures such as private, public or hybrid cloud. As the challenges caused by COVID-19 became more acute, these organizations accelerated modernization plans for a variety of practical reasons. In fact, research from McKinsey & Company demonstrated that the pandemic accelerated digital transformation by seven years.
Initially, enterprises aimed to modernize infrastructure and security in parallel. However, once modernization began, infrastructure quickly accelerated and leaped ahead. In many instances, this acceleration was incentivized, making it even harder for security to catch up. For example, during an organization’s modernization project, every application investment could go either on a legacy or a modern (cloud) platform. There’s a budget for both, but in light of the pressure created by the pandemic, building on the legacy platform would take too long. To stick with the accelerated schedule, IT teams might be tempted to move the budget from the legacy to the modern platform to support new application development. This is all well and good — but what about the impact on security?
Bridging the Growing Security Gap
In the big picture, rapid modernization means organizations have adopted the cloud faster. The downside is that they weren’t ready to bring security along. Modern environments offer many benefits, for instance for developers. But developers aren’t likely to push security concerns to the front of the queue. For security professionals, the newer platform means less familiarity and less understanding of potential risks or threats. Narrowing the security gap means involving and interacting with additional teams and tools, which, while doable, is objectively more difficult.
Today, many organizations that accelerated their modernization plan without a corresponding leap in security modernization face a security controls gap and lack the critical skills required to catch up. To begin closing these gaps in security, controls, compliance and privacy, security professionals will need the cooperation of the cloud architecture team to obtain the privileges required to do what’s necessary.
Adapting Old Security Practices to New Platforms
Organizations face two principal risks from the security gap. The first is a data leak or data breach that can negatively affect an organization for years when you factor in formal investigations and remediations. The other is non-compliance.
To close the security gap after accelerated modernization, an organization must, at a minimum, follow data security practices. To begin with, when organizations move workloads quickly, they often lose track of where their sensitive data resides. To secure sensitive data, it’s important to have a good data catalog and to know where copies are, where snapshots may be, etc. Organizations must also have access control policies around their sensitive data. They must have audit trails, the ability to run data through forensics if needed, the ability to validate what entitlements are and reduce them, and the ability to check for vulnerabilities from an attack surface area perspective.
These aren’t new practices; what’s new are the modern environments. Not everybody knows how to apply these practices to the new environments, though, and this skills deficit is contributing to the ongoing security gap.
The Six W’s of Visibility
Compliance mandates are about visibility and security controls. Organizations must create a foundation layer of visibility into the data because it drives everything else. When making visibility the priority, more often than not, organizations will address most of their compliance requirements. Without sufficient visibility, they won’t know where the data is or what’s going on and won’t be able to mitigate security risks effectively.
To establish some level of baseline behavior, you must know the “6 W’s” of your data:
- Who’s accessing it
- What they’re doing with it
- Why they need it
- Where they’re accessing it from
- When they’re accessing it
- Which servers they’re using
Without this information, creating an access control policy is extremely difficult.
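One way to turn the six W’s into a baseline and flag departures from it, shown as an added example that is not part of the original article. The record layout, field names, sample values and function names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# The six W's as fields of one audit record (field names are assumptions).
SIX_WS = ("who", "what", "why", "where", "when", "which")

# Constructed sample audit trail: (who, what, why, where, when, which)
HISTORY = [
    ("svc-billing", "SELECT", "invoice-run", "10.0.4.12", "2024-03-04T02:10:00", "db-prod-1"),
    ("svc-billing", "SELECT", "invoice-run", "10.0.4.12", "2024-03-05T02:11:00", "db-prod-1"),
    ("alice", "SELECT", "support-ticket", "10.0.9.30", "2024-03-04T10:30:00", "db-replica-1"),
    ("alice", "UPDATE", "support-ticket", "10.0.9.30", "2024-03-05T14:05:00", "db-replica-1"),
]

def normalize(record):
    """Map a raw tuple to the six W's; 'when' is reduced to a time-of-day bucket."""
    event = dict(zip(SIX_WS, record))
    hour = datetime.fromisoformat(event["when"]).hour
    event["when"] = "business" if 8 <= hour < 18 else "off-hours"
    return event

def build_baseline(records):
    """Per principal, collect the values seen for each of the other five W's."""
    baseline = defaultdict(lambda: defaultdict(set))
    for record in records:
        event = normalize(record)
        for w in SIX_WS[1:]:
            baseline[event["who"]][w].add(event[w])
    return baseline

def deviations(baseline, record):
    """Return the W dimensions on which a new event departs from the baseline."""
    event = normalize(record)
    if event["who"] not in baseline:
        return ["who"]  # unknown principal: nothing to compare against
    seen = baseline[event["who"]]
    return [w for w in SIX_WS[1:] if event[w] not in seen[w]]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed event: known user, new source address, off-hours, new server.
    new_event = ("alice", "SELECT", "support-ticket", "203.0.113.7",
                 "2024-03-06T23:40:00", "db-prod-1")
    print(deviations(base, new_event))
```

The per-principal sets collected by `build_baseline` are also a starting point for an access control policy, since they record what each principal has actually needed.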
Another part of visibility is classification of data. For privacy regulation compliance, organizations must have a consistent and scalable way to discover and catalog sensitive data and make it ready for responding to subject rights requests. Inability to do this could result in consequences due to non-compliance with privacy regulations.
Rapid modernization has been a key factor for organizations looking to accelerate their digital transformation plans. However, the gap between modernization and security can grow increasingly wide if not addressed. Simply put, to avoid the risk of a substantial data breach or fine due to non-compliance, organizations must adopt a culture of visibility towards data and ensure the correct access control measures are in place.