Agile security at the speed of business is simply a concept where security is thought of as part of the design from end to end. Otherwise, systems must be patched, updated and modified along with other solutions to piece together a secure environment.
Adding a layer of security is probably the cheaper way to go, at least at first, but having several different appliances that must be managed as one-off point solutions makes the environment overly complex and adds costly overhead. This raises the total cost of ownership and leaves a business dependent on the vendor or vendors that sold the solution. Integration with these appliances that weren’t part of the design from the start will almost certainly leave gaps that bad actors can exploit.
Speed Before Security
It’s safe to say that historically, security has been an afterthought, and the possibility of a security breach and the penalties that would follow have been less of a concern than the possibility of slowing down the business with a strict security protocol.
Security practitioners are faced with the challenging task of making sure every part of the architecture is as safe as possible (reducing risk to an acceptable level) without slowing down the speed and growth necessary for modern businesses. This has been true for the entire digital age with the invention of the internet and how quickly it was adopted as a platform for outreach, sales and marketing. Security was a secondary concern, and the only thing that mattered was getting the business online.
Jump forward to cloud adoption, and even though we know more about cybersecurity threats, it comes down to the fact that businesses are still hosting their data on someone else’s servers and relying heavily on them for security, sometimes to a fault.
For example, in the Department of Defense (DoD) AWS breach, security was only as good as the people implementing it. The DoD had all of the proper systems in place, along with their AWS hosts, but a contractor left the S3 storage publicly accessible, and top-secret data could be downloaded along with the system image that was used for Linux-based virtual machines.
Businesses have always had a defined perimeter of strong outer defenses, but cloud computing, if not designed properly, is flat – allowing for unchecked lateral movement. The threat landscape is ever-changing, and the focus has shifted from keeping the attacker out (which, of course, is still important) to “What do we do and how will we know if they are already in?”
Putting Security First
Bringing security professionals into the business conversation as early as possible will allow them to lay out a plan where the business can grow but also be secure, making sure that all of the proper counter-measures are in place so that as the company’s footprint grows on-premises or in the cloud, the attack surface remains as small as possible.
Privileges need to be minimized, interactive access should be monitored and controlled, and all network traffic should be treated as untrustworthy. Organizations need to adopt a “zero-trust model” and proactively inspect all network traffic to validate the authenticity of user activity.
Securing Your Future
Businesses in any vertical take cybersecurity seriously when forming a company or continuing business planning at the C-Level. It is on the checklist when leadership teams meet to form the business strategy. For companies formed before cybersecurity was a critical necessity, security has been frosted on bit by bit. This can create safety gaps that cybercriminals are looking to exploit. But whether security has been baked in or frosted on, all organizations will benefit from following the steps outlined above.