Government guidance is helping CISOs impose controls on DevOps' cloud flexibility

Security staff must engage the business to bake security into cloud architectures, expert warns

The Australian government's progressive attitude towards cybersecurity policy has helped it join financial-services giants at the forefront of a booming information-security industry, the president of network-scanning giant Tenable Network Security has said, noting that the company's Australian operations continue to lead the Asia-Pacific market.

Australia is “our strongest market by far”, president and chief operating officer Jack Huffard recently told CSO Australia, with nearly a quarter of the company's Asia-Pacific staff based here and government and financial-services companies proving to be “pretty progressive” in formalising policy and technological protections against cybersecurity intrusions.

A key part of those protections was focused on finding ways to help tighten controls over DevOps capabilities that now allow enterprise environments to be grown and shrunk with a few clicks. This capability, Huffard said, needs to be constrained both with policies around deployment and management of new resources, and the ability to extend monitoring into virtualised workloads both on premises and in the cloud. “We're doing a lot of significant R&D to invest in the ability to secure the DevOps world,” Huffard said.

“We want to help CISOs understand that as they move their organisations to the cloud, they're going to have the ability to make sure that containers, or other things produced in applications, are released in a secure way.” The need for such control is escalating as architectures built around microsegmentation significantly increase organisations' investment in virtualisation technology – which must be tempered with readily manageable and scalable controls to maintain acceptable security levels across rapidly changing enterprise environments.

The key to ensuring this capability is in place comes from integrating security controls into virtual elements as they are created: “The DevOps world is pushing fast,” Huffard said. “They can create an app and push it to AWS and there's no other path it has to go through.” That flexibility empowered DevOps to rapidly produce and deploy “amazing” capabilities but it also put a new burden on security staff: “That's a tough place to be if you're a security guy,” he said.

Security “is not about pausing that [innovation]; it's just about making the development of the applications go through a process that has secure configurations attached to it.” Given that this process is necessarily being positioned as a fundamental part of development in the cloud era – a mandate for security is core to the Digital Transformation Office's (DTO's) Digital Service Standard – government leadership in this area has proven to be a catalyst for research and private-sector thinking about how to formally execute 'secure by design' mandates.
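The "process that has secure configurations attached to it" described above is, in practice, a policy gate that every workload definition passes through before it can be deployed. The following is an added example written for this article, not Tenable's product or text from the Digital Service Standard: it evaluates a Kubernetes-style deployment manifest (constructed inline as plain dicts so it runs offline) against an assumed minimal baseline of secure configuration, and blocks anything that fails. The rule set, label name and sample image references are assumptions chosen for illustration.

```python
"""Pre-deployment policy gate: block workload manifests that lack
secure configuration before they reach the cloud.

Added illustration, not Tenable's product or the DTO standard's text.
Manifests are constructed inline (Kubernetes-style, as plain dicts) so
the check runs offline; the rule set is an assumed minimal baseline.
"""
import re

# Image references pinned by digest, e.g. repo/app@sha256:<64 hex chars>
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_container(name, spec):
    """Return a list of policy violations for one container spec."""
    findings = []
    image = spec.get("image", "")
    if not DIGEST_RE.search(image):
        findings.append(f"{name}: image '{image}' is not pinned by digest")
    sc = spec.get("securityContext", {})
    if sc.get("privileged", False):
        findings.append(f"{name}: privileged container")
    if not sc.get("runAsNonRoot", False):
        findings.append(f"{name}: runAsNonRoot not set")
    if not sc.get("readOnlyRootFilesystem", False):
        findings.append(f"{name}: root filesystem is writable")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation not disabled")
    limits = spec.get("resources", {}).get("limits", {})
    if "cpu" not in limits or "memory" not in limits:
        findings.append(f"{name}: cpu/memory limits missing")
    return findings


def evaluate_manifest(manifest):
    """Evaluate a workload manifest; an empty list means it passes."""
    findings = []
    labels = manifest.get("metadata", {}).get("labels", {})
    # An accountable owner is what lets security reach the right team later.
    if "owner" not in labels:
        findings.append("workload has no 'owner' label (no accountable team)")
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    if pod.get("hostNetwork", False):
        findings.append("hostNetwork enabled")
    for c in pod.get("containers", []):
        findings.extend(check_container(c.get("name", "<unnamed>"), c))
    return findings


def gate(manifest):
    """Deploy gate decision: True to allow, False to block."""
    return not evaluate_manifest(manifest)


# Constructed sample: what a developer might push straight to the cloud.
FAST_PATH = {
    "kind": "Deployment",
    "metadata": {"name": "billing-api"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "example.test/billing-api:latest",
         "securityContext": {"privileged": True}}
    ]}}},
}

# Constructed sample: the same workload with secure configuration attached.
GATED = {
    "kind": "Deployment",
    "metadata": {"name": "billing-api", "labels": {"owner": "payments-team"}},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api",
         "image": "example.test/billing-api@sha256:" + "a" * 64,
         "securityContext": {"runAsNonRoot": True,
                             "readOnlyRootFilesystem": True,
                             "allowPrivilegeEscalation": False},
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}
    ]}}},
}

if __name__ == "__main__":
    for label, m in (("fast path", FAST_PATH), ("gated", GATED)):
        result = evaluate_manifest(m)
        print(f"{label}: {'BLOCK' if result else 'ALLOW'}")
        for f in result:
            print("  -", f)
```

Wired into a CI job or an admission controller, a gate like this is the "no other path" replaced with one path: developers keep their velocity, but the only route to the cloud runs through the baseline, and each blocked finding tells them exactly which setting to fix.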

“Government are coming around with these controls that are really well thought out,” Huffard said, “and these are being adopted by enterprises as a strategic way to think about operating their networks.” “Collaboration between research organisations in the governments about what are the right controls to have – and then having senior leadership talking about having something to measure how good and bad they are – is helping people get their arms around the situation.”

Failing to do so will leave businesses' computing infrastructure expanding in all directions without any mechanism to see what's going on in the new components. And that, Huffard warned, is where cracks quickly form. “Cloud networks are giving so much new capability to businesses that we want to make sure they can make the transformation as seamless as possible,” Huffard said. “Hackers live in the space between when you patch, scan, and do anything – which is why we are focused on visibility. We've brought a lot of technology to bear to remove those gaps and make your security posture more real-time. If you can't see it, you can't secure it.”

Tenable has long leaned on government guidance to help keep its products business-relevant, for example building the often-discussed Top Four Australian Signals Directorate (ASD) strategies into its SecurityCenter Continuous View Dashboard. “The cloud is coming in with more velocity than most people think,” Huffard said. “In the last six months our conversations [with customers] have really picked up. At the end of the day, we want CISOs to be able to go to the CEO and say 'yes, we are secure – not only on premises but also in the cloud'.”

“That's going to take some really hard work, and a lot of new technologies and processes; it takes a lot of different types of sensors on the network to give you a true sense of your entire enterprise. But we have innovated around the continuous collection of data, and we will do the same thing for the cloud world.”

