Many security leaders are losing their sense of purpose as development teams increasingly meet security needs using automation and API-based integration with cloud-based security tools, a global cloud-security expert has warned.
The need to redefine security’s role had arisen as new, cloud-based application delivery models embolden development teams, Trend Micro senior vice president and general manager for cloud and data centre security Bill McGee told CSO Australia.
Security teams, in turn, run the risk of stalling that transformational momentum if their security tools and practices are seen to be impeding application development and deployment.
“When companies are extending to a cloud environment or buying our product for securing public cloud environments,” he explained, “they face the challenge of ensuring that security teams don’t slow down those teams that have moved to the cloud, from delivering business outcomes more quickly than they have in the past.”
“There is a bit of a conflict and, potentially, an identity crisis for security teams in terms of what their purpose is. They have to change their mentality.”
The need for change was flagged in the recent Oracle-KPMG Cloud Threat Report, which found that 93 percent of CISOs are dealing with rogue usage of cloud applications – and that fully 90 percent of CISOs are uncertain about their role in securing a cloud-based software as a service (SaaS) environment.
That confusion had increased due to perceptions that SaaS security could be effectively managed outside of the purview of the security organisation.
Fully 73 percent of respondents to that survey said cloud platforms offer a more secure environment than they can provide on-premises – muddying the value proposition for CISOs who have been wrestling with ways to extend security protections to increasingly autonomous and capable cloud platforms.
The severity of the challenge had surged as increasingly sophisticated development tools, such as Trend Micro’s Deep Security Smart Check, allowed application security to be applied to containers and deployed within the development pipeline alongside – or as part of – cloud-based applications.
Embedding those protections into the cloud platform means “there is no host that the customer needs to worry about anymore,” McGee said, “because the cloud infrastructure vendor is taking care of that host. For organisations deploying applications in that way, it quickly becomes an application security problem.”
That application-security problem meant embedded and cloud-hosted security tools were, in turn, forcing security teams to shift their attention to security and audit policy – and to establish relationships with new cloud-operations groups.
“With automation the actual effort to deploy security technology is actually a lot lower than it has been in the past,” McGee explained, noting the value of emerging automation technologies such as runtime application self-protection (RASP).
“Application containers are forcing a breakdown of the barrier between security teams and application development teams,” he continued, “and a security team is only going to be successful if they can communicate back to development in ways that development cares about.”
Deciding just how that communication should occur remains a challenge for CISOs and will vary from one organisation to the next.
Yet many cloud-hungry line-of-business leaders ultimately relent and bring cloud-based security tools back in-house, McGee noted – fostering a hybrid strategy that allows security teams to reassert a degree of strategic primacy.
“Many organisations need to be in a position to use different cloud environments for different purposes,” he said. “The cloud has enabled significant-sized development teams to deliver very powerful software solutions themselves – and security teams have to change their mentality about what their value is to the organisation.”