In this blog, we look at how taking a Zero Trust approach to developing and provisioning apps can help to prevent security breaches.
Guest blog from Simon Minton, Global Cyber Security Advisor at Cisco
The security threat of using apps
Sharing meeting notes. Processing customer transactions. Logging expenses. Signing contracts. More and more business processes are getting the app treatment. And that means more and more data is being exposed to potential security threats.
How businesses are using the cloud
To ensure apps deliver on stakeholders’ agility and efficiency expectations, organisations are increasingly using the cloud to provision functionality to users both in the workplace and beyond. Apps aren’t just being provisioned via the cloud; they are being developed in the cloud too – and that introduces another layer of complexity and risk.
Cloud-native development enables organisations to build and update apps quickly. But the speed at which apps evolve can result in security being overlooked – especially as organisations increasingly bring application development back in-house due to its strategic and competitive importance.
Join the DevSecOps revolution
The need to balance security with agility has given rise to a new operating model in the app development world. DevSecOps isn’t just about adopting new processes and tools; it’s about adopting a new mindset in which everyone in the app lifecycle is responsible for security – whether they are a developer, a business stakeholder or a user.
What is DevSecOps?
DevSecOps shifts security from a bolt-on activity late in the process of application development, when much of the architecture has already been defined, to a fundamental part of the design, build and continuous delivery.
In order for DevSecOps principles to take root in an organisation, developers need to be encouraged to take ownership of security, much like they are incentivised to develop metrics around application availability and performance.
Reducing the impact of data breaches when using apps
Most data breaches arise from two interlinked scenarios: exploitation of the application itself, exploitation of the infrastructure hosting the application, or both. Several recent high-profile breaches occurred because of a misconfiguration of the supporting cloud infrastructure. The shared security model adopted by all cloud providers puts the onus on their customers to ensure that cloud services are properly configured.
Ensuring developers and IT security teams work together to proactively remediate misconfigurations in an application or its infrastructure can help to reduce the impact of an incident or breach. Data analytics will be increasingly important for both teams when pinpointing application and cloud misconfigurations as well as malicious activity.
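The misconfiguration class described above (publicly readable storage, administrative ports open to the whole internet, storage left unencrypted) is exactly the kind of thing a joint developer/security check can catch before deployment. The following is an added example, not code from this post or from any Cisco product: it audits a small inventory constructed for illustration, whose record shapes only loosely resemble the bucket-policy and security-group formats of the major cloud providers, and every resource name, account id and rule id in it is a placeholder.

```python
"""Audit a constructed cloud inventory for common misconfigurations.

Added example: the inventory, the rule names and the severities are assumptions
made for this post; they are not taken from a real account or a real tool.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed inventory (placeholder resources, not real ones).
INVENTORY = {
    "buckets": [
        {   # world-readable via "Principal": "*" in an Allow statement
            "name": "customer-exports",
            "encryption": True,
            "policy": {"Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": ["storage:GetObject"]}
            ]},
        },
        {   # restricted to one role, but encryption at rest is off
            "name": "build-artifacts",
            "encryption": False,
            "policy": {"Statement": [
                {"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::000000000000:role/ci-placeholder"},
                 "Action": ["storage:*"]}
            ]},
        },
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "ingress": [{"port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"},
                                       {"port_from": 0, "port_to": 65535, "cidr": "10.0.0.0/8"}]},
        {"id": "sg-db", "ingress": [{"port_from": 0, "port_to": 65535, "cidr": "::/0"}]},
    ],
}

# Remote-administration ports that should never be reachable from anywhere.
ADMIN_PORTS = {22, 3389, 5985, 5986}


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str


def _is_public_principal(principal):
    """True for the wildcard principal forms that grant access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for v in principal.values())
    return False


def _is_world_cidr(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_buckets(buckets):
    findings = []
    for b in buckets:
        if not b.get("encryption", False):
            findings.append(Finding(b["name"], "bucket-unencrypted", "medium"))
        for stmt in b.get("policy", {}).get("Statement", []):
            if stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal")):
                findings.append(Finding(b["name"], "bucket-policy-public", "high"))
                break  # one finding per bucket is enough
    return findings


def audit_security_groups(groups):
    findings = []
    for g in groups:
        for rule in g.get("ingress", []):
            if not _is_world_cidr(rule["cidr"]):
                continue  # internal source ranges are out of scope here
            lo, hi = rule["port_from"], rule["port_to"]
            if lo == 0 and hi == 65535:
                findings.append(Finding(g["id"], "sg-all-ports-world", "high"))
            elif any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(Finding(g["id"], "sg-admin-port-world", "high"))
    return findings


def audit(inventory):
    """Run every check and return the combined list of findings."""
    return audit_buckets(inventory["buckets"]) + audit_security_groups(inventory["security_groups"])


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.severity:6} {f.rule:24} {f.resource}")
```

Run against the constructed inventory it reports four findings: the public bucket policy, the unencrypted bucket, SSH open to the world on the admin group and every port open on the database group; the web group's HTTPS rule is deliberately left alone, since a world-facing 443 is usually intentional and is a judgement call rather than a hard fail.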
Monitoring solutions that leverage machine learning and behavioural modelling can provide visibility of activity not only on the network but also within the development environment and across cloud resources – which can act as an early warning of a potential security breach on an app or within the broader ecosystem.
For example, Cisco Stealthwatch collects and analyses network and cloud telemetry and correlates threat behaviours seen locally within the enterprise with those seen globally to detect anomalies that might be malicious.
To trust or not to trust?
Advanced threat detection solutions can also help to identify policy violations and misconfigured cloud assets that could compromise the future security of an app. But visibility into potential app vulnerabilities needs to go one step further.
With internal and external developers increasingly using internet-based open source elements, such as software libraries, to accelerate time-to-market, apps have become a patchwork of unseen – and often unknown – components. All of which could introduce unexpected risks and dependencies.
Around 80% of an enterprise application is created using open source software libraries downloaded from the internet. Organisations often have very limited understanding of the risks inherent in these libraries or lack the policies needed to remediate known vulnerabilities.
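Knowing which libraries an app pulls in, at which versions, and whether any of them carry a known advisory is the first step towards the policy the paragraph says most organisations lack. The following is an added example, not code from this post: it parses a small requirements-style manifest and matches each pinned version against a list of advisories. The package names, advisory ids and affected ranges are all constructed placeholders, and a real check would fetch advisories from a vulnerability database; the range matching and the handling of unpinned entries are the point.

```python
"""Match a dependency manifest against a list of known advisories.

Added example: the manifest, the advisory entries and the version ranges are
constructed placeholders for this post, not real packages or real advisories.
"""
import re

# Constructed requirements-style manifest (placeholder package names).
MANIFEST = """\
# build dependencies for the example app
acme-http==2.19.1
acme-crypto==1.26.5
acme-yaml
acme-templating==2.11.3
"""

# Constructed advisories; "affected" is a comma-separated list of clauses,
# each an operator followed by a dotted numeric version.
ADVISORIES = [
    {"id": "ADV-0001-PLACEHOLDER", "package": "acme-http", "affected": "<2.20.0", "severity": "moderate"},
    {"id": "ADV-0002-PLACEHOLDER", "package": "acme-crypto", "affected": "<1.26.5", "severity": "high"},
    {"id": "ADV-0003-PLACEHOLDER", "package": "acme-templating", "affected": ">=2.0,<2.11.3", "severity": "high"},
    {"id": "ADV-0004-PLACEHOLDER", "package": "acme-yaml", "affected": "<5.4", "severity": "critical"},
]

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """Dotted numeric version -> tuple of ints, so tuples compare correctly."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return {name: version-or-None}; None means the line was not pinned."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)(?:==([0-9.]+))?$", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def version_affected(version, spec):
    """True when every clause in the spec holds for the given version."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"^(<=|>=|<|>|==)([0-9.]+)$", clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def check(manifest_text, advisories):
    """Report pinned dependencies inside an affected range, and unpinned ones."""
    deps = parse_manifest(manifest_text)
    report = {"vulnerable": [], "unpinned": []}
    for name, version in deps.items():
        if version is None:
            # An unpinned dependency cannot be assessed and will drift on rebuild.
            report["unpinned"].append(name)
            continue
        for adv in advisories:
            if adv["package"].lower() == name and version_affected(version, adv["affected"]):
                report["vulnerable"].append((name, version, adv["id"], adv["severity"]))
    return report


if __name__ == "__main__":
    for entry in check(MANIFEST, ADVISORIES)["vulnerable"]:
        print("vulnerable:", *entry)
    for name in check(MANIFEST, ADVISORIES)["unpinned"]:
        print("unpinned:", name)
```

On the constructed manifest only acme-http is flagged: acme-crypto and acme-templating sit exactly on the upper bound of their ranges and so are not affected, and acme-yaml is reported as unpinned rather than as safe, because a version that is not fixed cannot be assessed at all.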
Adopting a Zero Trust approach to app development
By adopting a Zero Trust approach (where everything must be validated before it can be trusted) to app development, organisations will be able to identify potential security flaws much earlier. This will not only save time and money but also avoid reputational damage.
A Zero Trust approach can also be extended beyond the development stage to the entire lifecycle of the app. Users and devices accessing apps also need to be regularly validated to ensure they are not trying to launch an attack or steal data.
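To make "regularly validated" concrete: in a Zero Trust model every request is evaluated against the identity presented, the posture of the device it comes from and the sensitivity of the app being reached, with no standing trust carried over from an earlier check. The following is an added example, not code from this post or from any Cisco product; the attribute names, the three app tiers, the re-authentication windows and the patch-age limit are assumptions chosen for illustration.

```python
"""Per-request access decision in the Zero Trust style.

Added example with assumed policy values: every request is checked against
identity, device posture and app tier, and a stale or weak authentication
yields a step-up rather than an allow.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # identity is valid but must re-authenticate / add MFA
    DENY = "deny"


@dataclass
class Identity:
    subject: str
    mfa: bool           # was multi-factor used for this authentication?
    issued_at: int      # seconds since epoch
    expires_at: int


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


# Assumed policy: how old an authentication may be before it must be repeated.
REAUTH_WINDOW_S = {"low": 8 * 3600, "medium": 4 * 3600, "high": 15 * 60}
MAX_PATCH_AGE_DAYS = 30  # assumed compliance threshold


def device_compliant(device):
    """Posture check: managed, encrypted and patched within the window."""
    return device.managed and device.disk_encrypted and device.patch_age_days <= MAX_PATCH_AGE_DAYS


def evaluate(identity, device, app_tier, now):
    """Return (Decision, reasons) for one request at time `now`."""
    reasons = []
    if now >= identity.expires_at:
        return Decision.DENY, ["token expired"]
    if app_tier not in REAUTH_WINDOW_S:
        return Decision.DENY, [f"unknown app tier {app_tier!r}"]

    if now - identity.issued_at > REAUTH_WINDOW_S[app_tier]:
        reasons.append("authentication too old for this tier")

    if app_tier == "high":
        # Sensitive apps: non-compliant devices are refused outright.
        if not device_compliant(device):
            return Decision.DENY, ["device not compliant for high-tier app"]
        if not identity.mfa:
            reasons.append("mfa required")
    elif app_tier == "medium":
        if not (identity.mfa or device.managed):
            reasons.append("mfa or managed device required")

    return (Decision.STEP_UP, reasons) if reasons else (Decision.ALLOW, [])


if __name__ == "__main__":
    now = 1_000_000
    alice = Identity("alice", mfa=True, issued_at=now - 600, expires_at=now + 3600)
    laptop = Device(managed=True, disk_encrypted=True, patch_age_days=7)
    print(evaluate(alice, laptop, "high", now))
```

The design point is that the same identity and device can be allowed into a low-tier app, asked to step up for a high-tier one a few minutes later, and denied once the device falls out of compliance; the decision is made per request, not once at login.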
By getting smarter about how they provision and develop apps from the cloud, organisations will be able to protect thousands of employees and customers and provide a richer and safer app experience.
After a few silent months away from philosophical scribbling about market, societal and technology based change, something has caused me to reach again for my pen (“what pen?” I hear you say; stay with me on this one).
In the digital age, “do nothing” delivers the worst possible outcome – “nothing”. Does this mean a relentless march forward, ideally at “digital” speed, is the order of the day? To a degree, yes, but not without thought or calibration. Harvard’s Clayton Christensen formulated a memorable principle in his seminal book The Innovator’s Dilemma in 1997: “An organization’s capabilities define its disabilities”. Put simply, an organisation should rightly be validated for the actionable elements it delivers over pomp, history or rhetoric.
Surely this is obvious stuff, but changing focus, reinventing successful products or undertaking “blank sheet of paper” style development is time consuming, challenging, provides no guarantee of success and is downright risky. As a result, many crank the handle on the “same old way”, turning the handle faster as competition, market saturation and reducing income signpost that the race may be close to being run. But that isn’t the only way: “do nothing” or “do the same something”, whilst safe, is a sure-fire way of ensuring the only future ahead is one as “yesterday’s great”. As the digital age drives our personal and business lives forward, pressing reset on everything safe and known at a speed we can barely consume (much less digest), the winners will be those who manage to maintain a level of effective competitiveness within existing markets whilst guiding existing customers and new prospects to take advantage of adjacent or original innovations that unlock reliable and previously unforeseen benefits.
I was compelled to scribble this post by a recent and potentially market defining strategic announcement from Cisco. As the campus and datacentre network infrastructure market leader by some magnitude, “do nothing” for Cisco could still have some mileage. By using superior purchasing power to develop products at market prices others may struggle to match profitably, or via customer loyalty plays to retain and maximise existing advocates, Cisco could continue to maintain a slightly better version of “the good old way”. Or they could flip the script with a fundamental reframe of everything known, building on existing legacy value but enhanced for the future via insight and innovation – that’s what Cisco has done. Cisco DNA (Digital Network Architecture) and SDA (Software Defined Access) are so new in the market that the ink has barely dried, but initial observations point to a technical philosophy that will redefine strategic, functional, operational and technology based customer outcomes.
The ability to deliver local and, in time, wide area secure network connectivity that self-configures, is rich with relevant user or network insight, is policy driven, self-heals, is adaptive, abstracts complexity, is API open, secure by design and enhanced by automation reads like a CIO wish list to Santa. But this is just a selection of announced initial release functionality inherent within the DNA and SDA footprint from Cisco. It leaves me encouraged, inspired and enthused, not because it signals a one vendor world of customer benefits, as that equally delivers the fear of “lock in”, but based on the potential for a vendor and market open platform that will bring together co-existing and competing vendors integrated by APIs to deliver an autonomic secure network layer to underpin digital transformation.
Forget dilemmas, it’s time for the “innovation imperative”. As Cisco reinvents itself to guide both customers and the industry forward, the game changes for everyone. Competitors will be compelled to respond, fuelled by their own innovation imperative; partners will be inspired to retool and reskill to service and support the new normal; and lastly customers, whilst initially confused, will soon be engulfed by a wave of excitement that old problems may soon be eliminated by new solutions.
I’m not just a Cisco fan; I’m also seeing mind blowing innovation from the top ten networking and security industry leaders and the next ten UK, San Jose or Israel based emerging technology startups as they paint the new picture for business enabled IT. What a fantastic transformational journey we have ahead as we march towards that spiritual IT milestone date of 2020.
Who knows, as digitisation becomes the DNA of societal and business existence, a flawed something may far outweigh a perfect something. Time to get involved.
Until next time.
Chief Technologist – Computacenter UK, Networking, Security and Collaboration.
The current next big thing, the Internet of Things (IOT) or “Internet of Everything” could easily be relegated to the “hype” or more damningly the “spam” folder of your mental inbox.
It is currently one of the hot topics driving the dialogue of industry analysts and business thought leaders as they strive to unlock the potential of the abundance of digital sensors and IP connected devices now pervasive in the modern world. In enterprise “systems rich” organisations, it’s fairly straightforward to understand the importance of the IP connected elements that underpin both personal and professional activities. However, the Internet of Things ideology captivating the imagination of many embraces the access and use of data from the almost invisible sensor based digital community hidden in virtually every modern electronic device. They exist in the most diverse places, including household devices (alarms, TVs), environmental (weather, planet), government (traffic signals), retail (RFID tags) and even the common smartphone. But without rambling “Star Trek” style perspectives, it has proved challenging to showcase IOT use cases with real substance, which makes the following example from the non IT community look very exciting.
A major well known luxury carmaker is leveraging the Internet of Things (IOT) ideology via a real world implementation within forthcoming vehicles. By using on-board wireless and GPS technology, exchanging data in real time with traffic and environmental sensors, cars with traffic light assistance will help the driver to avoid stopping at red lights (thus speeding the journey, increasing safety, reducing fuel, and vehicle wear) by adapting the vehicle speed in relation to real time traffic flows.
The well known carmaker’s approach to leveraging the IOT is a real world example of the power of connected devices, the Internet of Things (IOT), and a valid use case that delivers commercial and human benefits. For the “Internet of Things” to make sense to us all, emerging examples must deliver personal benefits to drive the end user/customer to seek more and greater IOT benefits in the future (thus making it commercially attractive). Following that track, the Internet of Things will evolve from an urban IT myth to deliver real world human impacting benefits.
Maybe this next big thing could actually be the biggest next thing of all time.
Until next time.
It’s been a hectic couple of weeks, mainly as it’s been conference season which involves spending time away (usually in a foreign country), listening to vendor x, y, z, talk about their market perspective, and how their technology fits into the eco system of workplace technology (well, usually they talk about more than just workplace, but it’s what I pay most attention to 🙂 ).
Whilst it’s often perceived as a jolly, the days at such events are ordinarily long, mixed with a combination of vendor key messages, technology insights and details of technology improvements, and vendor meetings where we often talk about what we’ve done the past year with respect to them, and what we all think the opportunity is going to be for the following year.
For those of you internally, you’ll know that we’ve (CC) established ourselves as the leading service provider in the UK around Windows transformation, with our EMEA business equating to worldwide levels of prominence, numbers which frankly leave me very proud of what we’ve achieved over the last 15 years of improving and refining of our extensive service offerings to our customers.
It was actually this traction that led to Citrix and Cisco asking us (well, me) to present at the recent Citrix conference to extol the benefits of how we’ve deployed their integrated technology stacks to our customers, and how we’ve made such traction in a difficult market (desktop virtualisation). We’re being used as the poster boy (for want of a better description) on how it can be done, and how it’s possible to provide cutting edge desktop transformation services that provide innovative solutions to business problems. Quite a vindication from these key vendors, we felt, and why we agreed to do it.
This position in the market is allowing us to start thinking about the future of workplace services, and for the last 6 months or so I’ve been working on and considering the next generation of services and technologies, and how they’re going to impact us, our service offerings and, most importantly, our customers.
The key vendors in this area are all thinking big, and are thinking cloud enablement (private and public) and this tricky integration and how it can reduce costs and provide better services for modern working environments.
In the next 12-18 months, it will be possible to build a true Desktop as a Service (DaaS) model that, critically, will be able to flex both up and down and scale appropriately with need (which the IT industry really can’t do right now). I fully anticipate, however, that it will probably be another 2-3 years before it’ll really be a viable option for our customers to consider buying, and it is thus a part of our next generation of service development unlikely to gain any traction until after the Windows XP to 7 uplift.
I’m working with these vendors on helping them shape their products to be more complete service offerings (as the vendors are notorious for concentrating on technology features and functions over service integration considerations, or really thinking about their customers’ business needs and problems), and I’ll share more on these interesting developments in time, when it becomes more appropriate to share this insight.
I’m off on Holiday from today for 2 weeks; recharge the batteries before the big push for the remainder of the year. I’ll pick up the blog when I return, as whilst I like technology and my job, even I like to put it down sometimes. 🙂
A quick look at the current popular enterprise networking infrastructure platforms and they all seem to suffer from a similar predicament – almost without exception the functionality is good, reliability levels are high and performance (in relevant terms) delivers against expectations.
The reasons for this rather stable state include a networking journey to date that embraced the pain of interoperability and standardisation many years ago, the common use of high performance off the shelf network processing ASICs (with a few notable vendor exceptions) and, until recently, no real need to change the status quo.
After numerous years of highly effective network solution design by extensively trained and highly talented network engineers, who embraced inherent technology limitations and extracted maximum performance, we now have our “good enough” networks. I reiterate that there are many great network engineers who underpin the largest enterprises in the world, make complex networking “just work” and deliver business outcome after outcome – helping in many cases to hide the fact that below the surface all is not as well as it may seem.
But surely, if you were given a blank sheet of paper and networking / security designs were architected with a clean view of the vendor landscape plus tomorrow’s business outcomes as well as today’s, would you still design yesterday’s way? If the business outcomes of today and definitely tomorrow differ from the network usage approach of yesteryear, surely good enough can’t still be “good enough”.
A five year old network designed and configured for large volumes of directly connected network servers with one-gigabit interfaces surely won’t be good enough for a densely consolidated converged infrastructure requiring multiple ten-gigabit network interfaces. Equally, a multi layer network topology originally configured for hundreds and potentially thousands of physical servers, each with multiple physical network interfaces, has very different operational and performance characteristics to a distributed switch, hypervisor virtualised network layer.
The stage is set for good enough (or worse) networks to be evolved in line with tomorrow’s application and business requirements. Software defined networks (SDN) underpinned by the open standards aligned with the OpenFlow and OpenStack protocols and frameworks may in time enable the granular levels of flexibility and capability required to personalise today’s “good enough” general purpose networked infrastructure footprint into outcome specific networked topologies. This blog was set to discuss the well-crafted Cisco ONE strategy, which leverages the value delivered by OpenFlow and OpenStack and clearly positions a customer journey that leverages existing technologies interfaced with the emerging software network footprints, and equally the highly innovative HP VAN software aligned network play, which leverages IMC and IRF tightly woven into those same open network software foundations to deliver tangible application aligned networking.
But both of those great stories may now be somewhat pale when compared to VMware’s shock acquisition of Nicira. Put simply, the world’s dominant x86 hypervisor vendor now includes a highly regarded SDN networking core that can be leveraged in numerous and as yet unannounced ways that could potentially paint a new picture for enterprise networking (save this for another blog).
So “good enough networks” in the not too distant future may become a thing of the past. Will they ever be “perfect networks”? Unlikely, due to the ever changing nature of business and increasing levels of complexity, but could they become much more closely aligned with the levels of flexibility, adaptability and cost effectiveness currently sought by enterprise network customers? “Quite possibly”…
And then they will be more than “Good enough”.
Until next time.