Should Security Silos Still Stand?

DevSecOps needs a big shake-up. Given IT security's rich heritage, the "security as code" movement is fairly freshly minted. Yet already it is simply not working as well as it should in practice.

The main issue stems from the way that operations, security and development work together. Recent history has taught us that security has taken a fairly tight rein in the three-way group, operating at one end of the DevSecOps continuum. At the other end, development has been frustrated and feels like its wings have been clipped. There needs to be a happy medium in this dynamic.

That's according to PJ Kirner, founder and CTO at Illumio -- considered a unicorn company -- a firm that segments data centers in order to adaptively try and stop security threats. [Editor's Note: A "unicorn company" is a startup company valued at $1 billion or more.] "The DevSecOps shift of control from Ministry of Security, aka 'the department of no,' to the model where the developer can do anything and everything, was an overcorrection," he said. "Next year, we will realize that that this should not be a democratizing movement (where) everyone gets a vote, but rather more of a republic model."

His view is that collaboration and productivity is undermined if security has too heavy a hand, but that the act of de-siloing to encourage constant software development should be done from a safer place.

"What I think is a challenge is that some people really take that to an extreme, and say, 'all these resources and all of these people are completely fungible'," Kirner told SecurityNow. "The level of expertise needed and the respect for the expertise has kind of gotten lost within the organization in the desire to break down the silos."

Organizations are apparently struggling to define exactly when de-siloing makes sense, and where expertise is critical to making projects successful. No one person is a subject matter expert in development, security and operations, so the real skill is being able to make good judgment calls, and not relying on a set-in-stone playbook or a rigid team structure.

It seems like next year will be a busy one for security. Alongside fixes for DevSecOps, Kirner foresees major changes in Personal Identifiable Information (PII) security. Few would disagree this has been an annus horribilis for widespread PII theft that has generated a black cloud on the horizon as people hunker down and hope their details have not gone missing.

There's a good case for reasoning that, in total, the majority of US citizens will have been affected by a combination of big attacks such as Equifax, Deloitte and Sonic Drive-In. It seems inevitable that this black cloud will soon burst, washing away countless identities.

"Our Identity is no longer ours. PII is no longer valid, since so much of it has been exposed in breaches over recent years," he said. He expects that the data stolen to date will be repurposed into another phase of attacks. For example, it could be weaponized to use in attacks on major institutions in the government, healthcare or financial verticals. The main danger here is that, because of the richer identity picture that hackers have been able to build over time, phishing and social engineering attacks -- already remarkably successful -- will become even more difficult to distinguish from the real thing.

"The scary part is that so much data has been lost -- huge pieces of people's lives," said Kirner. "Organizations needs to start taking securing their customers' data much more seriously. We need more agile and adaptive security controls that move at the real pace of the business."

One area of improvement, given that cyber-attacks are rampant, is to move into a damage control mode before an attack happens. Illumio specializes in micro-segmentation of data centers, essentially enabling businesses to containerize and thereby limit or totally isolate an attack before it spreads.

"If someone's building a submarine, and there's only one compartment, there's a breach, the ship sinks, and everyone is killed. But say you build a set of redundant compartments. Then if there's a breach, you close off the affected compartment and corral everyone to the mess hall. Everyone lives."

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now