Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

11/15/2019
10:00 AM
Lamont Orange
Lamont Orange
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

DevSecOps: The Answer to the Cloud Security Skills Gap

There's a skills and resources gap industrywide, but a DevSecOps approach can go a long way toward closing that gap.

Digital transformation is driving change in every corner of the security industry. Organizations are evolving and expanding into the cloud rapidly, but their security teams and legacy data centers are holding them back. A skills and resources gap exists industrywide, but implementing a DevSecOps approach is key toward bridging that gap. 

DevSecOps, an inherently agile and nimble approach to security, is well suited for a more cloud-enabled future. Bringing together formerly isolated teams under one function allows security to be built in throughout the development process, also known as security by design, meaning that security can be more than an afterthought at the beginning and the end. 

But DevSecOps only works if organizations are willing to give their teams the resources and tools to successfully bridge those skill and resource gaps. Before you change your direction, you first need to address the issues with your current posture, understand the capacity of your current security teams, and find a guiding principle to drive your development. Here's where to start.

New Solution, Same Old Mistakes
Faced with the evolving threats brought on by digital transformation, organizations need to be aware of their existing postures and shortcomings in protecting their data.

This means asking questions about how you can improve your security posture in the cloud and rethink your best practices, finding the elements that are most germane to your organization. Instead of using the monolithic code that lived inside your data center, you have to architect your infrastructure from the beginning to continuously monitor based around these principles.

Because of digital transformation, your security posture will change and your best practices will need to be tweaked. Having a DevOps team that is questioning the past, and improving your security posture throughout this iterative transformation will pay off as your organization continues to scale.

Cloud-enabled security is meant to be iterative. It's a foregone conclusion that you're going to have incidents, but a DevSecOps team that is constantly iterating can catch them faster and fix issues as they come up. The security exists throughout the process, not just at the endpoints. This is the goal.

After solving this problem, you then need to make sure you have the right team for the job.

Mind the Skills Gap
I've talked with many organizations that tell me they've been doing DevOps for a long time, but that's often not entirely true. Sure, they have people monitoring their data centers, making sure the lights on the boxes are still blinking, but they aren't actually digitally transforming that team. As security moves into the cloud, that team is going to be responsible for rebuilding that infrastructure in the cloud, and if security isn't a part of the conversations around this infrastructure, organizations are missing a huge opportunity.

When organizations decide they want to do DevSecOps, they turn to a team, be it development, operations, or security, and tell them they need to get on board with transforming, often without the proper skills, resources, or guidelines. You need to know your DevOps teams' comfort level with security, and around digital transformation. For example, if they don't know about serverless infrastructure, beyond the obvious, then you're in for trouble.

Expecting a team to exclusively learn on the fly is basing a strategy on hope, which is always doomed to fail. Instead, take your spare moments and offer your DevSecOps team opportunities to learn from their blind spots, whether with additional certifications or shadowing. It doesn't have to be perfect, but every bit helps. This way, they are constantly getting better and modernizing, improving themselves as they improve your security infrastructure. 

Find the North Star 
DevSecOps can only help solve for issues if you have a guiding principle, or north star, for what you're trying to accomplish.  Doing this means making sure you know how you're implementing and improving your security posture in the cloud.

It's important to factor in security as you go, and embody visibility and contextual application of controls. For a long time, security teams pushed for access within the enterprise perimeter, but the transition to cloud computing is making all of that access obsolete, clouding their visibility and the effectiveness of how perceived controls will work in the cloud.

DevSecOps is all about consolidating teams to pool resources, better leverage skills, and realize unified goals and perspectives, which are key. And as I noted earlier, this doesn't have to be perfect.  Success with DevSecOps comes with being cloud curious and learning what matters most to your organization. This is an opportunity to take a modernized security stack to the cloud, in addition to business innovation. It's a fresh start to security, forecasting increased visibility and contextual controls applied at scale, all while supporting the agility of the business, all of which makes for a well-defined transformation. The lessons learned are:

  • If you're not transforming your security teams and capabilities, you're falling behind.
  • If you're resting on your existing security capabilities, you're going blind.
  • Context is key, resistance to change is not innovative, and most of your traffic is traversing the Web.

You're going to have bumps along the way, and have to iterate, but each iteration will make your DevSecOps team learn and better prepared for whatever the next threat presents.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "8 Backup & Recovery Questions to Ask Yourself."

Lamont Orange has more than 20 years of experience in the information security industry, having previously served as vice president of enterprise security for Charter Communications (now Spectrum) and as senior manager for the security and technology services practice at ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JdwZN
50%
50%
JdwZN,
User Rank: Author
11/22/2019 | 4:02:37 PM
Completely agree!
Lamont -- Great article and I couldn't agree more--DevSecOps goes a long way towards helping with the crushing skills gap. As you said "... DevSecOps only works if organizations are willing to give their teams the resources and tools to successfully bridge those skill and resource gaps." In speaking with organizations, we see that many of them today have between 12 and 15 application security and testing tools in use. And each tool often requires its own separate team for management. This obviously exacerbates constrained resources, and this is where we've seen the benefits of orchestration come in. By eliminating the need to manually evaluate, deploy and manage all of these scanning and testing tools, lean security teams can refocus their effort and skills on projects more critical to the business. In many organizations, we've seen this shift have residual benefits such as empowering a more satisfied, productive workforce and reducing employee churn. Lamont, let me know if you would like to connect live to discuss this further. John Worrall, ZeroNorth
avidan_a
50%
50%
avidan_a,
User Rank: Author
11/17/2019 | 3:32:40 AM
Interesting article
Interesting article
ronaldjeichner
50%
50%
ronaldjeichner,
User Rank: Apprentice
11/17/2019 | 12:24:16 AM
thank pro
thank so much
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/10/2020
Zscaler to Buy Cloudneeti
Dark Reading Staff 4/9/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Yes, I do have virus protection on my system, now what?
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18375
PUBLISHED: 2020-04-10
The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console.
CVE-2019-18376
PUBLISHED: 2020-04-10
A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC.
CVE-2019-7305
PUBLISHED: 2020-04-10
Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information di...
CVE-2020-8832
PUBLISHED: 2020-04-10
The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 ("The Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.") was discovered to be incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacke...
CVE-2020-1633
PUBLISHED: 2020-04-09
Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, lea...