
Visibility is essential for security

By Marilyn de Villiers
Johannesburg, 29 May 2019
Hendrik Johansson, principal – Office of the CISO at Amazon Web Services.

One of the most critical requirements for IT security is total visibility of the entire IT infrastructure, says Hendrik Johansson, principal – Office of the CISO at Amazon Web Services (AWS).

Delivering an international keynote address at the ITWeb Security Summit 2019 yesterday, he told delegates that it was possible to increase an organisation’s security posture by using the visibility afforded by the cloud.

“Visibility gives on-demand and repeatable insight at a control and evidence level, which is essential not only for security, but also accountability.

“Lack of visibility makes security hard. Lack of visibility can range from not knowing what you have in your infrastructure, to not knowing what is going on within that infrastructure, not knowing where applications are, or not knowing where data is going,” he said.

Visibility, he continued, was also about awareness – not only knowing what you had, but what was being done.

“Without visibility, how would you know that something has happened, how do you keep track of changes – including changes that someone else might have made?”

He questioned whether organisations – including the security teams responsible for protecting their infrastructure – were aware of just how many ingress points they had into that infrastructure, especially when one took account of obscure IoT devices, employees’ mobile phones, printers and the like.

Visibility – and thus security – was also about seeing the big picture: knowing how all the microservices and applications in use throughout the organisation fitted together, enabling one to know what was happening at all times and so being able to identify when things don’t happen, or are not happening as they should.

To ensure an organisation was fully secured, visibility also had to be extended beyond the organisation’s own periphery.

“How often does your security team talk to your operations team, or your development team to ensure you are all on the same page?” he asked.

Then there were other questions that anyone concerned with an organisation’s IT security and governance had to ask:

  • What data do I have in the cloud?
  • Where is it located?
  • Where does my sensitive data exist?
  • What’s sensitive about the data?
  • What PII/PHI is possibly exposed?
  • How is data being shared and stored?
  • How and where is my data accessed?
  • How can I classify data in near-real time?
  • How do I build workflow remediation for my security?

Everyone in the organisation, including those involved in operations, applications security, engineering, compliance and development, had to know the answers to these questions – or at the very least, where to find the answers – in order to establish the original source of the “truth”.

While all this could be overwhelming, the reality was that in today’s world, with cloud workloads, “you have never had more opportunities to revitalise, optimise and increase your overall security posture,” Johansson said.

He pointed out that all cloud service providers, including AWS, utilised the same standard responsibility to assist their customers to secure and protect their data.

While the service provider was responsible for security ‘of’ the cloud – protecting the infrastructure that runs the services offered by the provider – the customer was responsible for security ‘in’ the cloud: its own data and everything else over which it has control. That is why visibility is so important.

“Service providers like AWS will provide tools that will make it easier for you to secure your data. However, doing so remains your responsibility. Regardless of how many tools we create that will tell you when something is wrong, it is your responsibility to fix it,” he concluded.
