
DevOps security shifts left, but miles to go to pass hackers

DevOps security processes have matured within enterprises over the last year, but IT shops still have far to go to stem the tide of data breaches.

DevOps teams have built good security habits almost by default as they have increased the frequency of application releases and adopted infrastructure and security automation to improve software development. More frequent, smaller, automated app deployments are less risky and less prone to manual error than large and infrequent ones.

Microservices management and release automation demand tools such as infrastructure as code and configuration management software, which similarly cut down on human error. Wrapped into a streamlined GitOps process, Agile and DevOps techniques automate the path to production while restricting direct human access to it, a win for both security and IT efficiency.

However, the first six months of 2019 saw such a flood of high-profile data breaches that at least one security research firm called it the worst year on record. And while cybersecurity experts aren’t certain how trustworthy that measurement is — there could just be more awareness of breaches than there used to be, or more digital services to attack than in past years — they feel strongly that DevOps security teams still aren’t staying ahead of attackers, who have also learned to automate and optimize what they do.


“The attackers have innovated, and that’s one of the problems with our industry — we’re at least five years behind the attackers,” said Adrian Sanabria, advocate at Thinkst Applied Research, a cybersecurity research and software firm based in South Africa. “We’re in a mode where we’re convinced, with all this VC money and money spent on marketing, that we have to wait for a product to be available to solve these problems … and they’re never going to be ready in time.”

DevOps security tools aren’t enough

A cybersecurity tool is only as good as how it’s used, Sanabria said, citing the example of the 2013 Target breach, where security software detected potentially malicious activity, but IT staff didn’t act on its warnings. In part, this was attributed to alert fatigue, as IT teams increasingly deal with a fire hose of alerts from various monitoring systems. But it also has to do with IT training, Sanabria said.

“In the breach research I’ve done, generally everyone owned [the tools] they needed to own,” he said. “They either didn’t know how to use it, hadn’t set it up correctly, or they had some kind of process issue where the [tools] did try to stop the attacks or warn them of it, [but] they either didn’t see the alert or didn’t act on the alert.”


DevOps security, or DevSecOps, teams have locked down many of the technical weak points within infrastructure and app deployment processes, but all too often, the initial attack takes a very human form, such as a spoofed email that seems to come from a company executive, directing the recipient to transfer funds to what turns out to be an attacker’s account (so-called business email compromise).

“Often, breaches don’t even require hacking,” Sanabria said. “It requires understanding of financial processes, who’s who in the company and the timing of certain transactions.”

Preventing such attacks requires that employees be equally familiar with that information, Sanabria said. That lack of awareness is also driving a surge in ransomware attacks, which commonly rely on social engineering, such as phishing, for initial access before holding vital company data hostage.

Collaboration and strategy vital for DevOps security

Thus, in a world of sophisticated technology, the biggest problems remain human, according to experts — and their solutions are also rooted in organizational dynamics and human collaboration, starting with a more strategic, holistic organizational approach to IT security.


“Technology people don’t think of leadership skills and collaboration as primary job functions,” said Jeremy Pullen, CEO of Polodis, a digital transformation consulting firm in Atlanta. “They think the job is day-to-day technical threat remediation, but you can’t scale your organization when you have people trying to do it all themselves.”

An overreliance on individual security experts within enterprises leads to a ‘lamppost effect,’ where those individuals overcompensate for risks they’re familiar with, but undercompensate in areas they don’t understand as well, Pullen said. That kind of team structure also results in the time-honored DevOps bugaboo of siloed responsibilities, which increases security fragility in the same way it dampens application performance and infrastructure resilience.

“Developers and operations may be blind to application security issues, while security tends to focus on physical and infrastructure security, which is most clearly defined in their threat models,” Pullen said. “Then it becomes a bit of a game of Whac-a-Mole … where you’re trying to fix one thing and then another thing pops up, and it gets really noisy.”

Instead, DevSecOps teams must begin to think of themselves and their individual job functions as nodes in a network rather than layers of a stack, Pullen said, and work to understand how the entire organization fits together.

“Everyone’s unclear about what enterprise architecture is,” he said. “They stick Jenkins in the middle of a process but might not understand that they need to separate that environment into different domains and understand governance boundaries.”

Effective DevOps security requires more team practice

Strategically hardening applications and IT management processes to prevent attacks is important, but organizations must also strategically plan — and practice — their response to ongoing security incidents that can and will still happen.

“Cybersecurity so far has been focused on solitary study and being the best technical practitioner you can be, and building stand-alone applications and infrastructure to the best technical standard, which reminds me of golf,” said Nick Drage, principal consultant at Path Dependence Ltd., a cybersecurity consulting firm based in the U.K., in a presentation at DevSecCon in Seattle last month. “But in reality, cybersecurity is a fight with an opponent over territory — much more like American football.”

As long as security is practiced by isolated individuals, it will be as effective as taking the football field armed with golf clubs, Drage said. Instead, the approach should be more team-oriented, cooperative, and, especially, emphasize team practice to prepare for ‘game time.’


American football defenses are particularly instructive for DevOps security strategy ideas about defense in depth, Drage said in his presentation. Among other things, they demonstrate that an initial incursion into a team’s territory — yards gained — does not amount to a breach — points scored. IT teams should also apply that thinking as they try to anticipate and respond to threats — how to protect the ‘end zone,’ so to speak, and not just their half of the field.

Thinkst’s Sanabria uses a different analogy — the DevOps security team as firefighters.

“We’re not going to get good at this if we don’t practice it,” he said. “We buy all the tools, but imagine firefighters if they’d never donned the suits, never driven the truck, never used the hose and they’re not expecting the amount of force and it knocks them down. Going out to their first fire would look like a comedy.”

And yet that’s exactly what happens with many enterprise IT security teams when they must respond to incidents, Sanabria said, in part because companies don’t prioritize experiential learning over informational training.

The good news is that IT analysts expect the next wave of DevOps security to look very much like the chaos engineering many organizations use to improve system resiliency, but with a human twist. Organizations such as OpenSOC have begun to emerge that set up training workshops, including simulated ransomware attacks, for companies to practice security incident response. Companies can also do this internally through red teaming, in which a penetration test is treated as a real attack and the defenders respond as they would to a genuine incident. Free and open source tools such as Infection Monkey from Guardicore Labs also simulate attack scenarios.


Tech companies such as Google already practice their own form of human-based chaos testing, where employees are selected at random for a ‘staycation,’ directed to take at least an hour to answer work emails, or to intentionally give wrong answers to questions, to test the resiliency of the rest of the organization.

“Despite the implications of the word ‘chaos,’ some companies are already presenting chaos engineering to their risk management leaders and auditors,” said Charles Betz, analyst at Forrester Research. “This is the future of governance — controlling risk on the human side of our systems.”


Microsoft SharePoint recognized as a Leader in Gartner Magic Quadrant for Content Services Platforms

Content is one of the most critical assets for every organization, embodying its knowledge and processes. How content is created, managed, and shared—and how users collaborate using that content—has gone through a drastic evolution from traditional enterprise content management (ECM) to dynamic content services.

According to Gartner, “Content services platforms are the next stage of enterprise content management, representing a shift from self-contained systems and repositories to open services.” To truly deliver on the promise of content services, you must balance manageability with ease of use to unlock productivity gains around your critical business information.

SharePoint delivers content services as the foundational content platform for Office 365, with capabilities for creating, sharing, protecting, and reusing information. Going far beyond merely storing documents, SharePoint hosts digital content like pages, videos, images, designs, 3D, medical scans, and markup as well as traditional documents. SharePoint embodies ease of use with ease of management—on any device, for any user, at any location.

These innovations, along with customers’ transition to the cloud and the growing imperative for secure content collaboration and sharing, are driving growth across Microsoft 365, SharePoint, and OneDrive. More than 300,000 organizations now have SharePoint and OneDrive in Office 365, including 85 percent of the Fortune 500. Active users grew over 90 percent, and data stored in SharePoint Online grew over 250 percent in the last year alone.

Gartner has recognized Microsoft as a Leader in the Content Services Platform Magic Quadrant for 2017. In addition to being positioned as one of only three Leaders, Microsoft is placed highest for Ability to Execute.

Image of the Gartner Magic Quadrant shows Microsoft as a Leader in Content Services for 2017.

We feel this placement is a further indication of our commitment to our customers, recognizing that Microsoft provides leading content services capabilities, including:

  • Simplicity—SharePoint is quick to set up, with a simple and clean user interface paired with easy but powerful management.
  • Content services across Office 365—SharePoint has also become the content services layer that powers content collaboration across Office 365. Now, whether you are co-authoring in Office apps, emailing cloud attachments in Outlook, or collaborating with your team in the new chat-based workspace, Microsoft Teams, SharePoint provides a consistent set of experiences across the applications, along with the security and control that’s important to IT.
  • Support for a broad range of file types—In addition to Office files, SharePoint can store any file and now supports viewing of over 270 file types, including Adobe Photoshop (PSD), Illustrator (AI), Acrobat (PDF), as well as video, 3D formats, and DICOM images.
  • Personalized search and intelligence—Search is smarter and faster, making it easier to find and filter results across all SharePoint content, including files, sites, people, and now news and list items. SharePoint even indexes objects, text, and handwriting inside images.
  • Scalability—SharePoint supports customers ranging in size from small businesses to organizations with hundreds of thousands of users and has a maximum tenant capacity of 30 trillion documents.
  • Security and IT confidence—SharePoint leverages Microsoft security capabilities such as Advanced Data Governance for Retention and Records Management, Data Loss Prevention (DLP), eDiscovery, and Customer Key with consistent controls across Office 365.
  • Deployment flexibility—Customers can choose their deployment model—cloud, hybrid, or on-premises—and leverage no-cost Microsoft FastTrack deployment, adoption, and migration services.
  • Cloud leadership and compliance—With 100+ global datacenters and Microsoft’s global network edge—combined with compliance standards, including ISO 27001, FISMA, and EU Model Clauses—we offer customers trusted enterprise-grade compliance and security.

At Microsoft Ignite last month, we announced an exciting new set of SharePoint innovations that build on this foundation. To learn more about how SharePoint can help you and your organization, visit our website and download our content services white paper. Finally, download your own complimentary copy of the Gartner Content Services Platforms Magic Quadrant.

—Chris McNulty, senior product marketing manager for the SharePoint team

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.