Cloud It With A Chance Of Meatballs?
By Jeff Wright, VP & CISO, Allstate
One point of view might be to worry about what this means to a corporation’s information security profile. It would not be incorrect to consider how the speed with which applications are being developed, or with which the infrastructure hosting these applications changes, is impacting the overall security posture of the company. Alternatively, you might think that the likes of IBM, Microsoft, and Amazon, which offer robust enterprise-class cloud services, have first-hand experience dealing with the most sophisticated threat actors and have developed cutting-edge security solutions to bolster your legacy in-house security controls, positioning you a step ahead of those that seek to do you harm.
In the application development space, companies have modified their Software Development Lifecycle (SDLC) to incorporate code scanning tools that evaluate source code for vulnerabilities. Most have also embraced the practice of performing penetration tests against their applications to identify vulnerabilities before the hackers can exploit them. But how do you scale services like these when code is being developed and deployed multiple times a week, as is often the case with the more extreme versions of Agile and XP?
The answers to these and other challenges may lie in a rigorous adoption of standards and the development of patterns to which they are applied. Take, for example, the Payment Card Industry’s Data Security Standards (PCI DSS); these standards place a high value on preserving the sanctity of payment card information. Countless applications and technology environments have undergone massive re-designs in order to protect the confidentiality of card information from the point at which it’s received from the customer through completion of the transaction. Applications have been dissected and re-written, databases have been divided both virtually and physically, pallets of new infrastructure have been integrated in our data centers, and let us not forget about the levels of encryption and tokenization, all in order to enable the safe acquisition and processing of payment card data. Now consider applying this same level of engineering discipline to your complex core business application, and you begin to appreciate how a data-centric view of your environment will be critical to the successful adoption of cloud technology.
Relentless adherence to industry standards for technology and development practices allows for the creation and re-use of patterns in your environment, very much like what has been done with PCI. These standards-based patterns can then be leveraged by architectures that may be on premise, in the cloud, or a hybrid of both.
When security, as viewed from the data element or entitlement level, is a principle of these patterns, it becomes part of the DNA of an organization’s technology environment, enabling security, in many ways, to match the speed with which business-driven technology solutions are developed in an Agile, cloud-based world.
The ingenuity required to achieve this, and the integration with key business drivers, if executed properly, present a unique opportunity to re-establish your security footing, ensure more scalable and resilient computing capabilities, and perhaps get a step ahead of a threat landscape that is constantly evolving and always moving.