One might consider the firewall the most significant invention in cybersecurity in the last 30 years. The firewall has certainly evolved since its inception in 1988 as a simple packet filter, moving to stateful filters, then to the third-generation application layer firewall and, more recently, to the next-generation firewall (NGFW).
While NGFW is certainly part of the cybersecurity stack, NGFW is no longer revolutionizing the way we protect our critical business assets.
Today’s cybersecurity strategies have been disrupted by two new models: the Zero Trust model and DevSecOps.
Zero Trust Model
The Zero Trust network or Zero Trust architecture model was created in 2010 by John Kindervag. This concept completely flips the way we approach cybersecurity. Past models used the concept of a perimeter and whitelisting; however, with the move to the cloud, mobile devices and internet of things (IoT), the perimeter concept is officially dead.
One of the first companies to significantly shift its cybersecurity architecture was Google with the creation of BeyondCorp. The release of BeyondCorp was quickly followed by the Cloud Security Alliance’s creation of a new standard called Software Defined Perimeter (SDP) in 2013.
SDP solves several of the biggest challenges organizations face today, such as patch management, endpoint protection, enforcing multifactor authentication and the principles of “need to know” and “least privilege.”
SDP grants access to systems based on granular role-based rules while verifying the device’s state, including antivirus/malware status and operating system fingerprinting, among other requirements, before granting access.
SDP allows you to protect all of your systems, including mobile, cloud and legacy while ensuring every device enforces strong authentication through supported multifactor authentication options and only connects the device to the system if it is not infected.
For example, if a device does not have the latest software patches and the user is currently working remotely, access might be denied for critical systems but allowed for less critical systems. The user could also be asked for an additional authentication factor.
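The access decision described above can be written as a small default-deny policy function. This is an added example, not code from the SDP specification or any product; the resource names, sensitivity tiers, field names and the rule that a less critical system needs one extra factor from an unpatched remote device are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # ask for an additional authentication factor
    DENY = "deny"

@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    remote: bool
    mfa_passed: bool
    extra_factor_passed: bool
    patched: bool
    malware_free: bool
    os_fingerprint_ok: bool

# Constructed policy data: resource -> (sensitivity tier, roles with need to know).
RESOURCES = {
    "payroll-db": ("critical", {"finance"}),
    "team-wiki": ("low", {"finance", "engineering"}),
}

def decide(req: Request) -> Decision:
    entry = RESOURCES.get(req.resource)
    if entry is None:
        return Decision.DENY  # unknown resource: default deny
    tier, roles = entry
    if req.role not in roles:
        return Decision.DENY  # least privilege: role has no need to know
    if not (req.malware_free and req.os_fingerprint_ok):
        return Decision.DENY  # infected or unrecognized device is never connected
    if not req.mfa_passed:
        return Decision.STEP_UP  # multifactor authentication is always required
    if req.remote and not req.patched:
        if tier == "critical":
            return Decision.DENY  # degraded posture: no critical systems
        if not req.extra_factor_passed:
            return Decision.STEP_UP  # less critical: allowed after one more factor
    return Decision.ALLOW
```

The deny checks run before any step-up prompt, so a user whose role or device can never qualify is not asked for further factors.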
Additionally, SDP uses single packet authorization (SPA) and mutual transport layer security (TLS), making it more secure and lightweight than the traditional VPN. Overall, SDP brings significant long-term cost savings by replacing outdated VPN solutions.
The end result allows employees to work securely from any location without the need for a costly, traditional VPN.
According to Gartner, “By 2016, DevOps will evolve from a niche to a mainstream strategy employed by 25% of Global 2000 organizations.”
Implementing DevOps allows organizations to get more done. DevOps promotes teamwork by eliminating silos and encouraging collaboration. Teams that adopt the DevOps model are able to improve lead time and create new features at a faster pace, all while driving innovation and increasing employee engagement and communication. In turn, they are making applications more secure and stable.
When leveraging DevOps and implementing continuous integration and continuous delivery (CI/CD), organizations can see a tremendous improvement in deployment frequency, lead time, detection of cybersecurity vulnerabilities and flaws, mean time to repair and mean time to recovery.
But with security and compliance remaining top priorities, DevOps is not good enough. The next generation integrates compliance and security into the DevOps life cycle, creating DevSecOps.
Deploying the DevSecOps technology stack isn’t simple. It requires a carefully integrated set of solutions to successfully implement the DevSecOps culture without creating bottlenecks or security gaps.
Additionally, the number of solutions to adopt to bring a CI/CD stack to life can be staggering.
To plan, develop, build your code, store artifacts, test your code, secure your code and containers, deploy, operate, monitor and finally, to scale your deployments on your favorite cloud, the complete DevSecOps stack requires at least eight solution components. Sometimes, there are multiple off-the-shelf solutions per component, not to mention the CI/CD orchestration tool that is required to make all this happen.
The security stack alone requires static and dynamic source code analysis, pen-testing, vulnerability management, container security, container management solutions and more.
One of the biggest challenges for any organization looking to implement DevSecOps is the lack of talent trained to build and manage this kind of sophisticated technology stack. Finding a DevOps engineer is becoming as hard as getting a man to Mars.
While a few U.S. universities are finally creating dedicated courses tailored to DevOps, many training options are oversimplified workshops or basic certifications. There is a real need for innovation and disruption in the information technology (IT) education field that incorporates a continuous learning model more aligned with the pace of this market.
Cybersecurity is seeing rapid innovation and dramatic shifts in how we address enterprise security. Organizations that do not keep up with these changes will face serious business risks. How is your IT team responding to these disruptions?