It was around 1995 when the MIT Professor Nick Negroponte wrote in his book Being Digital the following prophetic words: “the transformation process from atoms to bits is unavoidable and unstoppable.” Fast forward to today and digital transformation has become one of the main focus points for CIOs and CEOs alike. However, all this change around digital also affects security. The demand for more flexibility and more rapid deployments can easily lead to security risks.
So while the term “digital transformation has become more popular over the past few years, how are security teams responding to the new pressures they are under? And how are they getting ahead of this keep security in place whatever happens to the business?
Where Are We Today?
For many companies, a digital transformation initiative is the moment in time when they really consider how they do business today compared to previously. Rather than sticking to traditional designs and requirements, there is an opportunity to start with a blank sheet of paper and focus on the customer. Yet this change can risk throwing out some of the hard-won best practices and knowledge that already exist within the business. It’s therefore important to view digital transformation as a journey, rather than a destination.
The potential that digital transformation represents is immense and can affect our economies, our communications and last but not least our societies in a positive way. However, security has to be involved in the process and built-in from the very start, rather than bolted on afterwards.
There are therefore five essential capabilities that need to be built, strengthened or empowered around digital:
- Visibility – this translates into the ability to collect data from the different environments across IT
- Accuracy – this means not being overwhelmed by too much information without the right context
- Scale – digital transformation causes computing environments to scale up and shrink frantically, so security has to as well
- Immediacy – to get fast answers around data in a predictable fashion
- Orchestration – to transparently connect all the various platforms and technologies that a company has in place via APIs
How Can We Embed Security More Effectively?
Digital projects have some distinctive traits. To meet the need for more business agility, companies are bringing in DevOps processes to speed up how they build software or applications. So the first step for security is to understand this DevOps process and ensure it follows company best practices around security of data from the start.
While DevOps beings with internal adoption, it then opens up to entities outside the corporate perimeter, like partners and third party vendors than can fill any gaps in the process or deliver faster than you can on your own. The second step is therefore to understand these relationships and any security requirements that should be in place. Ideally, these steps should be automated as much as possible, so human error cannot enter into the process.
After these elements have been put in place, you have to consider your Security Operations and Incident Response teams as well. Nothing is perfect – even when you automate as much as possible – so when things don’t go as you expect your response must become integrated, intertwined and well-oiled.
Alongside these technical considerations, the business cares about how quickly they can deliver new services and how well customers can be served. This velocity is about the mean time it takes to deliver a service. In essence, every process needs to become measurable and represent a tangible competitive advantage.
The Move to DevSecOps & Better Software Processes
In DevOps implementations, the key process is the CI (Continuous Integration) and Continuous Deployment (CD) pipeline. To keep this process secure, CI/CD pipelines should cover two requirements.
The first is to ensure that developers can be warned about any code vulnerability that is present during the process, as this can help developers fix issues early and spot any dependencies that may come up around vulnerable software components.
It’s therefore important to integrate checks into all the tools commonly used to move the code through the different stages from initial development, through QA preproduction and testing, and finally to production.
The second action is building all the necessary tools for security into the golden images for machines or containers from the start. As and when any new software is built, there is already a level of security and accurate data collection included right from the start.
For digital transformation to work effectively, it has to deliver faster customer service and better visibility for the business. For security teams involved in this, building the right security processes and technologies in from the start is essential. Without this visibility and immediacy around your software – and without the transparent orchestration to pull this all together – digital transformations will lack security.