By Gregg Ostrowski, CTO Advisor, Cisco AppDynamics
Within many IT departments, security teams (SecOps) have traditionally operated in isolation from other functions such as DevOps and ITOps. And when it comes to application development, security has often only been brought in at the very end of the development pipeline, rather than being integrated into the application lifecycle from the outset.
But the shortcomings of this siloed approach are being ruthlessly exposed as organizations ramp up their use of cloud native technologies to meet their digital transformation objectives. The shift to modern applications is resulting in a huge expansion in attack surfaces and most organizations don’t have the right tools, insights and ways of working to effectively counter the heightened threats they are now facing.
In response, IT departments urgently need to adopt a more collaborative and proactive approach to application security, where security is integrated into the application lifecycle from the outset, rather than being an afterthought at the end of the development pipeline. And alongside this move to a DevSecOps model, IT teams also need new tools and insights to effectively monitor modern applications.
Business risk observability provides IT teams with expanded visibility into cloud native environments and, crucially, it provides business context to security intelligence. This enables teams to quickly assess risk and prioritize remediation based on potential impact to the business. As such, business risk observability is the only way for organizations to bring applications and security teams together to secure development and deployments of modern applications.
IT teams struggling to cope with rising threat levels within cloud native environments
Across almost every industry, organizations are facing an explosion of security events. A study from Red Hat found that 93% of businesses have experienced at least one security incident in their Kubernetes environments in the past 12 months and 31% have experienced financial or customer loss as a result.
Bad actors are recognizing the opportunity to target Kubernetes clusters, large numbers of which are reportedly openly accessible and unprotected. Worryingly, many of these clusters house a wide array of sensitive and valuable assets such as customer data, financial records, intellectual property and access credentials.
Application security is fast becoming a critical concern for organizations and it’s understandably causing a huge amount of stress and anxiety for those technologists responsible for developing, protecting and maintaining applications and digital services.
Unfortunately, this challenge will only be exacerbated over the coming years as organizations ramp up their deployment of cloud native technologies to achieve their digital transformation goals. If businesses are to find a sustainable approach to innovation, then they have to tackle this application security challenge now.
The limitations of current application security approaches
In many organizations, application security hasn’t kept up with the accelerated pace of innovation that we’ve seen over recent years. In a recent Cisco study, 92% of global technologists admitted that the rush to rapidly innovate and respond to the changing needs of customers has come at the expense of robust application security during software development.
The result is that IT teams now have major visibility gaps into Kubernetes environments and most are still working with siloed vulnerability scanning tools which don’t generate a comprehensive view of their organization’s security posture. Technologists are being bombarded with security alerts from across the application landscape but they can’t cut through the noise to quickly analyze issues and understand the level of risk.
Indeed, the same study from Cisco found that 59% of technologists feel overwhelmed by the volume of security threats and vulnerabilities to their organization — they simply don’t have the insights and resources required to manage an ever more complex application security landscape.
But beyond tools and technologies, there is also a more fundamental, cultural issue which is hindering security efforts within many IT departments. Fragmented structures and working practices mean that ITOps and security teams are still operating entirely separately. In many cases, the only time teams collaborate is when a potential issue is identified (essentially, when it’s already too late). The result is that teams are stuck on the back foot, scrambling to detect and understand vulnerabilities, without the structures and processes to work together effectively.
Inevitably, organizations are becoming increasingly vulnerable to a security breach, with all of the implications this brings in terms of lost customers, revenue and reputation. With applications now the front door for nearly all businesses, and digital experience the foundation for brand trust and loyalty, any kind of security incident can be catastrophic.
Business risk observability is key to bringing IT teams together to mitigate business risk
The first thing that IT teams need in order to get to grips with this application security challenge is expanded visibility into Kubernetes environments. Technologists need to be able to locate and highlight security issues across application entities (including business transactions, services, workloads, pods and containers). Entity-level correlation allows technologists to rapidly isolate issues and apply fixes, improving mean time to detect (MTTD) and mean time to remediation (MTTR).
But such is the volume of alerts coming from an ever more dynamic and dispersed application landscape that this type of unified visibility on its own isn’t enough.
IT teams also need business context on their security findings, combining application performance data and business impact context with vulnerability detection and security intelligence. This type of business risk observability enables IT teams to easily identify which business transactions present the greatest risk to the business. Technologists can get immediate access to a business risk score for all vulnerabilities so that they can prioritize the issues which could do most damage to the business, for example those which relate to application entities which contain sensitive customer or third-party data or those which are critical to payment transactions.
Arguably, the greatest long-term benefit of business risk observability is that it breaks down silos and entrenched mindsets within the IT department. It brings applications and security teams together around trusted data and insights, and provides a platform for organizations to move to a more integrated approach to security throughout the application lifecycle. By incorporating security testing from the outset of the development process, security teams can analyze and assess security risks and priorities during planning phases to lay the foundation for smooth development. And development teams can easily adhere to their organization’s most critical security priorities.
The benefits of enhanced collaboration within the IT department are potentially game-changing for organizations. With their very best IT talent united around shared objectives and a common purpose, businesses can accelerate their speed to innovation and deliver ever more intuitive and seamless application experiences to customers and employees alike.
Ultimately, by implementing business risk observability and moving to an integrated approach to application security, IT departments can be more proactive around application security, building and maintaining more secure products and focusing their time and skills on the things that matter most to customers and the business. And organizations can establish a more sustainable approach to innovation, reaping the benefits of cloud native technologies while mitigating risk at every step.