Cloud IT with a Chance of Meatballs?

Jeff Wright, VP and CISO, Allstate [NYSE: ALL], Jeff Wright is Vice President and Chief Information Security Officer for Allstate Insurance Company. In this role he is responsible for the enterprise...  More >>

Discussions around Cloud computing and related development methodologies like Agile, XP and Scrum have grown to dominate the agendas of today’s technology and business meetings.  Companies are looking to adopt cloud solutions and “re-factor” code that runs major applications in order to be able to reduce the expense associated with traditional data centers, and take advantage of the resiliency and scalability that cloud enabled computing environments can offer. These new methodologies like Agile and XP promise faster development and deployment timeframes with heavy partnership between business and technology teams to iterate quickly from concept to MVP (minimally viable product). But how does the adoption of these new strategies help us in the constantly evolving cybersecurity battlefield?

One point of view might be to worry about what this means to a corporation’s information security profile. It would not be incorrect to consider how the speed, with which applications are being developed or the infrastructure hosting these applications are impacting the overall security posture of the company. Alternatively, you might think that with the likes of IBM, Microsoft and Amazon offering robust enterprise-class cloud services that they have first-hand experience dealing with most sophisticated threat actors, and have developed cutting edge security solutions to bolster your legacy in-house security controls, positioning you a step ahead of those that seek to do you harm.

  A safe and successful leap into cloud based computing requires you to modify the way in which you view your technology assets 

The reality, as it often does, lies somewhere in between. A safe and successful leap into cloud based computing requires you to modify the way in which you view your technology assets. From a perspective often based on silos like storage, server, network and security (to name a few), to a more data-centric architecture where you examine the levels of trust or confidence you want to maintain for certain data elements. 

In the application development space, companies have modified their Software Development Lifecycle (SDLC) to incorporate code scanning tools that evaluate source code for vulnerabilities.  Most have also embraced the practice of performing penetration tests against their applications to identify vulnerabilities before the hackers can exploit them. But how do you scale services like these when code is being developed and deployed multiple times a week as is often the case with the more extreme versions of Agile and XP?

The answers to these and other challenges may lie in a rigorous adoption of standards and the development of patterns to which they are applied. Take for example the Payment Card Industry’s Data Security Standards (PCI DSS); these standards place a high value on preserving the sanctity of payment card information. Countless applications and technology environments have undergone massive re-designs in order to protect the confidentiality of card information from the point at which it’s received from the customer through completion of the transaction.  Applications have been dissected and re-written, databases divided–virtually and physically, pallets of new infrastructure have been integrated in our data centers, and let us not forget about the levels of encryption and tokenization, all in order to enable the safe acquisition and processing of payment card data. Now consider applying this same level of engineering discipline to your complex core business application and you begin to appreciate how a data-centric view of your environment will be critical to the successful adoption of cloud technology.

Relentless adherence to industry standards for technology and development practices, allows for the creation and re-use of patterns in your environment, very much like what’s been done with PCI. These standards-based patterns can then be leveraged by architectures that may be on premise, in the cloud or a hybrid of both.

When security, as viewed from the data element or entitlement level is a principle of these patterns, it becomes part of the DNA of an organization’s technology environment, enabling in many ways for security to match the speed with which business-driven technology solutions are developed in an Agile, cloud based world.

The ingenuity required to achieve this and the integration with key business drivers, if executed properly presents a unique opportunity to re-establish your security footing, ensure more scalable and resilient computing capabilities and perhaps get a step ahead of a threat landscape that is constantly evolving and always moving.