From Situational Awareness to Application Security: Questions for John Donovan
I sat down with John Donovan, who leads Information Security at Illumio, to talk about what he sees as key trends in security now, and what we’ll still be paying attention to in 10 years.
What are you seeing as a key element of security today?
Organizations that are either entirely or primarily in the cloud, or built on Software-as-a-Service applications, can’t really take the posture of putting in big walls and gateways to understand what’s coming into and going out of the organization.
Just before this interview, I was listening to the keynote Alex Stamos did for AppSec California 2015. He puts up a really interesting diagram that shows why web-scale companies especially can’t just put a traditional firewall in and try to connect everything up around it. He showed one picture on the power consumption alone to cover the entire network they needed. It was ridiculous.
We’re really getting to the point where security needs to — and can — enable and adapt to the business.
What trends do you expect to continue for the next five to 10 years?
- The move to the cloud is going to continue. We’re going to have a number of companies and organizations that are still going to keep and build out private areas using all of the techniques and technology that the web-scale folks are using. So even in a private data center, the whole web-scale architecture is going to be an important component.
- The horse is definitely out of the barn with DevOps. When you move so quickly, you actually must have more discipline. You can’t just mess around when you’re in a development environment and then tighten things up when you go to production, because you’re always moving to production. So you need to make sure that those checks are in place kind of all the time. DevOps also provides a very interesting challenge to auditors who really like to see separation and structure.
- We’ll certainly see threats continue, with state actors being involved. The criminals are going where the money is, and they’re getting better and better at it, which makes it really tough to play the defender’s game. This may be more of a hope than an actual trend, but I hope that we, as folks that are trying to secure our environments, get smarter at figuring how to collaborate. We have to figure out how to adapt and be as quick — hopefully quicker — than the criminals are.
- Finally, there’s the whole idea of crowd sourcing security. People are putting out what they call bug bounties. And there are a couple of different companies that are making a business around sourcing people and saying, “All right, for your company, you know, we’ll say there’s a two-month period and we’ll supply you with a hundred well-qualified researchers over the next two months to try to find problems in your application.” We have to figure out how to get better at helping each other out, so I’m curious to see what direction this crowd sourcing in security takes.
In terms of threats, do you see both the private and the public sectors having the same struggles?
Certainly some of the revelations we saw from Snowden and other disclosures that are out there let us see some of the things that have been going on in the back end. In a lot of cases, we’re dealing with the same set of bad actors.
Now, the people who are attacking government agencies may be different than those that might be going after a corporation, but in some cases they’re the same. The industrial espionage and organized attacks from different nation-states is a commonality.
One of the big struggles, and an interesting developing thing, is that a lot of law enforcement is really trying to figure out how they can keep their capability to spy on the “bad guys.” That potentially puts government and the private sector at odds — individuals want to keep their stuff private and personal.
What types of security skills do you see non-security IT people needing?
First would be a better understanding of social engineering and situational awareness — which every employee needs to have, regardless of their function. Don’t open up that attachment that came from someone you didn’t know about. Don’t click on a link that came in an email from your bank if they say there’s a problem with your account. Make sure that you are aware of who is listening in when you’re having a conversation in public setting. And look out for that “free public Wi-Fi” that seems too good to be true.
Beyond that, it really depends on where you are inside the IT arena. If you’re on the operations side, it helps to have a good of understanding of things like security baselines. A lot of what security does for folks on the operations side is make it so they don’t have to deal with as many problems. Security helps to lock down things and ensure there aren’t as many operational issues.
If you’re more on the development side, make sure that you design with security in mind. There are a lot of bad patterns that we really can avoid. You hear a bunch of things like cross-site scripting and SQL injection on the application side. Really, from the ground up, you need to make sure that you’re following some good patterns. Security needs to be designed and built in, just like your functional requirements.
What are the top three areas that CISOs or heads of security should be looking at right now?
- Application security is one component. You have to make sure that security is getting involved in the applications that you’re developing. And you should be looking at your vendors, to make sure they’re getting their applications security tested.
- Second is definitely infrastructure. CISOs need to make sure that what they’re putting in place is appropriate, that it enables their business, and really adapts to it. We talked earlier about the idea of adaptive security. CISOs need to be able to put infrastructure in place that can survive the changes in the environments that will inevitably come — whether they have a data center, or they’re in the cloud.
- The last, and perhaps most important one, is people. The security is only as good as all the people that are involved with it. And CISOs definitely need to make sure that everyone knows they have a role in security in their company.
Originally published at www.illumio.com.