The relationship between security and agility in IT business is quite complicated today. On one hand, traditional ITOps tend to favor more rigid approaches that guarantee safer and more secure environments – which is particularly important for some organizations that need to guarantee data security and privacy, such as banks.
On the other hand, we have the lean and agile approaches favored by DevOps, which focus on flexibility and speed to deliver quicker performance and more customer-oriented services. Both worlds have their pros and cons, and companies must usually choose the former or the latter.
Today, however, some companies claim that they can combine these two approaches without needing to compromise. It’s time to have a look at these two methods, their strengths, weaknesses and historical uses, and the newer approaches that (allegedly) grant the best of both worlds without renouncing anything.
The Democratization of IT – A Complex Topic
The almost complete digitalization of our society has transformed the way we think about and approach IT security in the workplace. In the last decade, ITOps teams built much of traditional enterprise security policy on monolithic legacy networks – true fortresses whose access points could be monitored and isolated whenever a breach was detected.
However, as the word “monolithic” already suggests, the agility of these systems was roughly comparable to a slab of rock.
Today, we’re all connected. Apps like Dropbox, Trello, SmartSheet, Slack, Skype, and many others are part of our everyday lives far beyond their “office” use. Perfectly integrated with our personal smart devices, these tools have made our lives so much simpler, as they allow us to coordinate teams, communicate with colleagues, and manage our workload easily, efficiently, and, more importantly, quickly.
In a nutshell, they brought us a new level of agility that forever changed our work environment. Things are rarely so simple, however, and with new powers, new problems started arising.
Together with all the new security issues brought by the introduction of remote working and the shift toward distributed microservices, the use of these new apps and BYOD (Bring Your Own Device) eventually opened up a new range of vulnerabilities, security holes, and opportunities to breach the system.
What’s the point of securing all entry points of a bullet-proof database when all that critical information can simply be accessed by stealing the password of one of the unsecured devices used by that forgetful employee? When the infrastructure’s security is not controlled by a specialized team anymore, it’s like erecting 200-foot-tall stone walls to protect a city from bandits, and then stashing all the gold on the outside.
If a company starts mandating the use of standard-issue equipment, internal apps and (best-case scenario) less porous interfaces, such as Tor instead of Chrome installed on your iPhone, well, here you go. You just killed agility and defeated the point.
Don’t Keep Your Head in the Clouds
The shift toward public clouds represented a revolutionary evolution of IT infrastructures that provided many organizations with unexpected levels of scalability. Workloads could be migrated on demand, and capital expenditures could finally be reduced by minimizing the investments required to upgrade the infrastructures.
Once again, the newly acquired agility inflicted a mortal wound on all past security strategies. The same transformation that provided enterprises with the much-needed flexibility required by the ever-changing customer market literally disintegrated the traditional Applications + Infrastructure formula that allowed for tightly secured systems.
The whole concept of “agility” quickly became the alpha and omega of all vulnerabilities as governance, security, and reliability were all thrown out of the window – at least in the beginning. Humans are really smart, after all, and found a way to bridge the gap. New solutions have been proposed to keep up with the times and balance security and agility together well enough.
Using AI and ML to Protect Cloud-Based Databases
One of the latest trends of 2019 can be summarized in one sentence: “if there’s a problem that could not be solved, you should probably use AI.” At least for the issues that come with the territory of distributed environments and cloud-based databases, AI-based technologies have already come to the rescue.
A solid use case is the one brought forward by Imperva, a company that employs a broad range of technologies, such as behavior analytics, machine learning, and peer group analysis, to ensure tight security is maintained even in the most agile cloud or platform as a service (PaaS) environments, such as Azure SQL. Their Data Activity Monitoring (DAM) system runs continuous data analysis activities across all networks. All data is audited in real time so that threats are identified proactively, vulnerabilities are mapped and assessed, and sensitive data is masked using multiple transformation techniques.
IT Operations Analytics (ITOA) – The evolution of ITOps
Another solution devised by ITOps departments to keep up with the pace was to “evolve” themselves (like Pokémon) into a new, more agile form by exploiting IT Operations Analytics (ITOA). Drawing from the massive amounts of logs extracted from day-to-day IT operations, ITOA is able to provide enterprises with a new layer of agility by digesting all this information to produce precious data-driven business insights.
ITOA uses automation to parse through centralized logs gathered from live monitoring by infrastructure and software agents. Once digested, this data can be used to improve the efficiency and security of an organization’s infrastructure proactively. ITOA provides a holistic view of a system that can be used to mitigate damage, speed up root cause analysis, and integrate all aspects of IT operations.
Isolating Secure Ecosystems
Another approach that seemingly promises to strike a good balance between security and agility is the so-called dynamic isolation, a change spearheaded by companies such as Apprenda and Appdome. The idea is to create secure environments where the most sensitive data is handled in isolation (think about HIPAA, PII, ITAR, etc.).
Everything else is run freely in much more flexible private or public clouds to allow a serene coexistence of agile environments and highly secure ones, since they can swap from one to the other in a minute. Mobile Application Management (MAM) and Mobile Device Management (MDM) allow an organization to exert full control over the devices used within it, locking all data within the apps.
Integrated solutions provide the necessary degree of agility by allowing dynamically isolated environments where Android and iOS apps use only the secure browsers, emails, and apps from each MDM-MAM vendor.
Things are changing at incredible speed. Just a couple of years ago we were struggling with rigid infrastructures that lacked the necessary agility to comply with modern customer standards. Then we had to find the correct balance between security and agility. Now we keep finding so many solutions that this conundrum has probably already become obsolete in 2019.