Government guidance is helping CISOs impose controls on DevOps' cloud flexibility

Security staff must engage the business to bake security into cloud architectures, expert warns

The Australian government's progressive attitude towards cybersecurity policy has helped it join financial-services giants at the forefront of a booming information-security industry, the president of network-scanning giant Tenable Network Security has said, noting that the company's Australian operations continue to lead its Asia-Pacific market.

Australia is “our strongest market by far”, president and chief operating officer Jack Huffard recently told CSO Australia, with nearly a quarter of the company's Asia-Pacific staff based here and government and financial-services companies proving to be “pretty progressive” in formalising policy and technological protections against cybersecurity intrusions.

A key part of those protections is tightening controls over the DevOps capabilities that now allow enterprise environments to be grown and shrunk with a few clicks. This capability, Huffard said, needs to be constrained both with policies around the deployment and management of new resources, and with the ability to extend monitoring into virtualised workloads both on premises and in the cloud. “We're doing a lot of significant R&D to invest in the ability to secure the DevOps world,” Huffard said.

“We want to help CISOs understand that as they move their organisations to the cloud, they're going to have the ability to make sure that containers, or other things produced in applications, are released in a secure way.” The need for such control is escalating as architectures built around microsegmentation significantly increase organisations' investment in virtualisation technology – which must be tempered with readily manageable and scalable controls to maintain acceptable security levels across rapidly changing enterprise environments.

The key to ensuring this capability is in place is integrating security controls into virtual elements as they are created: “The DevOps world is pushing fast,” Huffard said. “They can create an app and push it to AWS and there's no other path it has to go through.” That flexibility empowers DevOps to rapidly produce and deploy “amazing” capabilities, but it also puts a new burden on security staff: “That's a tough place to be if you're a security guy,” he said.

Security “is not about pausing that [innovation]; it's just about making the development of the applications go through a process that has secure configurations attached to it.” Because this process is being positioned as a fundamental part of development in the cloud era – a security mandate is core to the Digital Transformation Office's (DTO's) Digital Service Standard – government leadership in this area has become a catalyst for research and private-sector thinking about how to formally execute 'secure by design' mandates.

“Government are coming around with these controls that are really well thought out,” Huffard said, “and these are being adopted by enterprises as a strategic way to think about operating their networks.”

“Collaboration between research organisations in the governments about what are the right controls to have – and then having senior leadership talking about having something to measure how good and bad they are – is helping people get their arms around the situation.”

Failing to get a grip on the situation will leave businesses' computing infrastructure expanding in all directions without any mechanism to see what is going on in the new components. And that, Huffard warned, is where cracks quickly form. “Cloud networks are giving so much new capability to businesses that we want to make sure they can make the transformation as seamless as possible,” Huffard said. “Hackers live in the space between when you patch, scan, and do anything – which is why we are focused on visibility. We've brought a lot of technology to bear to remove those gaps and make your security posture more real-time. If you can't see it, you can't secure it.”

Tenable has long leaned on government guidance to help keep its products business-relevant, for example building the often-discussed Top Four Australian Signals Directorate (ASD) strategies into its SecurityCenter Continuous View Dashboard. “The cloud is coming in with more velocity than most people think,” Huffard said. “In the last six months our conversations [with customers] have really picked up. At the end of the day, we want CISOs to be able to go to the CEO and say 'yes, we are secure – not only on premises but also in the cloud'.”

“That's going to take some really hard work, and a lot of new technologies and processes; it takes a lot of different types of sensors on the network to give you a true sense of your entire enterprise. But we have innovated around the continuous collection of data, and we will do the same thing for the cloud world.”
