Raygun sponsored this podcast.
We want to move fast; that is what agile software development and DevOps are all about. But how do we move fast without sacrificing security? Are we mistaking availability for security? This tension, and the challenge of security management in general, has only become more severe as enterprises enable developers to release daily, and as distributed systems and sophisticated attacks make everything more complicated.
Reuven Harrison, CTO and co-founder of Tufin Technologies, talks on The New Stack Makers podcast about what 16 years in enterprise security policy management looks like.
Harrison said security management has always begun with identifying the business processes that enable efficient and effective security. What has changed is that there are now thousands of security vendors and hundreds of different tools to address cyber attacks. That is why he argues automation is key, yet security is still lagging in this area.
“What happened over time is that IT started to get automated, and later on, this whole concept of DevOps evolved and things got even more automated in the cloud. Security kind of stayed behind. It was still manual and still is to a very large extent,” Harrison said.
But if you are doing security manually, with someone looking at each change, he continued, you are either slowing down business goals or compromising on security. Harrison argues automation closes this risk gap.
In the current state of security policy management, tooling scans all the policies, both on-premise and in the hybrid cloud, and visualizes the connections between them. The next generation embeds security automation into the continuous integration and continuous delivery (CI/CD) pipeline. In the manner of infrastructure as code, this "policy as code" approach generates policies automatically within the pipeline; the generated policy is then reviewed manually, or eventually automatically. Because CI/CD has you releasing multiple times a day, you would generate a policy for each release, following the traditional "no more, no less" rule of granting access to precisely what is necessary.
Harrison goes on to explain how Kubernetes is a great way to control the full stack end to end with isolated, independent environments, each with its own namespace and instance. With Kubernetes it is easy to create, run, and automate tests in the CI/CD pipeline, and then include and visualize security policies alongside them.
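One way to make the "policy as code" step concrete, as an added example that is not from the podcast, Tufin, or The New Stack: a CI job reads each service's declared callers from a per-release manifest, emits a namespace-wide default-deny Kubernetes NetworkPolicy plus one explicit allow rule per service (no more, no less), and then diffs the generated policy set against the previous release so the reviewer only has to sign off on newly opened flows. The namespace, service names, ports and the manifest itself are constructed for illustration.

```python
"""Added example: per-release least-privilege NetworkPolicy generation plus a
review diff against the previous release. Services, ports and the manifest are
constructed for illustration and are not from the podcast or any product."""
import json

# Constructed release manifest. Each service declares exactly which callers it
# must accept traffic from, and on which port. Anything not listed is denied.
RELEASE_V2 = {
    "namespace": "shop",
    "services": {
        "web":      {"port": 8080, "allow_from": []},  # no in-cluster callers declared
        "orders":   {"port": 9000, "allow_from": ["web"]},
        "payments": {"port": 9443, "allow_from": ["orders"]},
        "db":       {"port": 5432, "allow_from": ["orders", "payments"]},
    },
}


def default_deny(namespace):
    """Namespace-wide default deny: an empty podSelector matches every pod, and
    listing both policy types with no rules drops all ingress and egress."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-all", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    }


def allow_policy(namespace, svc, spec):
    """One ingress policy per service listing exactly its declared callers."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-{svc}-ingress", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": svc}},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{"podSelector": {"matchLabels": {"app": caller}}}
                         for caller in sorted(spec["allow_from"])],
                "ports": [{"protocol": "TCP", "port": spec["port"]}],
            }],
        },
    }


def generate_policies(manifest):
    """Default deny first, then explicit allows. A service with no declared
    callers gets no allow policy at all: an empty 'from' list in a NetworkPolicy
    would mean 'allow from anywhere', which is the opposite of what we want."""
    ns = manifest["namespace"]
    policies = [default_deny(ns)]
    for svc, spec in sorted(manifest["services"].items()):
        if spec["allow_from"]:
            policies.append(allow_policy(ns, svc, spec))
    return policies


def allowed_flows(policies):
    """Flatten a policy set into (caller, callee, port) tuples for diffing."""
    flows = set()
    for policy in policies:
        labels = policy["spec"]["podSelector"].get("matchLabels")
        if not labels:  # the default-deny policy opens nothing
            continue
        callee = labels["app"]
        for rule in policy["spec"].get("ingress", []):
            for peer in rule["from"]:
                caller = peer["podSelector"]["matchLabels"]["app"]
                for port in rule["ports"]:
                    flows.add((caller, callee, port["port"]))
    return flows


def review_diff(previous, current):
    """Flows opened or closed since the last release: the only thing the
    human (or, later, automated) review step needs to look at."""
    before, after = allowed_flows(previous), allowed_flows(current)
    return {"opened": sorted(after - before), "closed": sorted(before - after)}


if __name__ == "__main__":
    # Constructed previous release: payments did not yet talk to db.
    release_v1 = json.loads(json.dumps(RELEASE_V2))
    release_v1["services"]["db"]["allow_from"] = ["orders"]
    diff = review_diff(generate_policies(release_v1), generate_policies(RELEASE_V2))
    print(json.dumps(diff, indent=2))
```

In a pipeline the generated list would be serialized to YAML and applied with `kubectl apply`, while a non-empty `opened` list fails the job until someone approves it; the `closed` list matters just as much, since a flow that silently disappears is the "bigger blast radius" breakage Harrison describes.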
He says that in the old world we had to differentiate traffic to each app after the fact, but in the new one, traffic and security have to be mapped out ahead of time.
The next iteration will see people automating incident management. Harrison said an enforcement mode is already available in some Tufin products, but people usually choose to remain in learning mode, where policy violations raise alerts but are not automatically blocked. He says this is because the biggest fear is that if you lock everything down, something will break, and with a much bigger blast radius.
This is why there is a growing trend toward microsegmentation. Where trust used to be based on firewalls and the network location of the user, zero trust requires every request to access a network resource to be authenticated and authorized.
Harrison ends the conversation by talking about how service meshes, and Istio in particular, create an overlay network that sits between your microservices. Like an actual mesh material, it is transparent to developers, and it comes with tooling that makes it easy to map out what he calls the "sidecar architecture" and to provide performance monitoring and security, so everyone not only knows how traffic flows but also has visibility into what is causing a problem.
“At the end of the day, it’s just infrastructure providing services and applications, and you need to control who can talk to whom,” Harrison said.
In this edition:
2:16: What has to change in a company culture to then make those changes in a software policy, because I’m sure one reflects the other?
6:38: Exploring the power of automation.
9:42: How many companies are actually moving forward and doing this now?
13:12: Does it have the next step that if it’s not legitimate is it flagging to other people, is there incident response, or does it completely take down something that is flagged as going against the security policies?
16:15: So, in a way, the enforcement mode would be less permissive than a firewall?
21:59: What is one thing our listeners can do to help someone else get a leg up in the tech industry?