Rethinking Trust in Cloud Security
From cloud security providers to open source, trust has become a staple from which an organization’s security is built. But with the rise of cloud native technologies, the new ways of building applications are challenging the traditional approaches to security. The changing cloud native landscape is requiring broader security coverage across the technology stack and more contextual awareness of the environment. So how should DevOps and InfoSec teams across commercial businesses and governments rethink their security approach?
In this episode of The New Stack Makers podcast, Tom Bossert, president of Trinity Cyber (and former Homeland Security Advisor to two Presidents); Patrick Hylant, client executive of VMware; and Chenxi Wang, managing general partner, Rain Capital discuss how businesses and the U.S. government can adapt to the evolving threat landscape, including new initiatives and lessons that can be applied in this high-risk environment.
As IT environments are modernized, challenges around cybersecurity and new technologies surface, but what’s changing this time is “understanding where software and hardware came from, and who’s touched it along the path. That just hasn’t existed for a long time, especially in open source,” said Douglas.
“Open source is not bad. In fact, open source is good. And sometimes it gets a bad name,” said Bossert. But when it comes to cybersecurity, the issue is “Most operators need better tools to gain more contextual visibility,” Bossert added. Getting them through open source is likely to be faster than the traditional investment, he said.
“If you don’t leverage already developed open-source libraries, you’re not going to compete,” said Wang. “Open source is proliferating. We need to know where they are; we need to know which software uses which library. And SBOM is one method to get there,” Wang added.
But as open source becomes the mainstream, the line of trust between partners and adversaries will shift. “We’re going to start seeing the fracturing along geopolitical lines creep into the fracturing of the internet. And those rules amongst different trust circles are going to create problems for this model,” said Hylant.
Despite the Biden Administration’s cybersecurity executive order to improve the software supply chain, “We’re not seeing as many requirements in the industry as I thought we ought to be doing on SBOMs. Only around 15% of software providers have heard of it,” said Wang. “But even if all my products come with SBOM — I don’t know where they are. I don’t know how to manage or read them,” Wang added.
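The two SBOM points raised above, knowing which software uses which library and actually being able to read the documents a vendor ships, can be illustrated with a small inventory tool. The example below is added here and is not code from the podcast or from any of the speakers' companies; it parses CycloneDX-style JSON SBOMs (the `bomFormat`, `metadata.component` and `components` fields are real CycloneDX keys, but the two SBOM documents, product names and library names are constructed sample data) and builds a reverse index from each library to the products that contain it.

```python
import json
from collections import defaultdict

# Constructed sample SBOMs in CycloneDX JSON layout: one per shipped product.
# In practice these would be the files a supplier delivers alongside a release.
SAMPLE_SBOMS = [
    json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": "billing-service", "version": "2.3.0"}},
        "components": [
            {"type": "library", "name": "example-json-parser", "version": "1.8.2"},
            {"type": "library", "name": "example-http-client", "version": "4.1.0"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": "reporting-ui", "version": "0.9.1"}},
        "components": [
            {"type": "library", "name": "example-json-parser", "version": "1.8.2"},
            {"type": "library", "name": "example-template-engine", "version": "3.0.0"},
        ],
    }),
]


def load_sbom(text):
    """Parse one CycloneDX JSON document and return (product, [(lib, version), ...]).

    Rejects documents that are not CycloneDX or lack the top-level product
    entry, so a malformed or unexpected file fails loudly instead of silently
    contributing nothing to the inventory.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    product = doc["metadata"]["component"]
    product_id = f'{product["name"]}@{product["version"]}'
    libs = [
        (c["name"], c.get("version", "unknown"))
        for c in doc.get("components", [])
        if c.get("type") == "library"
    ]
    return product_id, libs


def build_library_index(sbom_texts):
    """Map each (library, version) to the set of products that ship it."""
    index = defaultdict(set)
    for text in sbom_texts:
        product_id, libs = load_sbom(text)
        for lib in libs:
            index[lib].add(product_id)
    return index


def find_consumers(index, library_name):
    """Return a sorted list of products that include any version of library_name.

    This is the question an operator asks when a library is reported as
    vulnerable: which of our shipped products are affected?
    """
    consumers = set()
    for (name, _version), products in index.items():
        if name == library_name:
            consumers |= products
    return sorted(consumers)


if __name__ == "__main__":
    idx = build_library_index(SAMPLE_SBOMS)
    for (name, version), products in sorted(idx.items()):
        print(f"{name} {version}: {', '.join(sorted(products))}")
    print("uses example-json-parser:", find_consumers(idx, "example-json-parser"))
```

Running it prints one line per library with the products that contain it; the reverse index is what turns a pile of vendor SBOMs into an answer to "is any of our software affected?" when a library advisory lands.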
Ultimately, while security strategy across cloud native environments is shifting with geopolitical risks, “We need to incentivize some risk-taking in the name of innovation,” said Bossert.