In-brief: Despite the benefits of the DevOps paradigm and application virtualization in the software product lifecycle, security professionals believe that, in combination with cloud computing, the two methods increase the complexity of the corporate network and make it more difficult to defend, the cyber security assurance report from Tenable Network Security outlines.
A wave of change in the way technology is deployed and consumed is washing over organizations in the private and public sector, creating fantastic new opportunities and driving down costs. But that same wave is also making things topsy-turvy for information security professionals, according to a new survey released by the firm Tenable Network Security.
The survey of 700 cybersecurity professionals found that they have little confidence in their organizations’ ability to assess risk, as changes wrought by developments like the DevOps movement, application containerization, mobility and the cloud combine to obscure IT risk.
The poll was conducted by Tenable and involved professionals in nine countries: the US, Canada, India, Singapore, Australia, Japan, UK, France, and Germany. Respondents worked in one of 19 industries, including education, financial services, government, health care and retail. Among the conclusions: the embrace of DevOps methodologies is making information security staff nervous.
Although it is not easy to provide a standard definition of DevOps, the methodology is supposed to weave into the development process the skills necessary for creating a product that is robust and reliable both functionally and from a security perspective. The model also relies on automation for scaling, efficiency and reduced time to release. If implemented correctly, the advantages of the DevOps approach are significant. Bank of America, for example, claimed a six-fold reduction in production defects and 25 times faster releases, while Ticketmaster boasted a 90% cut in mean time to repair (MTTR). From a security perspective, the correct method is to integrate security at an early stage of design and implementation in order to improve the code that gets committed.
Software application containerization, too, is being driven by the need for greater efficiency and lower costs. Containerization is also considered to have security benefits, as each container isolates applications from each other and from the underlying infrastructure. However, the security professionals surveyed by Tenable identified containerization platforms and DevOps environments as the infrastructure components that are the most difficult to assess for cybersecurity risk. Both received a failing global grade from survey respondents (52% and 57%, respectively).
“Complicated by the constantly evolving and multiplying threat landscape — cited for the second year in a row as the number one challenge for security pros — this heightened technological complexity is creating even more opportunity for attackers to exploit gaps in security coverage, leaving all organizations vulnerable to compromise and breach, regardless of the size of their security investments,” the report notes.
Those weren’t the only technologies to receive a failing grade. Mobile devices were identified as a threat to company infrastructure: survey respondents assigned them a risk assessment score of 57% and also said they contributed to a lack of network visibility. Employee-friendly “bring-your-own-device” (BYOD) policies were not seen as a salvation. The IT security pros considered visibility into both the mobile device owners and the devices themselves an important prerequisite for maintaining good network visibility.
Compared with previous surveys on the same topic, information security pros showed lower confidence when asked about the security of web applications. Participants gave web applications a grade of “60” out of 100, compared with 78 out of 100 last year. “The ability to access these services online and from mobile phones puts them right at users’ fingertips, but also creates new security challenges,” the report from Tenable explains.
The security of other key components of enterprise networks fared about the same. Cloud environments received a grade of 60% out of 100%. The security of physical servers received a grade of 64% out of 100, while the security of virtual servers was only slightly better: 65% out of 100%. Desktop and laptop PCs, network infrastructure and network perimeter security were all rated in the low to mid-60s, suggesting that discontent with the state of enterprise IT security isn’t concentrated on any one technology.
Culture played a part, not surprisingly, as grades tended to fluctuate by country. Germany and Japan, for example, issued the toughest self-assessments and the lowest risk assessment scores. Germany’s Risk Assessment score dropped by 25 points to 44% – a solid F – while German professionals’ confidence in security assurance ticked up 5 points to 79%. Still, the overall score for security was a 62% (D-), Tenable said.
Information security pros in Japan were pessimistic as well, assigning themselves the lowest Security Assurance score by a full eight points: 52% out of 100% – another F and 27 points off the global average. Respondents from India, the U.S., Singapore, France and Canada tended to be sunnier, with average grades in the high 60s to low 70s.
Looking at cyber risk by industry, health care, financial services, government and manufacturing all received failing grades (54% for health care and 59% for the other three industries). The report also provides scores for the security assurance index, which measures confidence in the ability to deal with threats through investment in the security infrastructure and commitment from the executive level and the board.
Information security professionals expressed slightly more trust in measuring the effectiveness of the security layers implemented (83%) and in the involvement of senior managers and the board in improving the defense mechanisms (77%). Communication of the risks involved suffered a 3 point drop to 80% this year, but that is still a good score. The lowest score was recorded for aggregating risk intelligence (73%), a newly introduced gauge that might be seen as a warning sign for the growing security threat intelligence industry. Information security pros were also wary of their ability to monitor network risks continuously and to align security with the business. Both received a confidence score of 79% out of 100%.
According to the report, those surveyed showed good morale about their organization’s capacity to protect itself from cyber-attacks, with 43% of respondents reporting that they felt “somewhat more optimistic” and 22% declaring a “significant level of optimism.” This despite citing closely ranked daily challenges they have to face, like an “overwhelming cyber threat environment,” “low security awareness among employees,” “lack of network visibility (shadow IT, BYOD),” insufficient staff and budget, and a lack of effective security tools and reporting.
Indeed, the overall outlook of the report was not encouraging, Tenable notes.
“The situation appears dire as the world enters 2017, with data reflecting an overall decline in global cyber readiness fueled by a pronounced inability to assess and mitigate cyber risks for the new and evolving IT landscape,” the report notes. “It is more critical now than ever before that businesses and government organizations everywhere not only understand the threats aligned against them, but that they also possess a realistic assessment of their own cybersecurity strengths and weaknesses.”