The Threat Landscape is Transforming: Understanding the Importance of Business-Critical App
The Cybersecurity Midwest Summit 2022, hosted by CDO Magazine and ComSpark, stands as a lighthouse in the cybersecurity domain. This breakout session, moderated by Shane MacDonald, SVP of Global Sales Engineering at Onapsis, features a discussion about the need to prioritize business-critical applications and tools while conforming to security standards in light of the changing threat landscape.
Offering their insights during “The Threat Landscape Is Transforming: Understanding the Importance of Business-Critical Apps” are the following panelists:
- Curtis Parker Field CTO, Onapsis
- Jason Allen, Director of Special Projects, Northern Kentucky University
- David Sims, Staff Vice President, Security Technology Services, Elevance Health
- Jason Kinder, Senior Director of Information Security
Sims begins the discussion by stating the need to understand the application landscape to recognize organizational assets. In a virtualized organization, apart from the computers or networking equipment, domain-naming services and cloud infrastructure are assets as well, he adds.
“The threat landscape is evolving all the time,” Parker notes. So, from a cyber perspective, codes developed within business-critical applications are inventory assets that require monitoring.
Continuing, Allen mentions data as an asset and addresses the ongoing challenge of knowing the whereabouts and nature of data.
Regarding automation from a security perspective, Sims points out that “it is possible to automate yourself out of compliance or automate yourself into trouble.” He believes it is difficult for compliant workloads to always stay in a compliant environment.
Additionally, Kinder says automation must have a learning curve and burn-in period.
Next, Allen highlights three challenges associated with the SAAS marketplace — it changes IT, business, and vendor relationships, upsets the traditional relationship model, and puts IT in a fluid role.
Parker comments that similar to leveraging SAAS applications, there are critical vulnerabilities associated with internet-facing components of SAP operating on-premise.
Allen urges IT and information security practitioners to move beyond their comfort zone. He says, “We have our business partners, trying to solve problems and do the good business of our organizations, and we need to stretch our roles to make sure that we understand those processes and we can be the safety gear for those gaps.”
Sims emphasizes the importance of collaboration in that regard. He terms the ease of getting a SAAS application in-house as “the rise of shadow IT.” During situational crises, the team discusses the SAAS side of things on the table in alignment with the business, privacy, and compliance functions, he explains.
Allen agrees that policies and processes governing the acquisition and use of SAAS applications must be crafted with policy and governance groups in mind.
The advent of the cloud has changed how an organization operates, says Sims. Consequently, there is a process of uplifting the existing workforce considering the cloud demands, he shares.
Continuing, Sim points out that organizations can demonstrate the value of their existing security programs and then prioritize understanding the SAAS platform to understand compliance.
He says, “My organization is comprised of many people we have recruited from inside the organization for their business expertise, and we have helped to transfer that information security knowledge to them to help us better protect our organization.”
Next, Parker emphasizes the importance of finding the right partner or system integrator. According to the speakers, different partners bring different expertise to the table. They note that the right partners help by securely following compliance while defining and aligning the governance standards to the organizational business roadmap.
In Allen's opinion, small organizations should strive to build good relationships and implement sustainable practices. He notes that it will be easier for such organizations to maintain their information security programs if they can keep up with governance models and compliance.
According to the speakers, business application user IDs should differ from their network IDs. Sims says consolidating IDs is preferred. Kinder says it is crucial to close the gap between some applications and the identity provider as much as possible.
Allen asserts that identity federation is intrinsic. He says, “If you can consolidate that identity into one identity broker — say, Active directory or any other directory service — it makes managing that individual identity that much easier.”
Pinpointing success tools, Sims mentions the CMDB platform. He says the trick lies in identifying the applications and the underlying infrastructure, making the Domain Name Service (DNS) fundamental.
“The dynamic inventory will be radically different from what a static inventory will look like on any given day,” Sims adds.
Kinder recommends using a web proxy to track what is running on the internet, and Allen urges organizations to use their own tools first. Parker also encourages organizations to invest in the right tools.
Allen suggests that the next generation of security practitioners surround themselves with people who creatively solve problems. Sims emphasizes that curiosity is a desirable skill apart from certifications. Parker says the threat landscape is better understood with an analytical bent. Kinder adds that being open to absorbing new information is a lucrative trait for future security professionals.