We Asked our Engineering Experts Your Security Questions
Posted January 5, 2023 by Sayers
Security gaps, native security in the cloud, multi-cloud deployments and other hot topics drew an internal audience of Sayers employees to a recent Q&A panel discussion featuring our own engineering experts.
Here we’ve captured highlights to help as you consider your own organization’s security posture and journey to the cloud.
What Is The Biggest Deficiency Within Most Organizations’ Security Programs?
The weakest link in your company’s cybersecurity could be an inadequate tool, a faulty process, the slow churn of bureaucracy, or counter-productive internal politics.
Or, it could be something even more basic. Chris Willis, VP of Cybersecurity and Network Engineering at Sayers, says security fundamentals are often where organizations make a misstep.
“Organizations are not following simple foundational things like the Center for Internet Security (CIS) Critical Security Controls,” Willis says. “Top of the CIS list is asset management (enterprise assets and software assets). Axonius solves that problem, but it’s amazing how many clients we go into that don’t know how many assets they have deployed. It’s the simple things not being done, and these things are easily attainable with simple security assessments.”
“By doing cyber defense framework assessments, building up heat maps, and utilizing the NIST cybersecurity framework, we can identify where there’s an overlap of security tools and where the gaps or deficiencies are. An assessment for one of our clients revealed a 30% tool overlap. That’s a lot of money they were spending that they can instead save, and then put that savings into the gaps and deficiencies.”
Ken Wisniewski, Sayers Senior Security Architect, sees the biggest deficiency as a misunderstanding of security’s role.
“Often it’s a lack of support and collaboration with the security organization within the business,” says Wisniewski. “Security is too often seen as a roadblock causing delay in a rollout or business process. Security instead needs to have buy-in, collaboration, and support. When security is seen as an enabler for the business to continue what they’re doing in a secure and efficient manner, then you’re going to have much more success. But if it’s seen as a roadblock or cost center, then you’re not going to achieve the outcomes you want.”
In The Journey To Cloud, Are Native Security Offerings Enough?
Cloud service providers offer an array of native security tools and services such as those available from Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Examples include application firewalls, secure storage for cryptographic keys and passwords, and identity management for your apps.
“Microsoft has come a long way and offers very competitive offerings in the security information and event management (SIEM), endpoint security, and cloud security space, addressing areas such as workload protection and posture management,” says Wisniewski. “Where CSPs have struggled is in the ease of use for those technologies.”
According to Willis, “Every CSP has some deficiencies. We have to augment them where it makes sense, whether it’s security for endpoints, email, or cloud. Go ahead and use the native controls and functionality available to you, but you’ll need to augment it with point solutions or other technologies that are really focused on that feature.”
Mark McCully, Senior Solutions Architect at Sayers, sees security needs continuing to evolve as organizations take a multi-cloud approach. “A company might be in Azure now, but in three years they might be multi-cloud,” he says. “Instead of a native tool that’s tied to just one CSP, a third-party solution could do it all.”
Will Multi-Cloud Deployments Become The Norm?
While some organizations are going all-in with a single cloud service provider such as AWS or Microsoft Azure, others are taking a multi-cloud approach and spreading their workloads among multiple public CSPs.
Which path to take depends on several factors including the company’s maturity level, types of workloads, automation needs, business objectives, and resources.
“For some organizations, their corporate standard may be Azure, but they’ll have a business unit somewhere that has a little pocket out in AWS or GCP,” says Wisniewski. “But to get to that Shangri-La vision of multi-cloud, you have to have that skillset across all those stacks in all of those clouds. Plus, there are a lot of differences between the cloud providers with respect to security and networking.”
With industry analysts such as Gartner talking extensively about multi-cloud, Mark McCully expects a multi-cloud wave at some point.
“It depends on the company’s maturity level, and their path to the cloud,” McCully says. “Eventually, most companies are going to want to container and automate their infrastructure and make it composable.”
Trying to decide which workload should go into which cloud? An experienced technology partner can provide the guidance you need.
If You Could Have Only One Or Two Security Controls, Which Would You Choose?
One or two security controls in your organization’s environment aren’t enough for today’s cybersecurity needs. But we asked these Sayers engineering experts which ones they view as their top picks.
Willis: “Definitely identity (management and access control) will be at the top, especially as you move to cloud. There’s obviously a lot more you have to do, but that’s where I would start.”
McCully: “I’d say perimeter security – a good firewall. And I would agree with identity, so those would be my top two.”
Wisniewski: “I would probably go with patching and multi-factor authentication.”