Having Your Cybersecurity And Eating It Too

The Catch 22

The very same year Marc Andreessen famously said that software was eating the world, the Chief Information Officer of the United States was announcing a major Cloud First goal. That was 2011. Five years later, as both the private and public sectors continue to adopt cloud-based software services, we’re interested in this question: how in the world do you eat cloud software?

Cybersecurity today seems to have an unfortunate Catch-22. You want to test (and re-test) your live cloud services to see if they are really secure, but testing too aggressively or frequently will disrupt, degrade, or even leave those services more vulnerable. Keeping your live services up and running is difficult: your aggressive scanning and testing is essentially eating those services — to see if they are good or bad — at the same time you are trying to keep them all in one piece.

Splitting In Half

As the title of this blog hints, running a live system and fully testing that same live system is exactly like trying to have your cybersecurity cake and eat it too — pick one, not both, or more realistically pick half of each. We’ve even heard penetration testing on a live network described as “running fast while shooting at your own feet to see if your boots are really tough enough for the journey.” (Please do not try this at home!)

boots-cyber

It’s no secret that classical vulnerability and penetration testing is filled with wise caution, legal landmines and detailed guidance to mitigate the impact on real operations and businesses. At least one way to try to maneuver around this Catch-22 requires a separate non-production environment of equivalent hardware and software. It’s not easy to keep that non-production environment up-to-date and it demands a lot of constant investment of time and money. The unfortunate reality is that such environments quickly diverge from real operational systems, making them less meaningful. It’s often double the cost for just a fraction of real cyber security benefit.

As businesses rapidly accelerate their dependence on cloud services and the federal government puts sensitive data into the cloud, achieving more secure cloud-based services is critically important. We’re all interdependent and have a shared stake in the outcome.

With a lot on the line there is no shortage of expectations – from financial sector penetration testing requirements to a new military effort calling for more proactive testing of critical operational systems. And we can’t help but mention the groundbreaking Cyber Grand Challenge using artificial intelligence based techniques.

Government Embracing The Cloud

Likewise, as security concerns cause the federal Government to step more firmly into the cloud — there’s even a cloud.gov these days after all — the government’s own penetration testing penetration has also anticipated this seeming Catch-22 in cybersecurity. The government expressly allows “testing in a non-production environment” to “limit the impact on business operations.” Then, in the same breath, they wisely require that the non-production environment be “identical to the production environment.” And to reinforce the point they even use italics, noting that the “environments must be exactly same” and not just “almost” the same. We couldn’t agree more!

The Clone

Our answer, then, to the original question — how in the world do you eat cloud software? Leverage the inherent ability of any cloud environment to generate and operate exact (cloned) image of the live systems. Then test those exact images. It’s a bit like interacting with a hologram, except in the cyber world the hologram behaves and reacts exactly like the real thing — because it is as real as the original due to the inherent design of the cloud’s serviced-based architecture. Once you’ve set up the parameters for the cloud service, it makes little sense to ask Amazon, for example, which particular servers in which racks you are running on, because it doesn’t make one bit of difference operationally.

As the cloned versions are setup, the live cloud services keep going while the cloned version is taking the heat. Even if during testing the cloned version goes down in flames, so to speak, that’s ok for two reasons. First, the live operational system is still running fine — keeping your customers and users happy — and, second, you have proactively uncovered an issue before it could have grown into an even larger, real one.

Meanwhile, you can just restart another cloned image and get right back to testing — no need to clean up or try to rewind time. And this approach works across multiple cloud platforms, whether hosted or on premises or a mix, so you can choose your cloud provider — or more likely choose a few of them. Furthermore, your existing investment in scanning, testing, and security tools can also be applied to the exact images.

We agree there’s really no silver bullet in cybersecurity, as it clearly takes a diverse range of tools and techniques to keep a system secure, but a service-based cloud infrastructure really does have one particular silver lining: by scanning and testing fully cloned images, you can have your cybersecurity and really eat it too.

By Ernesto DiGiambattista, Co-Founder and CEO, Cybric

ernesto


Prior to founding Cybric, Ernesto DiGiambattista was the Chief Technology & Security Officer for Sentinel Benefits & Financial Group, where he was responsible for transforming a legacy technology team into a technology innovation service group.

In addition, Ernesto was a senior member of Bank of America’s Information Security & Resiliency Group and Corporate Audit organizations. Further, Ernesto has been a trusted advisor on private and public cybersecurity policy to members of the U.S. Senate and the U.S. House of Representatives.

In June 2015, Ernesto was recognized by the Boston Business Journal as a 2015 Finalist for Boston CIO of the Year.

Mark Barrenechea

The Digital Era Moves Into The Information Era

We have entered the Information Era Building on the groundwork of automation, connectivity and computing power that defined digital, the Information Era is characterized by our unprecedented ability to capture, store and make sense of ...
Anita Raj

Post-COVID: What decisions are leaders taking about digital transformation in 2021?

Digital transformation in 2021 If organizations were once only talking about digital transformation (DX), in 2020, it was all about translating that talk into some real action. When the pandemic hit and businesses were disrupted, ...
Suraj Gupta

The Rise of the “Ecosystem of Ecosystems”

Ecosystems Emergence Even during these uncertain times, once fierce competitors are now collaborating and co-existing to not only survive, but thrive. Salesforce is partnering with Microsoft and AWS for better customer success. Apple is partnering ...
12 Cybersecurity CEOs On What Each Learned Leading During The Pandemic

12 Cybersecurity CEOs On What Each Learned Leading During The Pandemic

Cybersecurity CEOs’ lessons learned from navigating the pandemic provide a valuable framework for leading and growing a business through anxious, uncertain times. How each cybersecurity CEO responds to the challenges of keeping employees safe, customers ...
David Friend

Cloud 2.0 will not be Ushered in by AWS or other Cloud Giants

Cloud 2.0 Trends Amazon, Google, and Microsoft are all pursuing similar business strategies: they want it all. ‘It,’ in this case, means the entire IT infrastructure in their cloud. Furthermore, they want you to buy ...
Patrick Joggerst

Payments Companies Will Always See ROI on Embedded Real Time Communications

ROI on Embedded Real Time Communications Without secure, real time communications applications, the financial services industry could literally come to a standstill. While transactions are driven by data, the human voice and human messaging continues ...