In this Help Net Security podcast, Marco Rottigni, Chief Technical Security Officer for Qualys across EMEA, talks about the importance of IT asset management within digital transformation processes. He illustrates why it’s crucially important to understand what you have, and how to build security in versus bolting it on.
Here’s a transcript of the podcast for your convenience.
Hello, my name is Marco Rottigni and I work for Qualys as a Chief Technical Security Officer for EMEA. I’m here today with Help Net Security for a podcast about the importance of IT asset management within digital transformation processes, and why this IT asset management is so crucially important to understand what you have, and how to build security in versus bolting it on. That is undoubtedly a more costly and dangerous process.
Digital transformation is actually an IT process, and it very often presents some distinctive traits, such as cloud adoption in private or public format, which again adds fog to the visibility of what you have across your digital landscape.
Enterprise on-premise data centers are still there and for a reason, but they got enriched with tiny little things called the Internet of Things, that may not be as monitorable and as controllable as other devices that we are more keen on, or we were more keen on.
Then there is enterprise mobility. That means that corporate-owned devices are allowing businesses to get in touch directly with customers. For example, I was recently in a phone shop and I was given a tablet and I was told to describe myself, profile myself on that tablet, to allow the people at the shop to provide a more fine-tuned service – which was great, but still I thought “wow, I am a person from outer space and now I am touching something that is directly connected with sensitive data from me and from other customers, which is extremely relevant for this company.” If we think about GDPR, how threatening this scenario could be, and then if we map GDPR to business, again how distant these two environments are.
Digital transformation also creates some challenges with respect to security. The biggest and foremost one, and that’s why IT asset management is so crucially important, is that organizations very often don’t know how many assets they have. They don’t know when these assets are running, they don’t know where these assets are running, and they don’t know how to consume data that may be relevant for security and non-security purposes. There are other challenges for security, for example, credential issues or authentication failures. But let’s concentrate now on those closer to the so-called discovery phase and visibility phase that are so crucially important.
I still remember a funny post that I saw on Twitter a few weeks ago with a CISO asking “how many Windows hosts do we have?” The first reply came from the antivirus guy, who said: “We have 7864 devices sharp.” Then the desktop management people came in and said: “No, it’s 6321.” Then the CMDB team said: “Look, we are the single source of truth and the number of devices is 4848 sharp.”
We’re not deviating by one or two devices, we are deviating by thousands of devices, which describes perfectly the concept of a non-existing single source of truth across organizations today, when it comes to how many devices I have, or manage, or own. And that creates the need for a visibility capability that is strengthened, boosted, fostered and grounded on solid data, but more importantly grounded on eyes that allow you to observe your digital environment with a proper level of specialization.
If we consider a standard digital environment for a medium enterprise, it is certainly made up of workstations and servers on-prem, or within the stricter corporate perimeter. Then if we consider the cloud, we may have some platforms or servers that have been virtualized there, or maybe the cloud adoption has already gone to some extreme, like decoupling or disassembling a computing engine into S3 buckets for storage, or maybe computing engines, or maybe relational database instances.
We have gone very far in negating the visibility that security people were keen to have, to the point that, for example, to observe this new fashion of doing things in cloud computing, we deserve specialized eyes, because we need first and foremost to have an inventory of these resources and then we need to understand the relationship that they have one to each other.
We were keen on seeing this set of capabilities within the same iron machine, within the same server. Now they are not only decoupled, but they may exist in a multi-cloud environment and they need to have a relationship, and this relationship needs to be secured.
There is a publication that is still extremely current, despite being published a few years ago and updated two years ago, from the Cloud Security Alliance. The publication is called The Treacherous Twelve. It’s a bit romanticized, but it depicts perfectly how misconfiguration, and not zero days or targeted attacks, is the real threat with cloud adoption. People forget, for some reason, to restrict the IP list that could allow access to an S3 bucket, or maybe they leave the default password on databases – which are errors and mistakes that we couldn’t believe were conceivable in traditional security, but for some reason they got there in cloud adoption.
Not to mention other types of devices, such as the Internet of Things, where you cannot have the same level of monitorability, and the same level of understanding of where these things are running and what these things are doing. What level of communication do they have? Do they communicate back to the vendor somewhere on the planet? What type of information do they disclose? These are some security nuances of the challenge that IoT represents.
That’s why, if we want to be adding security to digital environments, we need to have a solid IT asset management system that provides discovery, that allows us to understand what we have at any given moment in time, that provides classification, taxonomy, enrichment of the discoverable data with non-discoverable metadata. Because this is useful not only for security, it is useful also for enabling other processes, namely procurement for example, or namely IT processes, or even business processes.
I was recently listening to a keynote of a CISO of a company doing peanut butter, and this lady was hired to foster cybersecurity within the company. The company delivers a personal salad station. An IT system that allows users to interact with the selection of all the dressing they want for a salad, to get the perfect salad out basically. From an IT perspective and a security perspective this is still an electronic system that has a network cable and that takes user input.
The first question that a CISO should ask is: “How exposed is this? Do I know that it is part of my ecosystem? How attackable is this?” And then map these answers to the business, because if we are able as security professionals and practitioners to expose risks in a tangible form to the business, that’s the ultimate linkage that security needs to have to be part of the digital transformation. And it all starts from DevOps and from IT asset management.
I’d be glad to continue this conversation via Twitter and LinkedIn and other social channels, and to invite you all to our website to deepen not only IT asset management, but all the rest of the functional applications that allow you to build security into digital transformation processes.
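The inventory disagreement in the Twitter anecdote above (antivirus, desktop management and CMDB each reporting a different device count) is exactly the kind of gap a reconciliation step in an asset management process is meant to surface. The following Python example is added here to illustrate that step; it is not code from the podcast or from Qualys. The three host lists, the source names and the corporate DNS suffix `.corp.example` are constructed assumptions. It normalizes hostnames so the same machine reported in different spellings collapses to one record, computes the count each tool would report on its own versus the reconciled total, lists what each tool is missing, and flags hosts known to only one tool as the first records to verify.

```python
"""Reconcile device inventories from several tools to expose coverage gaps.

Added example, not from the original podcast. The three exports below are
constructed sample data standing in for an antivirus console, a desktop
management tool and a CMDB; the domain suffix is an assumption.
"""
from __future__ import annotations

DOMAIN_SUFFIX = ".corp.example"  # assumed corporate DNS suffix

# Constructed exports: the same machines, with inconsistent casing,
# inconsistent FQDN use, and one duplicate with stray whitespace.
SOURCES: dict[str, list[str]] = {
    "antivirus": ["WS-0001.corp.example", "ws-0002.corp.example",
                  "SRV-DB01", "ws-0003", " ws-0001 "],
    "desktop_mgmt": ["ws-0001", "ws-0002", "WS-0004.corp.example"],
    "cmdb": ["ws-0001.corp.example", "srv-db01.corp.example", "ws-0005"],
}


def normalize(hostname: str) -> str:
    """Collapse the ways different tools spell the same machine.

    Lower-case the name and strip the corporate suffix so that
    'WS-0001.corp.example', 'ws-0001' and ' WS-0001 ' all become 'ws-0001'.
    """
    host = hostname.strip().lower()
    if host.endswith(DOMAIN_SUFFIX):
        host = host[: -len(DOMAIN_SUFFIX)]
    return host


def reconcile(sources: dict[str, list[str]]) -> dict[str, set[str]]:
    """Map each normalized host to the set of sources that report it."""
    seen: dict[str, set[str]] = {}
    for source, hosts in sources.items():
        for raw in hosts:
            seen.setdefault(normalize(raw), set()).add(source)
    return seen


def per_source_counts(seen: dict[str, set[str]],
                      sources: dict[str, list[str]]) -> dict[str, int]:
    """Device count each tool would report on its own (after de-duplication),
    plus the reconciled total under the key 'union'."""
    counts = {name: sum(1 for srcs in seen.values() if name in srcs)
              for name in sources}
    counts["union"] = len(seen)
    return counts


def coverage_gaps(seen: dict[str, set[str]],
                  sources: dict[str, list[str]]) -> dict[str, list[str]]:
    """Hosts that at least one other tool knows but this tool does not.

    For the antivirus console this is the list of machines with no agent;
    for the CMDB it is the set of assets nobody has recorded as owned.
    """
    return {name: sorted(h for h, srcs in seen.items() if name not in srcs)
            for name in sources}


def single_source_hosts(seen: dict[str, set[str]]) -> list[str]:
    """Hosts reported by exactly one tool: candidates for stale records or
    unmanaged devices, and the first thing to verify by hand."""
    return sorted(h for h, srcs in seen.items() if len(srcs) == 1)


if __name__ == "__main__":
    seen = reconcile(SOURCES)
    print("counts:", per_source_counts(seen, SOURCES))
    for source, missing in coverage_gaps(seen, SOURCES).items():
        print(f"{source} is missing {len(missing)}: {missing}")
    print("single-source hosts:", single_source_hosts(seen))
```

With the constructed data the three tools report 4, 3 and 3 devices while the reconciled inventory holds 6; in a real environment the `SOURCES` dictionary would be filled from each tool's export, and the normalization rule extended to whatever naming conventions those tools actually use.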