Deterministic Application and Data Security
Author: Keshav Kamble
Application security is a relatively new technology compared to traditional network security. The gravity and importance of application security have increased multi-fold with the rise of public, private and hybrid cloud environments, where the underlying infrastructure such as compute, network and storage may or may not belong to the application owners. A large number of legacy applications are being ported to cloud environments. Then there are cloud-native applications, which are completely developed, tested and productized on cloud environments. In other words, your application requires special consideration for security.
How big is the problem? The answer has two variants. Financially, it will be about $7 billion by the year 2021. Not alarmed? Technologically, it will kill the Digital Transformation and Industry 4.0, which is worth $380 billion by the year 2021. The digital transformation and Industry 4.0 market sizes are from Gartner. Now that we are on the same page, let's discuss Deterministic Application and Data Security.
Problems with Application Security Today
Application security is one of the most ill-defined or inadequately defined technologies today. It has been left completely to the perceptions and interpretations of individuals. Application security as of today has mainly been attributed to security checkpoints in the Software Development Life Cycle (SDLC). Vulnerability scanning, starting with the source code and using various methods, has been the only point of view. This includes static and dynamic analysis of source code and application behavior. OWASP, the Open Web Application Security Project, has been doing a phenomenal job of keeping track of web application vulnerabilities and creating test cases to catch those vulnerabilities.
While static and dynamic source code analysis provide some relief, securing applications at run time in production environments is a much bigger and more complex problem. Enterprises and industry analysts have started talking about Deterministic Application and Data Security.
A link to Mr. Sean Pike’s presentation at RSA 2017 is here – http://www.eweek.com/security/determinism-is-the-key-to-security-idc-tells-rsa-conference.
The term seems highly alien to the security technologies in existence but has a far deeper meaning and purpose. I completely agree with the interpretation of Mr. Sean Pike, Program Vice President of Security Products at IDC. According to him, deterministic security has to do with the integrity of IT assets. It is the capability of IT assets to secure themselves and securely exchange data across networks. The future of the IT industry, be it on premises or in the cloud, would depend upon the underlying integrity.
From the technology perspective, Deterministic Application Security offers the critical piece that has been missing for a very long time. It brings in the notion of changing and strengthening the security constructs and moving them from their traditional places to where they make the most sense. Let’s derive inspiration from Einstein’s definition of insanity – “Doing the same thing over and over again and expecting different results”. The deterministic security approach encourages security architects, security professionals and visionaries to think differently. The rules of the game are changing very fast. The critical workloads that enterprises rely upon have to be scalable, secure and completely automated for deployment, and should be able to run on cloud environments. That is the immediate future of your typical workloads. The security component alone can make or break the future. Therefore, security has to be looked at in terms of deterministic provisioning if real digital transformation and Industry 4.0 are to see the light of day.
Now a little bit of technology. There are multiple ways to implement deterministic security. The simplest way to start is to take your security functions and move them from the network to somewhere closer to the application. Moving security functions and attaching them seamlessly to applications has already been achieved by Avocado Systems and others. The differentiation lies in the determinism of the security functions themselves. The best security functions provide deterministic capabilities to intercept threats and, at the same time, exchange data in the most spoof-proof manner. The request to connect and the subsequent data exchange, including the data itself, have to be based on zero trust models with built-in capabilities to identify nefarious elements. The integrity functions can help the data sources and destinations distinguish right data from wrong data. Such capabilities truly bring a deterministic nature to the application workloads.
The strength and scalability of the security functions are going to be researched for the future of cloud-based applications.
How do we secure applications of the future? The imperative is upon us!
If you want to discuss this further, I am at firstname.lastname@example.org.