Intelligent CIO Africa Issue 11 | Page 72

TECH TALK “The only consistency in cyber hygiene is how inconsistent we are.” deny-by-default. We’re talking about an approach that’s far more nuanced and sophisticated. When we harness least privilege to ensure good, it’s about striking the right balance between security and the need for fast, flexible service delivery. In other words, we’re making security empowering rather than confining. Just like brakes on a car: the purpose is not to slow you down, it’s to allow you to go fast. Three core tenets of ensuring good There are three core tenets behind ensuring good. First, leverage a secure infrastructure to build least privilege environments around applications. Second, empower the ecosystem by exposing the boundaries and context of those environments and enabling the ecosystem to align to those boundaries. And third, make it simple and easy to practice good cyber hygiene. Secure infrastructure A secure infrastructure changes the rules of the game by enabling you to quickly lock down critical applications and data, architect-in security controls, and facilitate a repeatable and focused cyber hygiene process. This is not simply an infrastructure that is built securely, but rather one that enables you to understand the relationship between applications and infrastructure and create least privilege environments around them. Infrastructure centred on ensuring good needs to have native, built-in capabilities that are architected in from the ground up, with tight alignment to what we care about most: applications and data. Today, too many cybersecurity controls are aligned to pieces of hardware buried deep down in the infrastructure – a 72 INTELLIGENTCIO Not because security teams don’t understand what is needed, but because cyber hygiene has become too difficult in a world of constant change. Clearly, we need to make it dramatically simpler and easier to practice the five key pillars of good cyber hygiene: least privilege, micro-segmentation, encryption, multi- factor authentication and patching. When you examine the major security breaches that made headlines over the past few years, every one of them could have been avoided completely, or greatly reduced in impact if the targeted business had followed these basic principles. Pat Gelsinger, CEO, VMware router, switch, or server for example. Why? Because in a hardware-driven world, that’s the only place we can hang them. In a software-driven world, we have a rich and fluid canvas to work on rather than a rigid set of hardware and edge-based solutions. Empower the ecosystem The ecosystem of security controls needs a privileged position in the environment in order to effectively focus on ensuring good. Those controls must have access to rich context about the applications and data they are trying to protect, and ubiquitous coverage for visibility and control. Much of the ecosystem is already expressing enthusiasm about the game-changing notion of ensuring good, as it begins looking for bridging methods to sort through an otherwise untenable stack of hay in search of that elusive problem needle. Cyber hygiene Consistently executed basic cyber hygiene is the single most effective step we can take against breaches and a core tenet of ensuring good. And yet the only consistency in cyber hygiene is how inconsistent we are; we continue to fail in this space. When it comes to security, the question we typically ask is, “How do we secure it?” What we should be asking is, “How can we leverage our IT infrastructure in new ways to transform security?” In an era when the tech industry has failed on cybersecurity, the time has come to flip the security model on its head. Introducing VMware AppDefense VMware’s new security model, VMware AppDefense, leverages the unique properties of virtualisation to protect applications running in virtualised and cloud environments. The new solution creates a least privilege environment by capturing the intended state of applications and then monitoring how applications behave when running against that intended state. By understanding the intended purpose of an application, organisations can now direct their security efforts to monitoring a few key behaviours instead of trying to detect every possible threat – significantly shrinking the security problem and lowering security costs. This new security model radically changes the current failing approach to security. Instead of chasing a constantly expanding and changing threat landscape, it allows organisations to focus their efforts on setting protections around the applications and data that need them most. n www.intelligentcio.com