The application of automation in modern security

Posted by fierce at 2020-03-02

When Amy, chief information security officer of a medical service organization, looked closely at cloud security across the company, she realized that the default access control model was causing various access problems. By default, Bewell's infrastructure as a service (IaaS) provider is set to a secure state in which only enterprise owners have access.

Software as a service (SaaS) providers, on the other hand, are set to fully open access by default. With multiple clouds in use, Amy cannot manually relax the IaaS permissions or fully control SaaS. So how can this problem be solved? The answer is automation.

Instead of the simple question "how do you provide security and manage risk", the CIO now faces questions such as "how do you help the enterprise achieve more value while assessing and managing risk, security and even safety?" Using automation is the best way to bring value to your organization.

The impact of automation

Automation is affecting the world in two ways. First, automation realizes security and risk functions; second, automation is a new security frontier technology that needs to be recognized and understood.

As all parts of the business begin to adopt emerging technologies such as cloud, blockchain, digital twins and immersive technology, CISOs like Amy will be overwhelmed by competing priorities.

Other parts of the business may build solutions without consulting security and risk management leaders on security issues. This means that they are making technology-related choices every day and often don't realize the potential risks of what they are doing. Security and risk management leaders have no control over these business choices and sometimes do not even know about them, which can have serious consequences, especially in the context of growing digital business potential.

The digital transformation has changed the security needs and the required skill sets and capabilities, and it has brought new talent gaps that are difficult to fill (or even impossible to fill).

Automation in the business

Many automation tools are temporary, but some are formal automation tools for critical parts of the process. Some tools use one technology, while others combine several. For example, robotic process automation is best suited to task-centered environments, while predictive analytics uses predictive modeling, regression analysis, forecasting and pattern matching to answer the question "what may happen".

Some companies are ready to use automation to reduce costs, standardize or improve productivity. Some companies are ready to use it to improve the quality and consistency of risk control while reducing human error. Organizations are also ready to use automation to increase speed or flexibility.

Continuous adaptive risk and trust assessment becomes an important driving force

No matter how automation is used, security and risk management leaders will no longer be able to rely on traditional security policies. Continuous adaptive risk and trust assessment (CARTA) is an approach to policy that acknowledges there is no perfect protection, so security policy must be adjusted anytime and anywhere.

Security and risk management leaders should consciously adopt an adaptive approach to automation that not only minimizes risk to their own enterprise, but also helps the enterprise obtain returns. Security and risk management leaders must balance risk and trust according to the situation, find their own position in the automation blueprint, and realize their own value.

Automation does increase risk. For example, an algorithm may carry its creator's implicit and explicit biases, or an algorithm running on an untrusted operating system may be secretly manipulated from outside. Therefore, any choice about automation must be made carefully and be consistent with current and future conditions.

Although there are risks, automation can bring huge benefits to the security team and the business if the right choices are made.

Value through automation

Security and risk professionals must use automation to realize value in three areas: identity, data, and new product or service development.

Identity recognition is the foundation of all other security controls

In any case, decisions about identity should remain within the control of the security and risk team. This becomes even more important as more and more businesses migrate to the cloud. As the system and company become more and more complex, it is very difficult and dangerous to rely on only a few passwords for identity verification.

Consider using an intelligent risk engine to automate specific parts of the process. A continuous adaptive risk and trust assessment approach to identity will be key to ensuring that the risk engine is neither too relaxed nor too strict, and that it also works for users.

Data has become an important part of enterprise value

A business is like a "data production factory". If its data cannot be protected and monitored, the cost will be high, and the value of the enterprise may even be damaged.

You can examine the access control model for all IaaS and SaaS applications, and consider using a cloud access security broker (CASB) to identify and classify data and files. At the same time, use the cloud access security broker together with enterprise digital rights management to extend control to the whole enterprise, covering all data locations.

New product or service development is the focus of the company

In order to gain competitive advantage, companies are developing new products and services, while using emerging technologies to seize new business opportunities. As companies increasingly need to bring products to market faster, the development and operations (DevOps) process may violate security agreements. Automation can help achieve the ultimate goal of security development operations (DevSecOps): integrating security into the process from the beginning without any negative impact.

Consider automation options, such as interactive application security testing, a machine-based solution that lets you observe application behavior from within. After that, your team can put security testing on top of quality testing and avoid using a single security test case.

Among these critical priorities, security and risk management leaders must decide which tasks they want to address themselves, which tasks other teams can reasonably accomplish, and which tasks do not warrant the time or energy. The security team must also consider how to integrate automation into the system and how to use automation properly within the continuous adaptive risk and trust assessment approach to security.

In order to manage and support value protection and value creation, the job of security and risk management leaders is to identify and manage this tension and find their place in the automation blueprint.
