Why the future of data security in the cloud is programmable
It’s the way software used to be purchased, and often still is. A CEO, or GM, or line-of-business owner calls into IT, and the security and compliance teams, to let them know that they are purchasing a new piece of software to drive innovation in how they deliver their products or services. Because the software needs to be customised, integrated and controlled in the company’s on-prem or cloud environment, the IT team needs to deploy it and the security team needs to secure it.
The problem is that IT, security, and compliance are already behind. As the “Defenders” of the business, they must now apply multiple other third-party products to that application in order to gain fine-grained control over who accesses it and what data they can access. While a growing body of regulations states that security and privacy must be implemented “by design,” the Defenders didn’t design the application that the “Builders” delivered. At this point, everything they do is fundamentally an afterthought.
The conundrum of the defender
The job of the Defender is a difficult one, because security and privacy as an afterthought creates both complexity and vulnerability. The complexity comes especially from security products needing to be customised in order to function in lockstep with the application whose data they are protecting. The larger and more complex the application to protect, the more you have to invest to configure and maintain the products that secure it.
Vulnerabilities arise because between the application and the security products meant to protect it, there are seams—gaps in communication, coordination, and capability that occur naturally when two systems that are constantly evolving occupy two different infrastructure spaces. It is those seams that endlessly produce new exposure every day.