McAfee is one of the biggest household names in cyber protection. This means that Nigel Hawthorne director, EMEA cloud security business, really knows his stuff when it comes to anything DevOps and cybersecurity-related. To prove this point, the director flexed his knowledge with us, discussing anything from DevSecOps to whether we should genuinely be worried about the threat of a global cyber-attack.

How do you manage your scale DevOps practices with such a huge firm?

Like many organisations, we’re now releasing code at an ever-faster rate. And when you do that, you need to make sure that security cannot get in the way of release times. But at the same time, you don’t want to have to roll back or hotfix software. So, we’re following the practices that we recommend to people of shifting left, bringing security into our development earlier and ensuring you were using the power of the cloud, and containers. This way, the development team actually feel more empowered that they can release their own code. And they don’t have the problem of finishing some code and then having to pass it to a separate security team to approve it, because in almost every company I’ve worked in, there’s been that friction between development and QA, where, the developers think QA takes too long and in development, the code too late. And really the aim is to make one team in sec ops that will be able to code and releases together.

With cloud being kind of one of the biggest trends right now, do you think it’s good that so many people are using it, or is it just more competition?

Cloud is where computing is because of its flexibility and scalability. There’s absolutely no doubt that the days of on-premise only are over. As an example, two days ago I saw a well-known UK Government Department who you may consider typically to be a relatively late adopter of new technologies, and they were talking to us about their cloud adoption and how they can accelerate it. Because they do recognise the huge benefits that it gives them. But like any new technology, it brings in questions on governance, management, and how to ensure that you move from previous systems to new systems without losing security as you go.

What are your general thoughts on shift left and containers right now, and what does this mean for DevOps?

Containers are just yet another area where virtualisation from the days when one piece of hardware would run one application and sit there and perhaps not be fully utilised. I remember in offices having a PC that was basically just a print server. You are now in a situation where to get greater flexibility, you have lots of virtual machines and containers. It’s just the next step of virtualising as many things as possible to make sure that you are being as efficient as you can be. So, you’ve got a small container that may last only a few minutes that is performing one function, it’s created to perform that function then it closes down. The great thing about performance and scalability has to be compared to the problems of security. How do you secure something that might not last very long? If you go back to the days of physical security for someone to get your data they’d have to somehow get into the building, get the device they needed, put it under the overcoat and walk out. You then need a company who’s watching what’s going on, you need CCTV, you need controls on doors, etc. Today you think, “how do you put that in a container that doesn’t last very long?” And therefore, you need things like cloud security posture management. You need vulnerability assessment of each container and to work in a zero-trust manner. So, even though you may have multiple containers with infrastructure as a service, it doesn’t mean that you trust every single container because one of them may well have been inserted there by an attacker. So, you’ve got to be constantly vigilant, to see whether or not all the containers that you’ve got are doing the job that they should be. And it’s not easy. And it can’t be done slowly, it has to be done in real time, as the containers are created and executed.

How do you feel about DevSecOps?

For me what it means is pulling together groups that were often working independently. And I think that’s a good thing. You don’t want the security people and the development team to be at loggerheads because they have different requirements. One is all about speed of delivery, the dev team wants to release code, they’ve perhaps got internal deadlines to hit. And then they find that the security team or the QA team, slow that down because they need to do their work. I think actually is a great innovation from a philosophical point of view, which says we’re all one team. We’re working together. How can the QA and security people give some of their tools to the developers so that actually, they can release code themselves?

Microsoft has recently announced that they’ll be stopping support for Windows seven. What’s your opinion on this?

Well, if you can, for sure, it’s time to look at your windows seven and upgrade those systems to Windows 10 or something else that ensures you’ve got the latest updates. And then those devices need to be used in internal-only processes. So, never be connected to anything that can go out to the internet. And if that means that there’s not much for them to do, well, I’m sorry about that, but it really is time to move on. It’s been running for over 10 years. It is time to move those systems on now.

What about the thought that a lot of NHS trusts are still running on Windows 7, should the government be investing in more advanced systems?

We shouldn’t necessarily say all windows seven devices should immediately be removed completely. In a recent hospital visit, I noticed a computer left around. So, there are always problems, like, what if somebody comes with a USB stick? But I think you’ve got to look at the likelihood of a problem in more general office applications. So, in terms of old systems, I’m sorry, you’ve got to get rid of them.

What do you think people can be doing to make sure that they’re not missing out on security?

I know it’s a very cliché message but you can’t control what you can’t see. So, firstly, you definitely need visibility. Think about what software as a service are your office-based employees using? But also, what infrastructure as a service your DevOps teams are implementing? You’ve got to be able to look at the systems that use the containers, the different bits of code that you’ve got. Ensure that you’ve got the policies there that look at the possible problems. Perhaps to answer an alternative question, why are the problems different? Well, because you can have multiple pieces of code in cloud for the cooling each other, and you’ve got to not only look at those individual pieces of code but the interaction between them and ensure that you are, therefore, providing Application Security, data security, privacy compliance data loss events. At the same time running this code on the platform that isn’t under complete control of the organisation so it’s provided by someone else.

When the year 2000 rolled around, everyone was so scared of the millennium bug. We’ve forgotten about all this kind of stuff now. But instead, with the development of tech over time and considering recent political issues, should we be worried about a huge cyber-attack that could affect us in a big way?

You know, maybe that’s more likely if there’s some massive sunspot of activity. I think the problem is we need to be constantly vigilant and we need to recognise just how much our daily life relies upon technology. Look at the problems [that companies that have faced cyber hacks] are currently suffering from, what will be the long-term impact on them? At this point we don’t know. But we have to plan for the worst. Even though we expect it won’t happen. I don’t want to be wandering around with a sandwich board saying doom and the end of the world is nigh, but unfortunately, I think there’s a famous phrase, “hope it’s not a strategy.”

I’ll go back to Y2K, a lot of companies spent a lot of time, effort and money updating code, checking code, training people. Even I did a lot of presentations. And so, when you read articles that said, “Well, the world didn’t end, there wasn’t a problem”. That’s because we did a lot of work to make sure that those things that could be, were updated and worked. A lot of companies actually obsoleted products in 1999, saying we can’t guarantee that this will work after the year 2000. I think that we have to focus on industry and individuals being constantly vigilant. There are tools there to help you. Companies like mine, try to help you as much as we can. But we need to first recognise that there’s an issue to address.

So, if for example, say the power grids were hacked, would your advice on preventing this be to plan for the future?

Well, actually, when you talk about power and other things that are critical national infrastructure, the good news is that governments and regulators are taking this incredibly seriously, and are doing everything they can to look at all of the embedded code within the critical national infrastructure.  If we are talking to organisations in that area, then they have even more stringent regulations upon them than traditional commercial businesses and that’s a really good thing. We’ve seen various what looked like state sponsored attacks on some country’s infrastructure. And, of course, each time that happens, it’s a major concern but each time it happens, everyone else in the world learns from those attacks. There’s a whole wealth of people whose job it is to keep us safe.

In your field, what do you think the future will hold?

I’m optimistic, I do think that there will be a much broader understanding outside IT. In fact, if there’s one thing that I’d say people can do whether they work in DevOps or anything else, it’s talking to non-IT people and talk to people in HR and people in risk. Talk to your legal team try to get them to understand that the things that you do all important and that the stories behind security technology, because every time that someone talks about security to a non-IT person, there’s a rolling of eyes and snapping of pencils and people say they’re really busy. But if you can turn it into a story if you can turn it into a, “Hey, look, I’ve heard about this or, here’s what happens if you don’t do this, then you can start to engage non-IT folk.” And I think by the end of the year, we’ll have a much greater understanding and all those other departments find out any other line of business, individual users that it’s their responsibilities well they can’t believe it.

The post “We need to be constantly vigilant” – McAfee’s director of cloud talks security in a modern age appeared first on DevOps Online North America.

In the light of the European Cloud Survey results, carried out by McAfee, in which it was predicted that just two-fifths of UK businesses will be cloud-only by 2021, representatives from the computer security firm discussed not only the vitality of cloud security but also why they believe the predictions to be what they are.

Nigel Hawthorne director, EMEA cloud security business, McAfee’s first point was that people tend not to realise how complex cloud really is. He discusses how people are starting to realise the importance of cloud, but struggle on an internal DevOps surface level to set the correct infrastructure for it. A further argument that the EMEA makes about cloud security it that isn’t just about hackers.

“I could say that if your view of security is all about the bad guys, keeping away the hackers, then that is one element of security absolutely, but you could argue that, at its core, what you want to achieve with all of those problems is actually relatively simple. You want to take a lot of stuff away. The difficulty with Cloud is, it’s a bit more complex than that,” says Hawthorne.

“The world is not black and white”

After proving his points by regaling the crowd with stories from firms that may have good cloud security in place but don’t have ways for users to protect themselves fully. For example, there are many companies that share numerous amounts of accessible data on the cloud that means when an employee potentially leaves the firm, they may still have access to the information. Or if that person is not using a work computer, that unencrypted data then becomes available on a potentially unprotected device.

“I’m just trying to point out that the world is not black and white. If you go back to the web filtering world, certain websites are not appropriate for your employees to go to either. Because they’ve got malware or inappropriate content. But actually, in the cloud, we don’t usually have that information. That might be something that we want to track.”

“[We look at] data user service business legal cyber threats, and we colour code. We allow people to make their decisions. So, for instance, they might log into the public cloud, we find that passwords are out there to someone who knows what might be happening. They may be connected to the public Wi-Fi, which is picking up all of the data. So, I want to make a corporate decision that says, I only want to use services that encrypt data in transit. Or it might be a legal question was about to be stored etc.”

Survey results

On further reflection of the results, it was noted that along with the low expected rate of businesses moving to the cloud, just 5% of businesses have already become fully cloud orientated.

The aim of the report was to explore and understand the future of cloud for large organisations and if they intend to become cloud-first or cloud-only and when they intend to achieve certain milestones by.

1310 senior IT staff and 755 employees in business with over 250 employees were questioned in the survey that was carried out across the UK, France and Germany.

Despite the majority of large businesses (86% in the UK, 90% in France and 92% in Germany) believing that their organisations are cloud-first, 93% of firms across all three counties hope to increase their reliance on the cloud and move more sensitive data to the cloud in the coming years.

The main reason for companies wanting to make the move to cloud or becoming cloud reliant, with 88% of respondents making this point, is due to an increased productivity amongst end-users. 84% said that it has improved their company’s data security.

Other research factors to moving to the cloud highlighted increased employee skills, making jobs more fulfilling and increased innovation.

Cloud security concerns

In terms of the concerns around cloud security, 45% of respondents in the UK said that they store sensitive data on the cloud and security issues are holding people back from putting on more data. Because of this 22% of senior leaders across all three countries feel that their businesses will never be fully cloud -only due to security concerns. 55% state “security fears feel this is down to “security fears” with a further 40% saying it to be because of “ data access concerns”.

When it comes to security, the poll revealed that there is widespread uncertainty as to who is ultimately responsible for the security of data. 14% said the CEO is responsible, with 19% saying the CIO is and 5% believing it to be the responsibility of the CISO. 34% feel the IT manager is responsible.

Raj Samani, chief scientist and McAfee fellow, suggests: “We’ve got to recognise that what individuals see as a security concern. The issue actually fundamentally is their inability to be able to understand what needs to be done and how things should be done…We’re given this great technology, but individuals not necessarily understanding the tools that are required to secure that infrastructure….”

He adds: “I want to be clear we actually didn’t break the law, but we actually said well, wouldn’t it be great because that actually we can, first of all, identify the open buckets online, and then using those open buckets actually develop PowerShell code that would allow us to be able to encrypt everybody that’s downloading this commercial. So, in other words, we created a malicious piece of code on an open s3 bucket, sent an email to every single person in that organisation to say please go to our cloud service. And actually, what we found was it’s a really easy way to be able to disseminate malware, or it can in this instance with ransomware”

Samani reiterates the complexities behind cloud migration. He comments: “Obviously, that suggests that there is still an appetite [for cloud] but there’s a discrepancy between desire and actually [making it happen] Because the reality is moving to the cloud isn’t easy. In certain scenarios, it might be straightforward for certain things like migrating something down to the SAS but the reality is that it requires a significant amount of governance and due diligence required on behalf of the organisation.”

Is it the fault of the customer?

“The reality is in cloud computing, we see organisations of people migrate outsources over to cloud services with the belief that absolutely absolves them of any risk or any concerns,” Continues Samani.

However, in an IT world, people are very aware of the security protection that is needed in the cloud. When asked at a private conference what needs to be done outside of an IT world to make sure people are protected, the experts suggested that not only do we need to take on more responsibility in general but in a growing technologically focused world, we need to have more focus on IT security in general.

“There are many things that we can do. Actually, we should share responsibility more, because I think, as a vendor, we have responsibilities to start to create or to develop new axes that make it simpler and more intuitive to be able to secure systems right. I think there is a responsibility for us, as vendors, to create guides around how you set up the infrastructure and how you protect yourself against these environments.”

“But then, it’s a responsibility for organisations and consumers themselves to start to take those configuration guides and influence. For example, if you’re a parent and you’re giving your kids a mobile phone at Christmas. You can do parental controls, and that’s the same concept and so every single person has that level responsibility…ultimately you own the risk…I think that’s the time right to take reasonable measures to implemented appropriate organisational and technical controls and so did you do everything within reason to be able to implement that”

Adding to this, the fellow says we need to be teaching children about protection from a young age “Educate people with realistic stories of getting it wrong to ensure that they realise that everyone needs to be involved. And we need to help bring in other developers from governance, risk and compliance to everyone else.”

The impact of biometrics

When asked biometrics will play a role in security, Hawthorn responded:

“We have now this toolkit, which is a technology that allows you to be able to integrate multi-factor authentication within a wider environment. I think two-factor authentication will be used. Then, of course, you’re going to see the adversary kind of respond and actually. not everything should require two-factor and is going to be based upon the context of the asset that you’re trying to protect.”

He added: “But then, of course, you’re going see the adversary response, and you’re going to see the use of the technology to be able to bypass facial biometrics. And then you’re going to see the industry respond by creating defect detection capabilities to be able to bypass the adversarial machine learning models that they’ve implemented to be able to bypass the two- factor, and they because then they’ll have to respond and will have to respond so like this is that game of cat and mouse we’re going to have to play.”

The post McAfee reveals survey results and breaks down complexities behind cloud security migration appeared first on DevOps Online North America.

The report results say that cybersecurity companies will expand by over 15% in the next 12 months, with two in five government and companies broadening, leading a shortfall of 350,000 cyber workers by 2022.

The report also states that organisations are struggling to retain their staff with 21% of the workforce having left their jobs in the past year, so 39% UK cyber workers have commanded annual salaries of £87,000.

‘Structural concerns hamper development’

“There are real structural concerns hampering the development of the job market today that must be addressed. It is particularly concerning that employers appear reluctant to invest in their workforce and are unwilling to hire less experienced candidates. If we cannot be prepared to develop new talent, we will lose our ability to protect the economy and society,” said Adrian Davis, Managing Director at ISC².

“The impact of this rising price for cyber expertise is that smaller and public sector organisations may find themselves priced out of employing top talent,” added Chief Scientist at McAfee, Raj Samani.

ISC² noted that new, younger and more diverse talent would need to be bought into the workforce, although a fifth of the current workforce in Europe don’t have computing backgrounds.

Written from source by Leah Alger

Source: The Register

The post Cyber expertise is much in demand appeared first on DevOps Online North America.