We’ve been writing this series using the common metaphor of a “Journey”. This is certainly not a groundbreaking metaphor in the IT space. It seems enterprises are always on a journey somewhere. Since we have been talking about the Journey of Digital Transformation, it occurred to me that we never really defined it. There are literally hundreds of definitions out there. I think Clint Boulton of CIO magazine captured a solid definition of Digital Transformation in a recent article from 2021.
“Digital transformation marks a rethinking of how an organization uses technology, people, and processes in pursuit of new business models and new revenue streams, driven by changes in customer expectations around products and services.”
What is interesting to me about this view is that it removes one key aspect of the journey… the end. Digital transformation for organizations is not a trip that has an end. Customer expectations will always evolve. New ways of interacting with your customer base, your competitors, and the market at large will continue to emerge. The strategies of most enterprises are not focused on technology for technology's sake. Enterprises are driven strategically by the need to grow market share, drive cost efficiencies, attract talent, increase revenues, dominate the competition, and expand into new markets. The only way many enterprises can do this is to re-think their teams, organizations, tooling, and processes to embrace digital transformation as a model.
As has been discussed, consumption of the public cloud is one of the major tactics organizations employ to realize their strategic vision of digital transformation. However, there is often a singular focus on what a new capability or service can deliver for a project. These services are not always understood through the lens of their configurations and the increased risk those configurations can pose to the enterprise. New services need to be tracked against the relevant compliance frameworks, and security operations centers need correlated, contextually prioritized signals for incident investigation and response.
The fact is that there are several centers of gravity within the enterprise (e.g. Operations, Platform Engineering, Compliance, etc.) that all have equally critical roles and responsibilities in the enterprise’s strategic initiatives. The industry needs to move beyond point solutions to platform approaches. Investing in platforms, rather than in separate tools for each of these groups, not only reduces cost but also creates opportunities for new synergies between them.
Tangible Benefit: Continuous Compliance
For example, take a simple update to a compliance framework for an enterprise leveraging multiple Cloud Service Providers. This one change will require investigations across different clouds, accounts, and projects just to determine whether it applies. Second, because the same service is implemented with different architectures and configurations on each cloud, each CSP offering will require different steps to achieve compliance. Those changes would then have to be communicated somehow to platform engineering and automation teams, and manifests, deployments, and so on would need to be updated.
A platform that updates compliance frameworks automatically upon release, or allows custom policies to be added on demand for all clouds, would be the first step. That would let the platform immediately evaluate the entire cloud estate for relevance and surface any signals indicating that a change is needed. Remediation guidance should be part of the updated policy and provided by the platform to cloud operations. The platform should insert and evaluate these new policies both at run time (against what is already deployed) and against any new manifests, version control commits, and pipeline builds, automatically providing the details to the platform engineering teams. Essentially, a true platform approach provides the following:
- Allows the compliance team to decide on the control and its relevance
- Allows the operations team (or the platform vendor) to specify the configuration and remediation guidance specific to each Cloud Service Provider (CSP)
- Gives the SOC/NOC immediate feedback on current deployments in light of the updated control(s)
- Lets the platform automation team simply continue their work, with the new policy automatically inserted into the process at the IDE, version control, and pipeline inflection points
- A streamlined approach to implementing continuous compliance.
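The workflow above, as an added example in Python (not Zscaler's code, nor any real CNAPP product's API): one control is defined once by the compliance team, the per-CSP check and remediation text are attached by operations, and the same control is then evaluated at two inflection points, the runtime inventory of already-deployed resources and the manifest a pipeline is about to deploy. The control STOR-01, the resource inventory, the manifest, and the AWS/GCP configuration shapes are all constructed for this example.

```python
"""Continuous-compliance evaluator for one control across clouds and stages.

Added example; not Zscaler's or any vendor's code. The control, the per-CSP
checks, the runtime inventory and the manifest are all constructed to show
the workflow: the compliance team owns the control, the operations team owns
the per-CSP check and remediation text, and the platform evaluates the same
control against deployed resources (runtime) and against resources a pipeline
is about to create (manifest).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Control:
    control_id: str
    description: str
    # csp -> (resource type in that CSP, predicate returning True when compliant)
    checks: Dict[str, Tuple[str, Callable[[dict], bool]]] = field(default_factory=dict)
    # csp -> remediation guidance written for that CSP's configuration model
    remediation: Dict[str, str] = field(default_factory=dict)


@dataclass
class Finding:
    control_id: str
    csp: str
    resource_id: str
    stage: str          # "runtime" or "manifest"
    remediation: str


# Compliance team: the control. Operations: how it is checked and fixed per CSP.
CONTROL_STORAGE_VERSIONING = Control(
    control_id="STOR-01",   # constructed control identifier
    description="Object storage buckets must have versioning enabled",
    checks={
        "aws": ("s3_bucket", lambda r: r.get("versioning") == "Enabled"),
        "gcp": ("storage_bucket", lambda r: r.get("versioning", {}).get("enabled") is True),
    },
    remediation={
        "aws": "Enable versioning: aws s3api put-bucket-versioning --bucket <name> "
               "--versioning-configuration Status=Enabled",
        "gcp": "Enable versioning: gsutil versioning set on gs://<name>",
    },
)

# Constructed runtime inventory (what a posture scan of deployed resources returns).
RUNTIME_INVENTORY = [
    {"csp": "aws", "type": "s3_bucket", "id": "prod-logs", "versioning": "Enabled"},
    {"csp": "aws", "type": "s3_bucket", "id": "legacy-exports", "versioning": "Suspended"},
    {"csp": "aws", "type": "ec2_instance", "id": "i-0abc123"},
    {"csp": "gcp", "type": "storage_bucket", "id": "analytics-raw", "versioning": {"enabled": False}},
]

# Constructed manifest (resources a pipeline is about to create, normalised from IaC).
MANIFEST = [
    {"csp": "aws", "type": "s3_bucket", "id": "new-reports"},   # versioning omitted entirely
    {"csp": "gcp", "type": "storage_bucket", "id": "ml-datasets", "versioning": {"enabled": True}},
]


def evaluate(control: Control, resources: List[dict], stage: str) -> List[Finding]:
    """Apply one control to a list of resources, using the check for each resource's CSP."""
    findings = []
    for r in resources:
        csp = r["csp"]
        if csp not in control.checks:
            continue                      # no check defined for this CSP yet
        rtype, compliant = control.checks[csp]
        if r["type"] != rtype:
            continue                      # control does not apply to this resource type
        if not compliant(r):
            findings.append(Finding(control.control_id, csp, r["id"], stage,
                                    control.remediation.get(csp, "no guidance yet")))
    return findings


def run_continuous_compliance(control: Control, runtime: List[dict], manifest: List[dict]) -> dict:
    """Evaluate a new or updated control at both inflection points and return what
    each team needs: runtime findings for SOC/operations, manifest findings for the
    pipeline, and whether the pipeline build should be blocked."""
    runtime_findings = evaluate(control, runtime, "runtime")
    manifest_findings = evaluate(control, manifest, "manifest")
    return {
        "runtime": runtime_findings,
        "manifest": manifest_findings,
        "pipeline_blocked": bool(manifest_findings),
    }


if __name__ == "__main__":
    report = run_continuous_compliance(CONTROL_STORAGE_VERSIONING, RUNTIME_INVENTORY, MANIFEST)
    for f in report["runtime"] + report["manifest"]:
        print(f"[{f.stage}] {f.csp}:{f.resource_id} violates {f.control_id}: {f.remediation}")
    print("pipeline blocked:", report["pipeline_blocked"])
```

The point of keeping the check and the remediation keyed by CSP is that a single control update (a new STOR-01) reaches every cloud without the compliance team having to know how each provider spells "versioning", and the manifest evaluation is what lets the pipeline gate on the same control the SOC sees at runtime.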
Driving the Platform Approach: Integrating Posture with Dynamic Policy Enforcement
Gathering information on service misconfigurations, compliance violations, exposed assets with critical vulnerabilities, and even over-entitled permission sets is fundamental to secure digital transformation. It is, however, only one part of the problem. Digital transformation requires the security platform to potentially take action based on those signals.
For example, understanding the scope of exposed S3 buckets with no versioning or MFA delete is critical to understanding a ransomware threat vector. Other dimensions should also be explored. How do we integrate a Data Loss Prevention engine to surface which of those buckets hold PII or sensitive financial information? Can the platform take flow logs and run them through an attestation service to determine whether the sources and destinations of traffic coming in and out of the VPCs are “sketchy” locations? And, if that turns out to be the case, can the platform dynamically block or quarantine the affected assets through the existing security policy enforcement points (PEPs)?
Posture Control and Cloud Native Protection Platforms (CNAPP) have traditionally focused on identifying threat vectors. I submit that, to secure digital transformation efforts, richer integration with these PEP engines is what will address security in the public cloud. The more organic and seamless those integrations are, the more organizations can reduce tooling, simplify workflows, and focus on their policy rather than on operating these disparate systems.
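The posture-to-enforcement chain sketched in this paragraph, as an added example in Python (not Zscaler's code and not any real CNAPP or PEP API): bucket posture is ranked by ransomware exposure (no versioning, no MFA delete, public reachability) and raised by DLP findings, and VPC flow records are attested against a list of untrusted ranges, with accepted flows to or from those ranges turning into quarantine rules at an enforcement point. The bucket inventory, the DLP map, the flow log lines, the untrusted ranges (which stand in for an external attestation service) and the in-memory PolicyEnforcementPoint class are all constructed or hypothetical.

```python
"""Posture signals turned into enforcement decisions.

Added example; this is not Zscaler's or any CNAPP vendor's code. Everything
below is constructed: the bucket inventory, the DLP classification map, the
VPC flow log records and the list of untrusted ranges that stands in for an
external attestation service. PolicyEnforcementPoint is a hypothetical
in-memory stand-in for a real enforcement point (security group, firewall).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Bucket:
    name: str
    public: bool        # reachable without authentication
    versioning: bool
    mfa_delete: bool


# Constructed inventory: what a posture scan of object storage might return.
BUCKETS = [
    Bucket("customer-exports", public=True, versioning=False, mfa_delete=False),
    Bucket("finance-q3", public=False, versioning=False, mfa_delete=False),
    Bucket("static-site", public=True, versioning=False, mfa_delete=False),
    Bucket("backups", public=False, versioning=True, mfa_delete=True),
]

# Constructed DLP output: bucket -> data classes found in sampled objects.
DLP_FINDINGS: Dict[str, Set[str]] = {
    "customer-exports": {"PII"},
    "finance-q3": {"FINANCIAL"},
    "static-site": set(),
}


def ransomware_exposure(buckets: List[Bucket], dlp: Dict[str, Set[str]]) -> List[dict]:
    """Rank buckets whose objects could be deleted or overwritten without recovery.

    No versioning or no MFA delete means there is no safety net against
    destruction; public exposure and sensitive content raise the severity.
    """
    findings = []
    for b in buckets:
        weaknesses = []
        if not b.versioning:
            weaknesses.append("no-versioning")
        if not b.mfa_delete:
            weaknesses.append("no-mfa-delete")
        if not weaknesses:
            continue
        sensitive = bool(dlp.get(b.name))
        if b.public and sensitive:
            severity = "critical"
        elif b.public or sensitive:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"bucket": b.name, "severity": severity, "weaknesses": weaknesses,
                         "data_classes": sorted(dlp.get(b.name, set()))})
    order = ["critical", "high", "medium"]
    return sorted(findings, key=lambda f: order.index(f["severity"]))


# Constructed VPC flow log records (AWS default field order, space separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.1.12 51234 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.12 198.51.100.7 44110 22 6 3 240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.20 10.0.2.5 49152 5432 6 20 16000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c9d8e7f 203.0.113.9 10.0.3.4 40000 22 6 1 60 1700000000 1700000060 REJECT OK
"""

# Stand-in for the attestation service's verdict: ranges it reports as untrusted.
UNTRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]


def attest(addr: str, untrusted=UNTRUSTED_RANGES) -> bool:
    """Return True when the address falls in a range the attestation data marks untrusted."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in untrusted)


class PolicyEnforcementPoint:
    """Hypothetical PEP: records quarantine rules instead of pushing them to a device."""

    def __init__(self) -> None:
        self.rules: List[dict] = []

    def quarantine(self, asset: str, reason: str) -> None:
        if not any(r["asset"] == asset for r in self.rules):   # idempotent per asset
            self.rules.append({"asset": asset, "action": "quarantine", "reason": reason})


def enforce_from_flows(flow_text: str, pep: PolicyEnforcementPoint) -> List[str]:
    """Parse flow records, attest both endpoints, and quarantine the interface that
    ACCEPTED traffic to or from an untrusted range. Rejected flows are evidence
    the existing controls worked and do not trigger quarantine."""
    for line in flow_text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue                      # malformed or truncated record
        iface, src, dst, action = f[2], f[3], f[4], f[12]
        if action != "ACCEPT":
            continue
        if attest(src):
            pep.quarantine(iface, f"accepted inbound from untrusted {src}")
        elif attest(dst):
            pep.quarantine(iface, f"accepted outbound to untrusted {dst}")
    return [r["asset"] for r in pep.rules]
```

Two design points worth noting: the quarantine is keyed on the interface the flow was observed on rather than on a private address, so the enforcement target is something the PEP can act on directly, and the PEP call is idempotent so repeated flows from the same untrusted range do not pile up duplicate rules.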
At the end of all this, there is no one magic bullet for secure digital transformation. Security is and always has been a journey. It is a constant back and forth between adversaries and the defenses against them. As more enterprises leverage the public cloud to fuel their ultimate goals of digital transformation, the need to richly integrate cybersecurity into the adoption of these new and amazing capabilities is paramount to ultimate success.
That success is not going to be measured by the number of security controls, or corner-case features, that exist in any CNAPP platform. It is going to be measured by the ability of organizations to achieve their goals in whatever terms they define them: delivering new customer experiences, driving costs out of the business, and entering new markets. Here at Zscaler, our goal is to help our customers realize those terms in the most secure way possible.