A highlight from Application Security in the Cloud
Our guest today is Miller, a business information officer at as a global. So this sounds like a fun title, Lisa. Would you care to give us a brief outline of what a BISO really means?

Yes, I get that question a lot: what is a BISO? So it's not a CISO, but what is this thing, or why is it a B instead of a C? And really the easiest way to explain it is that it's like a CISO, but I'm specifically focused on one division of our organization, and instead of being a divisional CISO that reports into a centralized CISO organization in info security, I actually report into the division, into the division's CTO. So my goal ultimately, and the focus of my role, is to bridge that gap between the business and the centralized security team, helping the business understand how they can apply these requirements and practices from the security team, but also the other way around, too: pushing back on the security team and giving them more business context, so as they're trying to develop new policies and standards and other things, they can do it in a way that makes sense for what we're doing with our engineering teams and across the business lines.

Okay, that actually does make sense. And I wish more large global federated companies would have that, because it sounds sometimes the team was kind of confused about this whole central, decentralized, centralized requirement. So I think that makes sense. So we wanted to hit on the topic of application security in the cloud, because I do see a fair bit of confusion in the industry about, like, whose responsibilities those are, how to fix problems. So in your opinion, Melissa, how have application security practices changed as organizations launch their cloud transformation, cloud migration efforts? What changes, and how?

Also, you touched on one already, right? The responsibility really begins to shift. Security people, we've been talking about push left for years, probably better than two decades.
I think trying to get devs to take on more responsibility for security and get them to understand and perform a secure coding practice. When we start moving into these cloud native technologies and we start expanding into things like infrastructure as code, or we get into containers and even now functions as a service and all, these things are defined in code. So suddenly our developers have a lot more responsibility across more than just the software that they write. And you've got now our infrastructure teams have really shifted, right. Launching SRE teams now kind of seem to manage the bulk of the infrastructure, if you will, in our cloud environments, but that infrastructure again could be Lambda, it could be Kubernetes, Docker, it could be EC2 instances running whatever flavor of whatever operating system. So from an application security perspective, first of all, that means that responsibility has to lay across all of those teams. So when we think DevSecOps, for instance, which is so often a part of people's cloud transformation, that speaks right to that. Like, we need our teams to understand information security. They need to understand app security, they need to understand infrastructure security. We need the devs to be a part of it, and we need security to become a better part of the development process. Security can't be this gate anymore that slows us down. Instead, it's gotta be something that's well integrated. So with all these challenges of new technologies and faster development and faster deploys and different ways we build, that's the biggest change: everybody has to be a part of it. And that's where a lot of those transformations really struggle: how do we bridge application security across all of these disciplines?

So let's imagine the case where we fail to do that, and we just do a big old lift and shift of somebody's big fat complex application to somebody else's IaaS. What are the bad things that happen there? How's that go wrong?

Well,
Inevitably you end up with configuration issues, no matter how much we think cloud is going to secure us. And honestly, I tend to see more with the organizations that do just do like a straight lift and forklift bare metal servers into EC2 or something. That's where we see most that attitude of, "Oh, it's in the cloud, it's the cloud provider's to secure, so Google or AWS, Azure, whoever, they're going to make sure that I'm safe and secure." And so we miss a lot, like the really simple configuration things that create a lot of vulnerabilities. And then from the application side, you're in a whole new environment where networking is a little different, right? You launch your virtual private cloud and the communication isn't the same as what we're used to in normal environments, and so it creates new vulnerabilities or new attack vectors that, if we're not aware of it, we're not testing for in our application security processes. We tend to miss those things. And so what you see is a real explosion, and then you get a lot of finger pointing, right, when there's vulnerabilities everywhere.