Emerging technologies are poking holes in security
- 12 September, 2016 20:32
Accelerated change challenges change management, security DevOps and emerging technologies that enable business innovation and opportunities demand fast, frequent change from the enterprise. The speed and regularity as well as the kinds of change challenge change management and ultimately security.
To secure the enterprise in environments of unwieldy change, the business needs to know how each new technology affects change management and the organization’s security defenses.
Organizations can then begin to evolve change management and security to close those gaps and avoid impacts on security.
Emerging technologies such as DevOps, IoT, automation/intelligent software, information technology service partnering, cloud computing and BYOD all straighten out the curves in the race to make changes that propel the enterprise forward.
[ MORE ON CHANGE MANAGEMENT: Ensure business continuity with change management ]
DevOps merges software development and operations in order to speed deployment of software that immediately works in production. While this is great for usability, change management and security take a hit from adopting DevOps. An example from the payment cards industry shows how much the management aspect of change management can disappear in a DevOps shop.
“One of my clients,” says David King, principal, UHY LLP, “literally sends out two to three releases per day, authorizing those in person with the lead programmer holding up their hand and saying 'authorized' and 'deploy' to a decent sized team of developers all sitting in one room. You can imagine that being able to document those approvals is really just a nightmare, let alone trying to manage the information security protocols that go behind that.”
The IoT market is driving swift change by demanding that the industry ramp up the number of internet connected devices very quickly. “As companies move to design new systems and get them to market, they often don’t pay adequate attention to change management requirements,” says Barry Mathews, managing director at Alsbridge.
In the automation or intelligent software space, robotic process automation tools, autonomics tools, and cognitive computing solutions create change inside organizations. Automation impacts change management by forcing the enterprise to figure out what the change will be and how it will affect people, processes and technology, says Mark Davison, director at Alsbridge.
Information technology service partnering, cloud computing, and BYOD all demand fast and frequent change in the enterprise. According to Joanie Walker, principal consultant at TayganPoint Consulting Group, while information technology service partnering adds federated change management requirements, cloud computing adds change management complexities in ITSM and architectural change, and BYOD requires change to address endpoint management strategies for employee and business partner devices.
According to Walker, information technology service partnering challenges change management by requiring the enterprise to ensure that all information technology support staff work under a common change process. Cloud computing, says Walker, challenges change management by demanding that the organization manage all the infrastructure and applications that exist under different architectural models under a common ITSM change process in a coordinated fashion.
BYOD challenges change management by requiring a service wrapper for a portfolio of consumer devices that is always changing as new employees and partners and their employees come on board or leave or when anyone adds, changes or upgrades their device.
How hits to change management affect security
Even in the young field of DevOps, costly errors in change management make big headlines. According to King, the risk of rapid development cycles and immature change management practices lead to Knight Capital’s swift, gigantic financial losses. “Knight Capital was a high-frequency trading hedge fund that had about 80 percent of its portfolio wiped out in a matter of minutes due to a software glitch. They lost about $440 million in about 30 minutes,” says King.
The pressing need to get IoT devices and related technological changes ready for market stands in sharp contrast to security, which is about developing and testing a good design, defining robust requirements, and then testing again and again before release, according to Mathews. The result of rushing through change management and security measures here is that each new IoT device represents an even riskier node on the internet that is even more susceptible to attack, Mathews explains.
Automation affects change management and security because there may not be an understanding of how to support the new information security requirements of automation as change occurs. This can make the enterprise susceptible to intrusion and unable to adequately respond when disaster recovery plans must execute, Davison says.
As for information technology service partnering, when partner employees don’t follow the enterprise change management process, information security risks rise, says Walker. In cloud computing environments, simply adding errors in the process of coordinating change among different cloud environments to the already precarious task of implementing federated security across these clouds can add significant risk. And when BYOD change management processes operate in a vacuum and not as part of a comprehensive enterprise change process, this can draw information security down.
For DevOps, enterprises can make compromises between the development and change management / security teams by using a sandbox for development. “Development can do anything they want in this virtualized sandbox. Security keeps the sandbox segmented from production. Once a software change passes thorough rapid testing and QA and security scans, they can push it into production,” says King.
Developers must use trusted tools from trusted sources inside those sandboxes so that attacks don’t enter through holes created by cloned tools that hackers have purposely packed with vulnerabilities and malware.
For IoT, the enterprise needs to restructure information technology to monitor, track and support new apps and devices through investment in security governance, protocols, standards and procedures, says Mathews.
Automation affects many things. By applying best practices in change management to transition, communications, education and operational and organizational alignment, the enterprise can maintain effective change management and security, according to Davison.
“For information technology service partnering, staff must operate under a single change process regardless of what organization they work for in order to address the risks to change management and security,” says Walker. For the cloud, the enterprise should use one ITSM change process for both the infrastructure and applications hosted by the enterprise and those hosted by the cloud computing provider, according to Walker.
As for BYOD, the business can mitigate risks to change management and security by ensuring that the devices, security policies and security protections are all part of one overall enterprise change process, Walker concludes.
The only thing consistent is change
If you find an opportunity where a little change leads to a lot of profit, take it. Otherwise, expect that as we make new discoveries and develop new technologies in greater numbers at a pace we can hardly keep up with, head spinning change will increasingly become a constant in building new business. This will come with challenges to change management and security.