Security teams everywhere are buried under an avalanche of tools, many of which perform a single function: firewalls, FIM, identity management, AV, SVA, encryption, etc. In fact, many security leaders I speak with are suffering from a malady known as “tool fatigue” that is sapping precious time and resources from their efforts to keep data and infrastructure protected.
This is not a surprise. In fact, it was quite predictable since we’ve seen this movie before. In the early 1990s there were lots of point solutions on the market for manufacturing floor automation, supply chain automation, inventory control and more. Enterprises bought a ton of this stuff but were then forced to spend time and money integrating them together. Whenever a tool’s API changed, it invariably broke all the integrations. Instead of developing net new applications, many IT organizations became experts at integration just to keep the business running.
Then along came SAP, who coined the term Enterprise Resource Planning (ERP). They pitched an approach that pre-integrated a number of these functions together into a single platform. No worries about integration; everything guaranteed to work and play nice together. Customers could choose: buy best-of-breed tools, but get into the integration business, or take a more strategic platform approach and focus on what you do best as a business. The market chose a platform approach. The rest is history.
We’ve actually seen this movie a number of times. The exact same scenario played itself out in the CRM space in the late 1990s. In fact, in any emerging technology market, the pattern repeats itself over and over again. As companies look to solve specific business and technical challenges, best-of-breed tools emerge. It’s only natural. The number and scope of these tools then grow exponentially as the market evolves. Everyone buys a ton of tools, but then wants them all to work better together. Eventually, someone architects and delivers a platform that does the integration work for you.
Spoiler alert: this movie is now playing out in the security space. Tool fatigue is rampant. Most security teams deal with 30-40 tools from different vendors. This saps time and energy as the team tries to figure out how to weave all these tools into a single protective security fabric: multiple contracts to manage, each with different pricing models and terms, integrations to build and maintain, conflicting technical models. It can become quite a mess. The fact is, this is a natural progression of an emerging space.
So what’s the solution? Take a step back and think strategically. Let’s learn the history lesson. Security leaders today should be thinking about ways to get out of the tools and integration business, and instead strategically architect their teams and processes around platforms. Taking a platform approach can free up precious resources that can now focus on what matters most to the business: agility, speed, efficiency and lowered risk.
Here’s what to look for in a modern security platform:
- On-Demand. Unlike the previously noted examples from the 1990s, modern platforms are delivered in an on-demand model. This makes it much easier to install, configure and deploy security functions and controls. Taking advantage of new capabilities, fixes and upgrades is greatly simplified since they just appear in the service. Pricing models for on-demand software are in many cases easier to handle since you pay for only what you consume. Although moving budget from capital expenditures to operational expenditures can be a challenge for some, it’s worth the effort since the benefits of the on-demand software delivery model far outweigh the short-term headache of rethinking how you pay for software.
- Automated. The rate of change of modern infrastructure is accelerating and is being driven by the consumerization of IT services at all levels. In order to keep up, security organizations need to invest in platforms that allow them to deploy and manage any security controls without human intervention. Full lifecycle automation is most desirable, in which policies are set once and tied to some context, after which underlying controls are 100% automated at each stage of the control’s lifecycle—from deployment to de-provisioning. This includes the automated collection of audit and operational data, especially in environments where infrastructure components are short-lived. Well-implemented automation will enable security organizations to keep up with the scale and rate of change associated with emerging infrastructure models.
- Orchestrated. Security orchestration platforms centrally manage the composition, deployment, and management of individual control components into more complex, service-oriented security systems. By composing many individual controls into a larger system, security orchestration is considered to be a higher order function than simple control automation. In many implementations, orchestration also addresses licensing, metering, chargeback, and other security resource consumption issues—important in service-oriented cloud computing and software-defined infrastructure environments. This allows security teams to rapidly create and maintain numerous security environments that are aligned with higher-level business needs while keeping pace with automated deployment, migration, and reconfiguration needs of the underlying application environment. Security orchestration also reduces the time, effort, and potential for error associated with deploying multiple control systems across multiple application or infrastructure environments.
- Scalable. Scaling application and infrastructure environments automatically, on-demand, and in near real-time is one of the essential capabilities that makes modern infrastructure so valuable. In response, security and compliance control capacity must scale up or down dynamically without human intervention. This means that controls must be deployed directly into the application scaling mechanism (e.g., building controls directly into master images) or must have the ability to scale based on application scaling triggers (e.g., deploying more virtual servers). This ensures that security controls will scale automatically based on business needs and, if the pricing model is aligned, that you pay for only what you consume in the way of security capabilities.
- Extensible. No platform will do everything. So make sure it is fully accessible via open (e.g., REST-based) application programming interfaces (APIs). This eases the burden of integration and allows security technology to operate in harmony with orchestrated application and infrastructure delivery. Besides making automation and orchestration possible, API enablement of security and compliance also offers a measure of future-proofing by providing flexibility as new demands emerge.
Platforms are the future of security technology. Taking a platform approach to technology decisions will enable security organizations to think (and act) strategically, saving time, money and resources while at the same time improving overall security postures.