As a parent, I have pretty simple rules for my kids: Clean your rooms. Pick up your stuff. Don’t speed in the car. But as I’m writing this blog, I know that at least two out of my three kids are breaking those rules. They don’t quite comprehend that these rules aren’t just for my good. They’re for them too.
Similarly, we found out in our 2018 Oracle and KPMG Cloud Threat Report that 97 percent of respondents say their organizations have defined cloud-approval policies. But we also found that 82 percent of those respondents felt those rules were being ignored.
It’s a common scenario, and even an understandable one: Some line of business or another needs to get an application up to achieve a goal. They find or develop an application that will achieve that goal or put them on the cutting edge, and they decide they want to get it out quickly. “We’ll put it together, push it out, meet our goal, and ask for forgiveness later,” the thinking goes.
The problem is that this road leads to disappointment at the very least and disaster at the very worst. Say the security team is brought in at the very end, and they’re told, “We’re launching this app in a month. Let’s do what we need to do.” The security team has a series of minor heart attacks as they figure out how they’re going to fit four months of work into a month, and they bring the project to a grinding halt. Eventually, the app is brought up to compliance and proper configuration standards and is accepted as a “sanctioned” application.
Or let’s say that the line of business goes ahead and launches the app without checking the proper boxes with security at all. Now security doesn’t have any visibility into what’s happening with that app, can’t adequately protect it, and the organization gets breached. This is what we call an “unsanctioned” application.
In these scenarios, the difference between a line of business’ timeline for rolling out an application and security’s ability to secure it in that timeline is called the “Pace Gap.” It’s a real problem, but it’s also a problem with a solution.
The line of business and security team both have goals. The line of business wants to accomplish things quickly, and security wants to keep the organization safe. People often see these goals as being at odds with each other, but they don’t have to be. Security can actually help lines of business get their projects done faster, but they have to be involved from the beginning.
For instance, if you look at a traditional ERP application, it can take up to six months for a large enterprise to fully roll out that platform with the right entitlements and credentials. But if you’re able to port over all your on-premises identities to any new cloud application with a product like Oracle Identity Management Cloud, you can cut a significant amount of time off the project timeline—and satisfy both sides.
That’s the carrot. Here’s the stick. Even in the absence of a shortcut that shaves time off the schedule, folks need to slow their roll. Yes, that’s a technical term. If an organization gets breached, asking for forgiveness might not be an option. People are going to lose their jobs—even at the executive level.
So, folks shouldn’t just be incentivized to work with security teams. It should be mandated. One person needs to be in charge of understanding shared responsibility models, regulatory compliance issues, and all of the organization’s security needs and standards. That same person should be empowered and given full visibility and the support of the organization to either approve an application’s deployment or to halt it.
If you’re an avid reader of this blog, you’ll know that we’re big advocates for having a cloud security architect, but really, organizations just need to have somebody with the right knowledge who can act as a gatekeeper for the company. With that person’s guidance, the organization can start forming best practices that accomplish both goals—a timely release of a much-needed application and the right security measures in place to keep it protected.
Once this becomes common practice and the pace gap is closed, all parties can rest a bit easier knowing that their needs are being taken care of.
For more on this topic, see our webcast Keeping Security Pace at the Speed of Emerging Technologies.