Containers Expo Blog Authors: Yeshim Deniz, Liz McMillan, Pat Romanski, Zakia Bouachraoui, Elizabeth White

Related Topics: Containers Expo Blog

Containers Expo Blog: Article

Before Signing on the Dotted Line...

Evaluate for security

A recent report from PricewaterhouseCoopers confirmed that most security breaches occur in stored data. Exponential growth in storage capacity, coupled with emerging regulatory requirements, has led to an even greater increase in storage network vulnerabilities. Today, organizations are forced to recognize the critical importance of securing all types of data - from corporate confidential documents to enterprise instant messages to global personnel records. To meet these challenges, organizations must deploy a smarter, more cost-effective approach to security and veer from the prevalent method of developing and implementing patches only after problems are discovered. This article outlines a step-by-step process for organizations to use as they evaluate technology products.

Internal Perspective
Organizations can make better decisions about security products and reduce the potential back-end costs by researching a few key vendor practices; examining the vendor's corporate culture, specifically the security of their development process; insisting on a response plan for times when vulnerabilities are found; and demanding third-party assessments.

When researching information-technology products, organizations must investigate the vendor's security practices and determine the true cost of the product. A product's true cost is often not just the licensing costs, but also the time and money invested in patching a product once a vulnerability is discovered. Organizations need to make educated purchasing decisions rather than dedicate resources to applying patches after procuring a product, a process that can prove more costly in the long run. An educated purchase can prove less costly down the road. For example, the estimated cost to deploy a patch for a recognized software flaw runs on average $900 per server and $700 per client. If an organization misses a patch and gets hit by a virus, the cost will be magnified.

Vendors must demonstrate that security is a priority at each step of product development and delivery. Some software vendors provide training in secure coding practice and compensation tied to secure coding objectives, thereby strengthening the company's security culture. Organizations with a chief security officer and a team that analyzes product development for weaknesses, or hacks its own products, are clearly dedicated to security. It is better that the vendor notice product weaknesses before the flaw causes problems. The vendor should also run its own enterprise on its products; if a company doesn't trust its own products to secure secrets, why should you?

Patch Management
Before signing on the dotted line, organizations should be convinced of two important elements: the vendor has an aggressive plan to handle problems that may arise; and the vendor has a strictly adhered-to incident-response policy to determine the severity level of a vulnerability. These two elements help to mitigate security vulnerabilities should they arise.

Subsequently, the vendor should finish all relevant patches before announcing a security alert. Information distributed randomly to a handful of customers will exasperate rather than calm the situation. Further, the vendor's security policy should treat all customers equally by providing the same level of notice to all customers, regardless of their size or industry.

Validating Security Claims
Third-party validation represents a critical step in purchasing secure products. Vendors that are serious about security will submit their products for rigorous security evaluations conducted by independent authorities. These evaluations are recognized globally by various governing bodies and provide organizations with a level of assurance about the product's features and security claims. Sometimes, evaluators find product weaknesses and vulnerabilities that are corrected before the evaluation is completed or the product is released.

These evaluations are not without a price. However, reputable vendors know that remedying vulnerabilities found during an evaluation is cheaper than fixing a product already in use. For example, while the cost of an evaluation can reach $1 million, the cost to create and issue a patch for multiple versions of a product that is available on 20 different operating systems can easily cost that much, not including the cost of patch application. Clearly, creating secure products is in the best interest of the vendor and buyer.

Although this due diligence adds a step to the product procurement process, it raises the bar for security across the board. If the industry fails to follow these guidelines, it risks government agencies regulating the process. The U.S. government has already instituted compliance regulations such as Sarbanes-Oxley and the Health Insurance Portability Accountability Act (HIPAA) to govern the way the financial and healthcare industries guard their stored data.

Security as a De-facto Purchasing Criteria
"IT" now stands for "infrastructure technology," and needs to be as robust, secure, and reliable as physical infrastructure. We never worry about bridges failing, nor should we worry about some of our most critical IT systems - such as SANs, NAS, DAS, and backup environments - going down because of design defects.

Adhering to these security guidelines and choosing more robust products are prudent moves that will cut costs and improve business in the short and long term.

More Stories By Mary Ann Davidson

Mary Ann Davidson is the chief security officer at Oracle, and is responsible for security evaluations, assessments, and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC), and is on the editorial review board of the Secure Business Quarterly. Ms. Davidson has a B.S.M.E. from the University of Virginia and an M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, where she was awarded the Navy Achievement Medal.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

IoT & Smart Cities Stories
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...