SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Interview: vArmour on using visibility to create secure application policies
Tue, 18th Dec 2018
FYI, this story is more than a year old

Organisations are adopting cloud applications at an increased rate, leaving security solutions struggling to keep up.

However, without visibility into their applications and their ecosystems, it can be hard for organisations to secure their data.

TechDay spoke to vArmour products, strategy, and business development vice president Keith Stewart about how companies develop visibility into their application flows.

What are the biggest challenges enterprises are facing in securing the hybrid cloud?

We're seeing that applications are becoming more distributed and more complex, so enterprises are becoming blind to their application flows.

The cloud runs applications more effectively and more on-demand, but there's added complexity now and it's difficult to gain an understanding of how they're all interacting with one another.

So the two big challenges that we see most people struggling with is being able to understand the applications in their inventory, and determining whether or not their applications are compliant with regulatory requirements.

Why is vArmour focusing on an application controller as a solution to these challenges?

vArmour puts a lot of energy into making the technology simple, easy to use and operate.

People don't have time to talk to salespeople and read a bunch of material - if it's too complicated, they're just going to end up not using it.

Our application controller service is entirely available online.

Customers can go to the website, get activated in less than an hour and they can see how it adds value to allowing them to understand their application flows, suggest, and help them build policies and protocols that will make them compliant with the security standards they need.

How did vArmour factor in customer experience when creating the user interface of the application controller?

Simplicity is all about an emphasis on the customer, the customer journey, their day, their tasks.

Nobody in the enterprise has the time to do all the stuff they need to do, so I think if you can help them with that, you can add value for them.

Every company has a cloud strategy, but with that comes complexity of understanding their apps, their data, and making sure that the applications they're using are secure - so we tried to make this as easy as possible for users when considering the customer experience.

How does the application controller navigate the need to understand different cloud environments?

A lot of the complexity shows across the different cloud environments available.

For example, you may have web servers running on Azure and bare metal servers that have been running on-premises for a decade.

Our application controller maps and understands those relationships by observing the flow of data between applications, computes it, then we model that from a business application view.

This makes it easier for someone to make good security decisions about and helps them to solve the security policy problem.

Do you want to have a basic policy that protects against some really bad things but is really safe? Or do you want a full zero trust policy to lock everything down?

That makes sense for your most critical assets, but not necessarily for your peripheral data that needs to move very quickly - and these are taken into account with the application controller.

What are some of the developments you're looking forward to the most in security?

Two technologies I've seen that I'm excited about are compliance-as-code and serverless security.

Organisations are starting to incorporate DevOps methods into how they run their businesses, and our technology is an enabler of that.

We have customers that use vArmour to protect mainframes as well as using us to protect DevOps.

In DevOps-based compliance-as-code model, security can be thought of and treated as code – where you can version it and test it – which then paves the way to a much more provable security model because it becomes a lot easier to keep track of rollbacks and change management.

This is an idea that we have been working on with some of our bigger banking clients – because it's the only way we can ultimately scale security to the size and scope of these organisations.

On the other hand, serverless security is still a while away. To get to that point, we need too many master practitioners and there aren't enough to go around.

By moving to a cloud-native approach to software, it's saying that we shouldn't need master practitioners, and moving to a model where the places we need people would be business-related, rather than tech-related which, in turn, empowers organisations.