Diego Arrabal, MEA Director, F5 Networks, says it is time to modernise security in the cloud-first, mobile-centric world.
The threat landscape is changing rapidly with new kinds of threats surfacing every day. Does this demand a change in security approaches in the Middle East?
The proliferation of cutting-edge technology in the Middle East is increasingly influential, particularly as innovative tech-enabled development plans continue apace.
The region’s businesses and government institutions have also historically been seen as prime targets for ambitious cybercriminals and state-sponsored hacking initiatives, so it is vital that defences are in order.
In particular, we are finding that businesses are still coming to terms with the onslaught of new technologies and concepts – such as the Internet of Things – infiltrating all aspects of our professional and personal lives. As a result, IT departments are often unprepared and under-resourced to implement sufficient defence strategies.
Poor visibility on the application layer, application migration to the cloud, the explosion of mobile devices and a lack of preparation within development teams are among the key issues organisations need to address with speed and substance.
We recently revealed findings from our first Annual State of Application Security report, which was conducted in partnership with the Ponemon Institute, and identified a number of worrying trends.
Despite a third of all applications being deemed critical to day-to-day activity, only 35 percent of surveyed respondents claimed to have the resources needed to detect vulnerabilities, and a mere 30 percent said they had the technology to remediate these issues. A full 88 percent were concerned about new and emerging cybersecurity threats weakening the future state of application security.
One of the major challenges is a sea-change in IT responsibility as business becomes more application-centric. In our work with the Ponemon Institute, we found that 56 percent of respondents believe accountability for application security is shifting from IT to the end-user or application owner. While 21 percent of respondents claimed the CIO or CTO is accountable, another 20 percent said nobody had full ownership. There are accountability issues here, and they need to be dealt with.
Companies in the region are faced with the challenge of supporting cloud-based applications and mobile environments while maintaining network reliability, security and speed. How can F5 address these challenges?
Traditionally, application delivery services have helped a business ensure its apps are secure, have high availability and are delivered fast, wherever and whenever the user needs them. As apps are moving to the cloud, so too are their application delivery services.
As more of the data centre becomes cloud-based and/or virtualised – via software-defined data centres – it follows that the management tools businesses rely on should enjoy the same level of flexibility.
Today, it is important to have application services that can operate across cloud, on-premises environments, and hybrid deployments. Companies can then scale IT resources across those environments, offering the same optimisation, security and availability you would expect from a traditional deployment contained within a data centre.
The way forward is very much an app-centric approach to availability services. It means fitting your infrastructure around the apps and the needs of those who use them, resulting in better speed, reliability, availability and security.
Ultimately, application services in the cloud are all about enabling businesses to fully tap into the benefits this environment brings. Decision-makers are increasingly aware of this, and are continually pushing for more flexibility and agility, without compromising any of the benefits a traditional on-premises deployment
Most enterprises focus their security strategies around the network perimeter, but it seems attacks are often targeted at applications and user identities. What kind of security architecture would you recommend for this new era of IT?
The traditional perimeter is dissolving and run-of-the-mill security strategies are quickly becoming a thing of the past.
Today, the world is entirely different. Workers are mobile, applications are in the cloud, and we’re connecting billions of devices to our networks. Security spend needs to be realigned to focus more on protecting applications and users.
In theory, the objective of securing 100 percent of your data and 100 percent of your communication networks is a daunting task. However, we believe the answer lies with the determination of the identity of users and the full-proxy isolation and defense of critical applications.
F5 stands out by securing access to applications from anywhere while protecting them wherever they reside. Based on an elastic security services fabric, F5 helps businesses protect sensitive data and intellectual property while minimising application downtime and maximising end-user productivity.
F5 is generally thought of as a network infrastructure vendor. Can you tell us about your security portfolio?
F5 offers a unique point-of-view on security. Traditional security point solutions focus on network protection and are therefore blind to application content. F5’s placement in the network provides visibility and analysis to all application traffic and allows customers to make decisions based on the potential risk to the application, and take necessary action against malicious activity.
Cloud applications and mobility have changed the game; data is stored and accessible by devices that you don’t control, on networks that you don’t own.
So, the question is, why are most enterprises still spending the bulk of their security budgets to protect the traditional network perimeter? In many respects, today’s security investments are misaligned with the reality of the threat landscape.
This view is confirmed by data from our F5 Labs team, which combines the expertise of our security researchers with threat intelligence data we collect to provide actionable, global intelligence on current cyber threats—and to identify future trends.
The way businesses and organisations approach security issues needs to change. F5 can play a unique role here, providing visibility into all application traffic, enhancing security portfolios with additional layers of intelligence that traditional defenses leave exposed. It is the contextual information that we keep on every user and session that allows us to layer all these defenses together in the F5 security platform.
What advice would you give to CISOs in the region?
Ultimately, application security is a collective responsibility. Stakeholders in the equation of a successful application deployment strategy should include the IT department, developers and DevOps. C-level executives also need to attribute more resources to this important area of business. Determining a sustainable ownership strategy for application security will help firms to deploy applications securely across their employee network for 24-hour access, on any device and from any location.