Santa Clara (California), June 8: Security has moved from being a peripheral issue for companies to being the core of their concerns, with the concept now embedded in the design phase itself, according to a top security official of CA Technologies.
"All the companies followed a 'waterfall method' where different concerns came in at different stages, so to say, of a waterfall. But now security is 'shifting left' right to the beginning of an application or service, right from design conceptualisation," said Mordecai Rosen, General Manager, CA Security.
This shift had been brought about by the large-scale attacks that had come to the fore in the last few years, and also because governments have moved in with regulation, especially in Europe, where the General Data Protection Regulation (GDPR) has stepped up the requirements on companies to protect the privacy of individuals and their data, he said.
Attacks were always happening, but now the scale and frequency had moved up significantly, and for this automation needs to be brought in and protection built into all systems "from the word go," Rosen said, talking to a small group of journalists on the sidelines of CA's "Built to Change Summit".
He said most of the earlier attackers or hackers went in for the "low hanging fruit", where identities were easy to hack or where, because of the carelessness of individuals and companies, access could be breached easily.
Any company faces a wide variety of attacks looking for vulnerabilities where they could find a "door open". As an example, he said that a large dot-com company had 80 million attacks every month, showing the enormity of the scale of hacking.
However, he said technology could be brought in to better protect software. Machine Learning, Artificial Intelligence (AI) and intelligent design were all tools which could be used to safeguard applications and other software from attacks.
But what gives nightmares to a security official like Rosen is the use of those very tools, like AI, by state actors which are going about in an organised manner to collect intelligence and subvert institutions.
Although he did not say who these state actors were, China and Russia have emerged as countries which have been known to have huge staff just for systematically entering institutions and companies either for intelligence gathering or for subversion.
Rosen said identity protection and access management in companies had become much more important in the last five years and would become even more important in the next five. He said security can no longer be operated by a handful of people sitting in a room.
"There has to be a cultural shift about security right from the boardroom down to the lowest level, with budgets provided for," he said, adding that this had started happening in large companies but the culture changes have to seep down to all companies and institutions.
He said detection and containment were always important but had become more so now with the scale of attacks increasing exponentially.
Most of the breaches that one reads about, said Rosen, came through compromised ID or through "known vulnerability." But this will become more sophisticated as attackers adopt the modern tools of AI.
"We use the latest tech to protect; they use it to attack," he said, adding that it was a game that would continue to happen, but if security was embedded in the design phase itself, many of the attacks could be thwarted.
He said companies earlier used to look at development operations (DevOps) for making software of any kind. With security taking centre stage, it is "DevSecOps" that everyone is now talking about.
He said his concern about security was even further elevated when he realised that the whole economy of the United States was becoming digital without the commensurate protections in place. "This has to change. Security must take centre stage in every business person's mind," he added.