Qarik Group has been helping companies transition from data-center-native to cloud native by modernizing how they build and run software. In this episode of TFiR: T3M, Swapnil Bhartiya and Glenn Russell, Principal Engineer at Qarik, talk about the evolution from legacy IT to cloud native and how the threat landscape has changed. They discuss some of the key challenges and how teams are responding to the ever-changing security threats.
Evolution of security from legacy IT to cloud-native:
- The key components of a good security program remain the same, managing access, managing logs and events. The challenges with cloud is the choice and complexity.
- Legacy applications still play a significant role in enterprise workloads, and migrating those into multi-cloud and public cloud, while still maintaining resilience and business continuity is the challenge.
Is security still an afterthought?
- More customers’ teams are increasingly focused on security and shifting left. While security vendors on the public clouds are getting better at providing tools for those teams, it is still a challenge shifting from the data center-based monolith to cloud-native.
How is platform engineering helping security?
- Platform engineering is helping developers build applications quickly and securely since that is what makes the business successful, whether it is a blue-chip company or just a travel company.
- Security needs to be baked in at the start of the application lifecycle not the end and platform engineering can help bring focus where it belongs – at the start.
What cultural changes are happening?
- Security practitioners of large companies are realizing they cannot do it all themselves. Enterprises are increasingly looking to decentralize the job of security and making it everyone’s concern.
- We need to empower teams by giving them the ability, responsibility, and trust to do the right thing since this can reduce vulnerability rates, make better code, and increase deployment times.
What are some new threats?
- New technology which is garnering a lot of attention, such as ChatGPT, will always attract the attacker side who will see it as an opportunity to compromise a set of credentials and plant malware.
- Whereas previously we could make a good judgment call as to whether a LinkedIn request was genuine, with the advent of AI it is becoming harder and harder.
- This is the same with socially engineered attacks in that you are making a connection with somebody who has malicious intent.
Security is a journey not a destination
- Security starts with the fundamentals such as getting a customer to understand about the principles of least privilege and the principle of a breach-first mentality.
- Only after these are fully understood can you encourage customers to think about their technology and apps and how to implement that in the code and automation.
- Qarik is helping bridge the gap between the technology and security vendors.
Advice for companies migrating to the cloud:
- Communication is key, particularly at the start of the journey ensuring that every stakeholder is in the room and everyone fully understands the journey, what the end goal is, and how the teams are going to get there.
- Ensuring that everyone understands the security goals at a fine grained level, such as the change in the security controls or the design of the security controls.
- Having a project manager or program manager in place to help guide the transition.
This summary was written by Emily Nicholls.