A SecurityWeek Event

A VIRTUAL EVENT FOR 2023

An Exclusive Forum For Information Security Leaders

June 13-14th, 2023

2023 Diamond Sponsor: Palo Alto Networks

2023 Platinum Sponsors: Abnormal, CardinalOps

2023 Gold Sponsors: ReversingLabs, Uptycs, Proofpoint, Lacework, Eclypsium, Saviynt, Synopsys

2023 Featured Speakers

Adam Ely: Fidelity, CISO
Shaun Marion: McDonald’s, VP, CISO
Kathy Wang: Discord, CSO
Lena Smart: MongoDB, CISO
Jason Shockey: Cenlar FSB, SVP, CISO
Igor Varnava: Five9, SVP, CISO
Brian Markham: EAB, CISO
Chris Castaldo: Crossbeam, CISO
Michael Piacente: Hitch Partners, Managing Partner
Evan Wolff: Crowell & Moring, Partner
Jonathan Jaffe: Lemonade, CISO

2023 Agenda is Coming Soon

Designed for senior-level cybersecurity leaders to discuss, share and learn innovative information security and risk management strategies, SecurityWeek’s CISO Forum will take place in 2023 as a virtual event.

Throughout this two-day virtual event, sessions will have a strong focus on participation from CISOs in panel discussions along with talks from industry experts, analysts and other end users, and thought leadership, strategy and technical sessions.

Through a cutting-edge platform, attendees will be able to interact with speakers and sponsors, and visit networking lounges, subject-specific discussion areas, and sponsor booths in a virtual expo hall.


Previous CISO Forum Speakers

Adrian Stone: Peloton, VP, CISO
Anne Marie Zettlemoyer: Mastercard, VP, Security Engineering
Caleb Sima: Robinhood, CISO
Allan Friedman: Cybersecurity and Infrastructure Security Agency (CISA), SBOM Champion
Summer Craze Fowler: Argo AI, CISO/CIO
Fredrick ‘Flee’ Lee: Gusto, Chief Security Officer
Shaila Shankar: Cisco, SVP and General Manager of Cisco Cloud Network and Security
Jonathan Jaffe: Lemonade, CISO
Aanchal Gupta: Microsoft, VP, Azure Security
Lena Smart: MongoDB, CISO
Sounil Yu: JupiterOne, CISO
Theresa Payton: Former White House CIO, star of the CBS TV series “Hunted”, and leading cybersecurity expert

The Five Things CSOs Need to Know About Software-Defined Security

01/14/2015

The business benefits of moving workloads to the cloud are so compelling that most enterprises are now investing heavily in this direction. Lower cost infrastructure frees up IT budget that can be focused on net new applications and business innovation.

While driving capital expenditures to near zero is a good aspirational goal, the reality is that most organizations will end up with mixed environments of physical data centers, private cloud and public cloud. The question is: how are companies supposed to keep business-critical assets safe in this new model?

In a cloud and virtual infrastructure world, security and compliance consistently bubble to the top of the list of concerns. In fact, in a recent report, Gartner identified security as one of the top 10 information technology priorities for 2015.

For decades, IT and Internet security has been built around models that assume the availability of fixed perimeters, hardware security appliances, physical proximity of data and explicit control of physical topology.

Cloud environments – including cloud hosting, virtualization and software defined infrastructure – disrupt these assumptions dramatically. And the ripple effects extend to many major IT trends including Software-Defined Data Centers (SDDC), Infrastructure-as-a-Service (IaaS), IT-as-a-service (ITaaS) and software-defined storage.

While the use of “software defined” infrastructure is attractive, it imposes technical and operational characteristics that differ significantly from traditional IT infrastructure strategies.

A few of these differences include broader IT asset distribution, high rates of change, greater diversity in deployed technologies, and large variability in scale. Of course, another key difference is that very often the underlying physical infrastructure is owned and operated by a third party.

It’s clear that new security strategies are needed — traditional, perimeter-based security models simply don’t work in the cloud.

Leading analysts, CIOs and CSOs agree that adopting a Software-Defined Security (SDSec) architecture is necessary to ensure that security and compliance do not slow down the movement to cloud infrastructure, but rather complement and accelerate the value it delivers to the enterprise. Security and compliance management must evolve to succeed in these massively scalable, fast-moving environments.

So how do we get there? Five key architectural principles have emerged that are central to enabling security and compliance to keep up with software-defined infrastructure. These five principles are:

Abstraction: Most traditional infrastructure security strategies depend on physical constructs such as hardware appliances, physical network segmentation, and proximity of computing components. Given that the underlying infrastructure itself is becoming more virtualized and more widely distributed, security and compliance for the cloud needs to be virtualized and able to operate regardless of where underlying hardware might be physically located.

A true software-defined security strategy should also be independent of any specific infrastructure platform, vendor, or service provider. Achieving infrastructure security abstraction makes security organizations more adaptable in their ability to support any infrastructure model, including a mix of private, public, and hybrid infrastructures (a.k.a., multi-cloud infrastructure) in addition to virtualized and bare-metal systems.

Automation: Manual monitoring and audit of security policies in virtual infrastructure is not feasible and could lead to serious mistakes and slow reaction to business needs. What is required is security automation that implements security and compliance controls (e.g. firewall policies, intrusion detection) with minimal human intervention in deployment, configuration, and operation. Well-implemented automation will enable security organizations to keep up with the scale and rapid rate of change associated with emerging cloud infrastructure models. In an ideal world, even automated control deployment is not enough. Most desirable is full lifecycle automation, in which policies are set once and tied to some context, after which underlying controls are 100% automated at each stage of the control’s lifecycle—from deployment to de-provisioning. Keeping up with cloud infrastructure velocity means automation throughout the lifecycle of every enforcement and monitoring control. In addition, modern, software-defined security must be on-demand for low friction, and have “instant on” availability for audit and compliance.

Orchestration: Trying to manually provision security for virtual infrastructure simply won’t work in the dynamic, elastic nature of cloud. Security orchestration reduces the time, effort and potential for error associated with deploying multiple control systems across multiple application or infrastructure environments.

Business security requirements must be satisfied by dynamic, automated, centrally managed composition of individual controls into integrated, holistic security services. Security orchestration platforms centrally manage the composition, deployment, and management of individual control components into more complex, service-oriented security systems. By composing many individual controls into a larger system, security orchestration is considered to be a higher order function than simple control automation. In many implementations, orchestration also addresses licensing, metering, chargeback, and other security resource consumption issues—important in service-oriented cloud computing and software-defined infrastructure environments.

A key strategic value of orchestration is the ability to rapidly create and maintain numerous security environments that are aligned with higher-level business needs while keeping pace with automated deployment, migration, and reconfiguration needs of the underlying application environment.

Security orchestration also reduces the time, effort, and potential for error associated with deploying multiple control systems across multiple application or infrastructure environments. This streamlines control deployment, integration, and change management, preventing security from becoming a speed bump in an otherwise seamlessly orchestrated environment.

And as technology delivery becomes increasingly service-oriented, orchestration can relieve the administrative complexities of usage-based security resource management.

Automatic Scalability: Scaling application and infrastructure environments automatically, on-demand, and in near real-time is one of the essential capabilities that makes cloud computing so valuable. Dealing with seasonality or other fluctuations in demand once required maintaining sufficient idle infrastructure capacity to meet peak demand, often on a per-application basis. This approach was operationally and economically inefficient. Security and compliance control capacity must also scale up or down dynamically – and without human intervention.

This means that controls must be deployed directly into the application scaling mechanism (e.g., building controls directly into cloud-burstable virtual machines) or must have the ability to scale based on application scaling triggers (e.g., detection of a cloud-burst triggers deployment of more virtual appliances). Given that an arbitrary number of security controls may potentially be needed across an arbitrary number of diverse application environments, the SDSec principles of orchestration and automation are often leveraged to achieve automatic scalability.

Cloud-oriented application hosting models that support instant deployment and dynamic capacity will demand security that can automatically scale. Automatic scalability as a feature of an on-demand, orchestrated security service is an optimal strategy for implementing software-defined security.
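The lifecycle automation described under Automation (policies set once and bound to a context, controls deployed and de-provisioned without human intervention) and the scaling-trigger model described under Automatic Scalability can be sketched as one reconciliation loop. The following is an added illustration, not code from the article or any vendor product; the tier tags, control names and scaling events are constructed, and the loop is driven by inventory snapshots that an application scaling trigger would supply.

```python
from dataclasses import dataclass, field

# Policies are set once and bound to a context tag (the workload tier).
# Hypothetical control names, constructed for this example.
POLICY_BY_TIER = {
    "web": {"host-firewall", "ids-sensor"},
    "db": {"host-firewall", "file-integrity"},
}

@dataclass
class SecurityControlPlane:
    """Keeps the set of controls on each instance in step with the inventory."""
    deployed: dict = field(default_factory=dict)  # instance_id -> set of controls
    actions: list = field(default_factory=list)   # audit trail of what was done

    def reconcile(self, inventory):
        """inventory: {instance_id: tier}, as reported by the scaling trigger.
        Returns (controls deployed, controls de-provisioned, uncovered instances)."""
        added = removed = 0
        uncovered = []
        for inst, tier in inventory.items():
            wanted = POLICY_BY_TIER.get(tier)
            if wanted is None:            # no policy bound to this context: flag it
                uncovered.append(inst)
                continue
            have = self.deployed.setdefault(inst, set())
            for ctl in sorted(wanted - have):   # scale-out: deploy what is missing
                self.actions.append(f"deploy {ctl} -> {inst}")
                have.add(ctl)
                added += 1
        for inst in list(self.deployed):  # scale-in: tear down, leave nothing orphaned
            if inst not in inventory:
                for ctl in sorted(self.deployed.pop(inst)):
                    self.actions.append(f"deprovision {ctl} <- {inst}")
                    removed += 1
        return added, removed, uncovered

def run_scaling_events(events):
    """Feed a sequence of inventory snapshots (constructed scaling events)."""
    plane = SecurityControlPlane()
    return [plane.reconcile(snapshot) for snapshot in events]

if __name__ == "__main__":
    # Constructed events: scale-out to three instances, scale-in to one,
    # then a new instance whose tier has no bound policy.
    EVENTS = [
        {"web-1": "web"},
        {"web-1": "web", "web-2": "web", "db-1": "db"},
        {"web-1": "web"},
        {"web-1": "web", "cache-1": "cache"},
    ]
    for result in run_scaling_events(EVENTS):
        print(result)
```

The last event shows the failure mode worth monitoring: an autoscaled instance whose context has no bound policy is reported as uncovered rather than silently left without controls.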

API Enablement: Security monitoring and enforcement control functions should be fully accessible via open Application Programming Interfaces (APIs), so that security and infrastructure organizations can fully integrate and use the tools with which they’re already familiar. CSOs and their organizations should insist on open API enablement of any security solution, especially those oriented to software-defined and cloud computing operations.

These five principles of software defined security—abstraction, automation, orchestration, automatic scalability, and API enablement—can go a long way to ensuring the success of security and compliance programs for enterprises transforming to cloud-oriented infrastructure and technology delivery.

Software-defined security changes the game for the CISO and their teams. Security can now move to being an enabler for enterprises that are taking advantage of the business value offered by cloud services and infrastructure, without sacrificing security or compliance.
