Changing up security to protect a CPG’s hybrid cloud journey


Retail and consumer-packaged goods (CPG) companies have been operating in a radically shifting business environment for years. To survive and thrive, they’ve had to embrace new technologies that also are radically changing. Cloud initiatives, for example, are morphing to hybrid approaches that mix on premise, hosted private and public clouds. And that change begets more change, like the requirement to adopt a new approach to information security.

Don’t misunderstand. Change is good when we consider cloud’s benefits. Whether private or public, cloud is all about cutting costs and delivering the agility and speed retailers and CPGs need to facilitate change – change that brings products to market faster and enables proactive responses to customer and market demands and to supply chain fluctuations. Adding public cloud can deliver even more benefits, giving enterprises access to greater levels of innovation. Moreover, they can extract all the advantages of modern applications that were designed explicitly for cloud environments.

But the shift to public cloud opens the door to new risks, and it’s up to the companies to ensure those risks are mitigated. Public clouds are not exempt from malware attacks – they get attacked on a daily basis – and security must be paramount.

The latest Verizon 2018 Data Breach Investigations Report analyzed tens of thousands of security incidents, and confirmed 2,216 data breaches. Ransomware, which hijacks and either encrypts or disables a system until the victim gives up a ransom, is a particularly troublesome type of phishing attack, and according to Verizon’s report, is the most prevalent variety of malware. It was found in 39 percent of malware cases identified, more than double that of last year’s report.

Change and embed from the get-go

What retailers and CPGs need to do is make sure security is embedded in everything from the get-go. It needs to be done in the same manner as DevOps, where work is iterative, fast and delivers continuous incremental improvements. If something doesn’t work, fix it quickly. And leverage automation whenever you can to prevent the failure from happening again.

Speaking of DevOps, make sure security is developed, tested, integrated and delivered as part of the larger CloudOps model I talked about in a recent blog post. As I said then, a cloud operations team serves as the single point of accountability and responsibility for the hybrid cloud environment, overseeing all the IT elements end-to-end. There can be no silos, because successfully managing a hybrid environment requires end-to-end visibility and processes. The same goes for securing one.

Call it the DevSecOps model, a digital foundation that can accept, execute and track valid, necessary changes via code – automatically as needed – across all underlying infrastructure, including network, compute and storage. That means if a penetration test finds a vulnerability in your web application firewalls, a fix can be implemented accurately and swiftly to eliminate the vulnerability across the enterprise. This infrastructure-as-code approach is critical in helping companies get the most out of their hybrid cloud journey.

Integrate end-to-end

From DevSecOps, transition to ISecOps – an integrated security operation that delivers end-to-end visibility and management and correlates security rules events with business requirements. Make sure to apply analytics to ISecOps, because when something happens in the network, there’s always a ripple effect. If a distributed denial of service (DDoS) attack hits and freezes the network, people don’t call the help desk saying there’s a network problem. They complain that they can’t access a database, or that the database response is slow and causing timeouts during a transaction.

Over time, you’ll have a baseline with which to compare daily events, and that baseline will help sharpen the discovery of outliers and develop preventive actions. This is key in a hybrid cloud environment that’s supporting hundreds or thousands of workloads and massive amounts of data. A mid-sized company probably experiences millions of events each day, and a large company can have hundreds of millions. There simply aren’t enough people on hand to review all those events to determine their impact.
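One way to automate the baseline comparison described above, as an added example that is not from the original post: each source's event count for today is scored against its own history with a median/MAD modified z-score. The source names, counts and the 3.5 threshold are constructed assumptions.

```python
from statistics import median

# Constructed sample data: daily security-event counts per source (7-day baseline).
BASELINE = {
    "edge-fw":  [10210, 9980, 10105, 10340, 9875, 10020, 10150],
    "db-proxy": [420, 433, 410, 428, 415, 440, 425],
    "vpn-gw":   [1500, 1480, 1525, 1490, 1510, 1475, 1505],
}
# Constructed counts for the day under review.
TODAY = {"edge-fw": 10090, "db-proxy": 2960, "vpn-gw": 1498, "new-k8s-node": 75}


def robust_z(history, value):
    """Modified z-score from median and MAD, so one past spike does not
    inflate the baseline the way a mean/standard deviation would."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Perfectly flat history: any deviation at all is an outlier.
        return 0.0 if value == med else float("inf") * (1 if value > med else -1)
    return 0.6745 * (value - med) / mad


def find_outliers(baseline, today, threshold=3.5):
    """Return (source, count, reason) for every source that needs a human look."""
    findings = []
    for source, count in sorted(today.items()):
        history = baseline.get(source)
        if not history:
            # A workload that appeared without a baseline is itself a finding.
            findings.append((source, count, "no-baseline"))
            continue
        z = robust_z(history, count)
        if abs(z) > threshold:
            # A drop matters too: a log source that goes quiet may be broken or tampered with.
            findings.append((source, count, "spike" if z > 0 else "drop"))
    return findings


if __name__ == "__main__":
    for finding in find_outliers(BASELINE, TODAY):
        print(finding)
```

Only the flagged sources reach an analyst; the sources that stayed within their own normal range are filtered out automatically.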

Root-cause analysis will help you dissect a problem and determine the cause. Was it a router failure? A security breach? Something else? Adding automation to that root-cause analysis helps protect you around the clock, and when combined with intelligence and even machine learning, problems can be corrected even before the calls come into the help desk.

Make antifragile and future-proof

Another pro tip: make sure the system you put in place thrives on fragility and chaos, two palpable qualities of hybrid cloud computing. This is the concept of antifragility — a phrase coined by Nassim Taleb in 2012 — that implies survival of the fittest.

Antifragility is something that gains from disorder, rather than losing from disorder. Consider this example: a data center with no backup power; a data center with battery backup; one with a battery and generator; and one with a battery, generator, and diesel supply. In the event of a power outage, the first is most fragile, while the last is more antifragile. In fact, the latter could possibly sell some fuel to another site, thriving from the chaos.

Include a dashboard as part of your security solution that provides a single window of visibility and drilldown capabilities. Business executives want the high-level visibility and security pros need to be able to drill down to find root causes.

Plan for the future and adjust accordingly. Remember, it wasn’t too long ago that we had a single app running on a single hardware platform. We moved fast to virtual machines with multiple apps running on the same physical hardware. Now we’ve got containers on virtual machines running on physical hardware so we can have much more granularity.

In order to secure that model we need to enact micro-segmentation that carves out specific lanes for specific traffic, even if the traffic is all flowing over the same physical network infrastructure. And consider application whitelisting, which identifies applications and permits their presence on a system to protect computers and networks from potential harm. Whitelisting is the reverse of blacklisting, which identifies bad actors up front and restricts them from systems. Another pro tip: whenever you can, automate micro-segmentation and whitelisting.
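A sketch of micro-segmentation expressed as an automated allowlist, added here as an example and not taken from the original post: segments share one address space, only explicitly listed lanes are permitted, and everything else is denied by default. The segment names, subnets, ports and flows are hypothetical values constructed for illustration.

```python
import ipaddress

# Hypothetical segments (constructed); all sit on the same physical network.
SEGMENTS = {
    "web": ipaddress.ip_network("10.10.1.0/24"),
    "app": ipaddress.ip_network("10.10.2.0/24"),
    "db":  ipaddress.ip_network("10.10.3.0/24"),
}
# Allowlist of lanes: (source segment, destination segment, protocol, port).
LANES = {
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 5432),
}


def segment_of(ip):
    """Map an address to its segment name, or None if it belongs to no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flow):
    """Default deny: a flow passes only if it matches a lane exactly."""
    src, dst, proto, port = flow
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny: endpoint outside any known segment"
    if (s, d, proto, port) in LANES:
        return "allow"
    return f"deny: no lane {s}->{d} {proto}/{port}"


def audit(flows):
    """Return only the flows the policy rejects, with the reason for each."""
    return [(f, v) for f in flows if (v := evaluate(f)) != "allow"]


# Constructed flow records, e.g. as they might come from flow logs.
FLOWS = [
    ("10.10.1.15", "10.10.2.20", "tcp", 8443),   # web -> app on its lane
    ("10.10.2.20", "10.10.3.5", "tcp", 5432),    # app -> db on its lane
    ("10.10.1.15", "10.10.3.5", "tcp", 5432),    # web skipping the app tier
    ("10.10.2.20", "10.10.2.21", "tcp", 22),     # lateral movement inside app
    ("192.168.7.9", "10.10.3.5", "tcp", 5432),   # unknown source
]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(flow, "->", verdict)
```

Because the lanes are plain data, the same file can be reviewed, versioned and pushed to enforcement points automatically, which is the automation the paragraph above recommends.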

In the end, it all comes down to this. In today’s environment, change is good. Traditionally, we’ve viewed change as bad, because when change happens it often means things may go wrong. In the new world, change is what we do, and what we thrive on. It provides new business functionality and we need to take advantage of that. Just make sure security is a central part of that change.

René Aerdts is DXC’s chief technologist for a global consumer goods corporation client, for which he leads the technology strategy and provides the technical vision to advance the objectives of the business. Integral to that process, René drives innovation and inspires selective disruption to enable the client to thrive through accelerating change in the industry.


  1. Limousines Cyprus says:

    Hybrid is good for security. I have checked the network, compute and storage system and found that a couple of things need to change its secured feature in a better way.
