Digital As Default: Dealing With Unintended Consequences

The destination of digital transformation has always been a ‘digital as default’ operating model.

I can’t remember the last time someone left a phone book on my front porch or handed me a DVD of a new movie to watch. When I want to play a new game, I use the store on my console. I certainly don’t get up and drive to a physical game store and browse cartridges anymore. And updates? They’re automatically delivered.  Seriously, even my favourite tabletop RPGs are digital today. I don’t have to drag thirteen books and several pounds of dice to someone’s house to play. I just need my laptop.

Not that I’m giving up my dice. Cause that’s just crazy talk. But I am using more digital because business is giving us more digital.

In the past year, every industry has progressed rapidly – motivated by necessity – to the second and third phases of digital transformation.

Phase 1: task automation 

In this stage, digitalization leads businesses to turn human-oriented business tasks to various forms of automation, which means more applications are introduced or created as part of the business flow. This began with automating well-defined, individual tasks to improve efficiencies. A common example is IVR systems that answer common questions about a product or service but may need to hand off to a human representative. In this phase, individual tasks are automated, but not consistently integrated.

The unintended consequence: more code 

The average iPhone app takes less than 50,000 lines of code. Google? More than 2 million. Most apps are somewhere in between. All that code needs to be maintained and updated and secured, and organizations have been expanding their code base across architectures for years. Now they’re operating five distinct architectures and three to four different code bases from COBOL to C to JS to Go.

And that doesn’t count the growing use of JSON and YAML and Python as organizations adopt infrastructure as code. That’s more than half (52%) according to our annual State of Application Strategy Report, and it’s only going to keep growing as organizations dipping their toes into AI and ML start to adopt operational practices that include models and algorithms as code, too.

Phase 2: digital expansion 

As businesses start taking advantage of cloud-native infrastructure and driving automation through their own software development, it leads to a new generation of applications to support the scaling and further expansion of their digital model.

The driver behind this phase is that business leaders become involved in application decisions designed to differentiate or provide unique customer engagement.

For example, healthcare providers are increasingly integrating patient records and billing with admission, discharge, and scheduling systems. Automated appointment reminders can then eliminate manual processes. Focusing on end-to-end business process improvement is the common theme in this phase.

The unintended consequence: more connections

Digital as default and the modernization of IT means more connections—between applications, systems, devices, consumers, partners, and APIs. Every one of them is a potential entry point, one that could ultimately result in a significant breach or compromise of systems.

Phase 3: AI-assisted business 

As businesses further advance on their digital journey and leverage more advanced capabilities via application platforms, business telemetry and data analytics, and ML/AI technologies, businesses will become AI-assisted.

Behavioural analysis can be used to distinguish legitimate users from bots attempting to gain access. Technology and analytics have enabled AI-assisted identification of those users to let them in, boosting revenue and improving customer retention.

The unintended consequence: more data

Lastly, digital as default necessarily results in more data. Not just customer data, orders, products, addresses, payment details – but operational data like metrics and logs. A digital business needs telemetry to understand visitors, engagement patterns, performance, unusual flows, and anomalous behaviour. That telemetry isn’t something that can be analysed and thrown out, at least not right away. Days, if not weeks or months, of telemetry can be required to properly establish operational baselines and then uncover patterns that feed into business decisions as well as anomalies indicative of an attack.

All that data needs attention. It needs to be normalized, stored, processed, analysed, and curated. And it needs security, because some of that data may contain protected customer bits requiring compliance and regulatory oversight.

The unintended result of digital transformation: more complexity 

No matter how fast or slowly an organization progresses through these phases, the result is the same: more complexity, which is the enemy of security.

So, for security professionals digital as default means new challenges. One of the ways to deal with this set of security challenges is to break it down into more manageable categories.

Simplify to keep your sanity

Most of the security challenges can be broadly grouped into three categories: application, infrastructure, and business. These higher-level categories are good for managing up when you need funding or executive support. They’re also good for triage when determining the best approach to mitigate them.

App layer → DevSecOps

App layer vulnerabilities can be addressed with a shift left approach, that is, making security a part of every pipeline—from development to deployment to operation.

From WAF to DAST to RASP to SAST, tools abound to help scan and secure code. Most of them are fully capable of integrating with the development pipeline. By automating scans, you effectively eliminate a hand-off—and the associated time sink.

Infrastructure vulnerabilities → distributed defense

More traditional vulnerabilities like volumetric DDoS and DNS amplification live in the infrastructure layer.

Infrastructure layer vulnerabilities need more of a shield right approach—where security services defend against live attacks, because there are ways to process them out.

Even before work from home became a more or less permanent thing, people traveled—and that meant mobile distributed endpoints.

This is driving the need for distributed app and identity-centric solutions to defend infrastructure and applications. That means SASE and Zero Trust, and the use of edge to move infrastructure defensive services closer to the origin of attacks. SASE and ZTNA shift policy from IP addresses and networks to users and devices and require proof of identity to access applications and resources.

Business vulnerabilities → AI-assistance

Finally, there are the business layer vulnerabilities. F5 Labs research notes that the average DDoS attack size increased by 55% over the past year, with education one of the most targeted industries in early 2021. Credential stuffing attacks were launched against video gamers in 2020 to the tune of more than 500,000 per hour. These must be dealt with in real-time.

That’s why it’s no surprise that AI-assisted security is being adopted at a frenetic pace, to keep up with the crazy rate at which new attacks and new ways to execute old attacks are developed and launched.

The ability to accurately process and predict potential attacks was cited by 45% of respondents to our annual research as missing from their current monitoring solutions. AI is one answer to that, with the promise of real-time analysis of data via trained models that can detect and alert us to a possible attack.

Digital as default is the new normal 

Ultimately, all this digitization is creating a distributed and data-driven world. And that means more ways for attackers to gain access, exfiltrate data, and generally make a mess of things. In a digital as default world, security needs a digital stack and that means DevSecOps, a distributed defense model, and AI-assisted security.

• Lori MacVittie, Principal Technical Evangelist, Office of the CTO at F5