As we move up the stack, our security posture changes. The concepts stay the same: least privilege, limited access, and so on all still apply. What changes is how we implement those controls. In the past, we could rely on a firewall at the edge. Yet, as we move up the stack, the edge has disappeared. When we move into microservices and containers, the edge gets blurred. So, where do we put our security controls? Do we rely on distributed firewalls or microsegmentation, or do we need something new?
Performing regular assessments to determine the efficacy of security programs is foundational to understanding the reliability of programs, security gaps, compliance issues, and whether security technology is ending up as “shelfware”. To gain continued program support and funding, information security teams are expected to evaluate and report, on a regular basis, on the performance of their existing security systems and the impact of their security controls.