As organizations consider moving to the cloud or architecting their applications in the cloud, security is top of mind. In the June 2020 cloud security survey, 68% of respondents stated that security, privacy, and compliance should be built in as foundational principles when migrating to the cloud. This finding is consistent with the rise of DevSecOps over the past couple of years and the “shift security left” mindset.
By AJ Yawn, Cloud Security Expert
This finding from the survey may sound a lot like DevSecOps, a concept in the security industry that is gaining more and more traction as teams embed security into the software development lifecycle. DevSecOps is Security + DevOps (Development + Operations) running together as a single, cohesive unit. The underlying principle of DevSecOps is to unite security teams and application developers, creating a collaborative environment where security is a shared responsibility in the continuous integration/continuous deployment (CI/CD) pipeline. DevSecOps is often focused on adding new security tools to integrate security in the software development lifecycle. The DevSecOps mentality does not have to be restricted to just the development teams, this mentality shows itself through three cultural security shifts in organizations.
Integrating Security Early
As security practitioners, we should aim to add security as a cohesive component of every part of the organization. The results of this survey show that technologists understand the benefits of integrating security and privacy at the beginning of the cloud migration process. Early inclusion of security and privacy will ensure infrastructure choices, availability planning, and compliance risks are examined before any business decisions are made.
It can be argued that cloud migration should not be the trigger to integrate security as an integral part of all organizational processes. Adopting a security-first culture allows organizations to implement the DevSecOps culture whether they are migrating to the cloud or not. There are a couple of actions that organizations can implement to ensure that security, privacy, and compliance are embedded in all organizational processes.
Making Security Everyone’s Responsibility
One of the reasons organizations implement DevSecOps is to prevent a security incident or event from occurring. DevSecOps is a cultural shift, not just a series of tasks or checkboxes to complete as you move through your CI/CD pipeline. This requires organizations to adopt the mind of a security practitioner which means everyone in the organization acknowledges that it is not a matter of if a vulnerability or flaw will be identified, but a matter of when. Assuming you will be breached or hacked changes the conversation internally and influences decision making on tools, technologies, and migration strategies. This shift in thinking will encourage security-conscious individuals outside of the security team to look forward to finding flaws and reporting them to the security team.
The development and growth of security-conscious employees in every department is an indicator of a strong security culture.
A security-first culture eliminates the blame game from cybersecurity-related issues and encourages a culture of fact-finding, issue-spotting, and investigation. We are no longer asking “who wrote this code?” when a vulnerability is discovered. This cultural shift means we are now asking:
- How do we fix this?
- How do we stop this vulnerability from occurring in the future?
- Can we automate the fix?
Those questions are application security specific however it is important to reiterate this is much more than just securing your application and integrating security tools into your CI/CD pipeline. A cultural shift involves all employees and departments considering the security implications of their processes and actions. For example, in a mature cybersecurity environment, the human resources (HR) team is educated on the implications of onboarding processes and procedures on your cybersecurity compliance assessments. This understanding facilitates an open line of communication between HR reps and security team members. This open line of communication facilitates collaboration on potential solutions that can alleviate the manual aspect of HR teams monitoring and proving compliance with cybersecurity regulations and frameworks. With the end goal of an automated security and compliance monitoring process that ensures new hires are onboarded according to your applicable compliance standards (i.e. background checks performed, access request created, security awareness training completed, etc.).
Automating Everything
Security automation has become increasingly important due to the thousands of threats facing organizations daily. It is virtually impossible to manually identify, protect, detect, respond, and recover to security events or incidents.
Automation will not work without a deep understanding of the business processes and risks security professionals are trying to automate. For this reason, the cultural shift described above is imperative to begin before implementing automation strategies. Automation makes security easy and reduces the burden on understaffed and under-resourced security teams.
When considering automation strategies, security practitioners must adapt security to the business processes and not expect business units to adapt to security. Security must remain an enabling function not a blocking function for automation to work. Security in the cloud requires and encourages automation of key security controls.
As organizations undergo annual compliance assessments, they should aim to make security controls programmable and automated wherever possible. Multifactor authentication (MFA) flaws and public storage services (specifically AWS S3 buckets) are two common risks facing organizations that would best be addressed through automation. For example, on AWS a simple, automated Force MFA and S3 Bucket Security configuration would significantly reduce two key security risks facing the organization without requiring the security team’s manual intervention.
An “automate everything” mentality encourages your organization and security professionals to consistently identify simpler and better ways to perform key functions.
Making Security Easy
Implementing security, privacy, and compliance earlier in the process for all projects, including cloud migrations, makes security easier for everyone involved. It makes sense that over two-thirds of survey respondents believe this is a top security concern when migrating to the cloud. It also makes sense to begin taking the initial steps to integrate security within your overall organizational culture encouraging a relentless focus on automating security.
About the Author
AJ Yawn is a cloud security subject matter expert that possesses over nine years of senior information security experience and has extensive experience managing a wide range of compliance assessments (SOC, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers. He has earned several industry-recognized certifications, including the CISSP, AWS Certified Security Specialty, AWS Certified Solutions Architect-Associate, and PMP. AJ is involved with the AWS training and certification department, volunteering with the AWS Certification Examination subject matter expert program.
Disclaimer
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.
