Three keys to getting Security-as-Code right
Don Duet, chairman and co-founder of Concourse Labs, reveals how to successfully execute Security-as-Code programs
Over the past decade, we have witnessed tremendous growth in public cloud adoption. This trend will undoubtedly continue to accelerate as organizations rethink and retool their businesses and digital footprints. As cloud usage grows, so too does the number of available cloud services and their complexity. But public cloud is not just a collection of new technologies; it is a new operating model that many organizations now rely on to modernize their businesses.
Public cloud breaks traditional security architectures
With all the benefits that cloud bestows, it also brings fundamental, inherent security and operational risks that are very difficult to solve, even for the most sophisticated and mature security and risk teams. Being in a public cloud means that you have a public set of challenges, and the inherent risk of cloud is high. While business leaders forge ahead with ever-faster innovation to capture market and mind share, security and risk management teams struggle to keep up.
A new approach to cloud security is needed, one that provides verifiable security and risk compliance of cloud applications and workloads and does so at the speed at which modern businesses must operate. This requires an agile model that enables the continuous evaluation of risk and the ability to assess and mitigate risk simultaneously across a variety of different control planes.
Security-as-Code: The most viable approach to cloud security
Security-as-Code transforms the current security model from human-driven, ambiguous and intermittent to an agile, technology-driven, explicit and continuous model. In this new paradigm, security and risk practitioners can constantly adapt to the never-ending stream of risks brought on by the continual evolution in cloud services. As a result, business operations in cloud become increasingly agile as well.
Security-as-Code is the practice of instantiating or expressing security and cloud-control objectives in code to orchestrate their application and automate manual security and compliance processes at scale. It is the progression of applying modern technology to improve effectiveness and efficiencies in securing public cloud services. The benefits of declarative artifacts and controls have become clear within DevOps practices. It is time for security and risk teams to embrace these concepts now that most organizations have moved beyond just provisioning and building clouds, to ensure their security and safe operation as well.
Security-as-Code is predicated on the notion that security should be considered an integral part of the software development process. Within this guiding principle, it is, therefore, highly advantageous to treat security controls the same way we treat other forms of source code. This way, cloud controls can be created, applied, managed and audited in a manner that is consistent with how cloud services are increasingly being built and deployed.
Three principles of an effective Security-as-Code program
In my experience developing and implementing Security-as-Code programs within Goldman Sachs and advising large cloud-forward enterprises, I have identified three principal tenets that are critical in achieving a robust, scalable and agile security program to meet the increasingly complex and changing needs of public clouds.
- Establish clear ownership and accountability
The first principle necessitates a focus on ownership and accountability and having an internal structure to map people and roles to specific problems. Defining ownership or control can be difficult, especially within complex organizations that operate over many different regions, jurisdictions, divisions or teams.
Responsibility is very much a team effort, and defining and managing roles is essential to simplifying the management of security and risk across an enterprise.
- Design and manage codified controls
The second principle involves the design and management of control objectives that will solve the set of discrete problems identified. When doing this, it is best to keep the codified controls separate from the application and cloud services code they will govern. This enables security policy to act independently and adapt to changing needs without requiring development involvement.
Policy content that is detailed enough to meet cloud control standards, together with the ability to manage an expanding inventory of codified intellectual property, are cornerstones of a successful Security-as-Code program. All software requires ongoing maintenance and nurturing. A well-defined lifecycle from control definition to software implementation is required to establish trust and agility in Security-as-Code artifacts.
- Apply cloud security controls comprehensively
The third and final principle entails moving from a security and risk approach that applies controls through a single control plane to an approach where APIs are used to inject security seamlessly across as many stages of the SDLC as practical.
This comprehensive approach enables the enforcement of cloud security guardrails during development, within CI/CD pipelines and in runtime to identify risks associated with drift, attack, and misuse. Organizations will also be able to continuously audit cloud services and workloads for security, resiliency and regulatory compliance and establish a common framework for visibility, control and collaboration across multi-cloud environments. Agile and automatic policy enforcement within dynamic workflows provides a solid foundation for securing the use of public cloud services.
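The second and third principles above, as an added illustration that is not code from the article or from Concourse Labs: a small codified-control evaluator in which the controls live apart from the workload definition and the same controls are run against the resource both at the CI/CD gate (the deployment plan) and at runtime (the observed configuration), so that drift is surfaced as the set of controls that passed before deployment but fail now. The control ids, field paths and the storage-resource shape are constructed for the example and do not follow any real provider's schema.

```python
"""Codified controls evaluated at two SDLC stages (plan and runtime) with drift detection.
Added example; control ids, paths and resource fields are illustrative, not a real schema."""
from typing import Any

# Codified controls: declarative, versioned separately from the application code they govern.
CONTROLS = [
    {"id": "STORAGE-01", "path": "acl", "op": "eq", "value": "private"},
    {"id": "STORAGE-02", "path": "encryption.enabled", "op": "eq", "value": True},
    {"id": "STORAGE-03", "path": "logging.target", "op": "present"},
]


def lookup(resource: dict, path: str) -> Any:
    """Follow a dotted path into the resource; a missing key yields None so 'present' can fail."""
    node: Any = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(resource: dict) -> list[str]:
    """Return the ids of the controls this resource violates (empty list means compliant)."""
    failures = []
    for control in CONTROLS:
        actual = lookup(resource, control["path"])
        ok = actual is not None if control["op"] == "present" else actual == control["value"]
        if not ok:
            failures.append(control["id"])
    return failures


def detect_drift(planned: dict, observed: dict) -> list[str]:
    """Controls that passed on the deployment plan but fail on the live resource."""
    return sorted(set(evaluate(observed)) - set(evaluate(planned)))


# Constructed sample: the plan that passed the CI/CD gate ...
PLANNED = {"name": "reports", "acl": "private",
           "encryption": {"enabled": True}, "logging": {"target": "audit-bucket"}}
# ... and the same resource as observed at runtime after an out-of-band console change.
OBSERVED = {"name": "reports", "acl": "public-read",
            "encryption": {"enabled": True}, "logging": {}}

if __name__ == "__main__":
    print("plan:", evaluate(PLANNED) or "compliant")
    print("runtime:", evaluate(OBSERVED))
    print("drift:", detect_drift(PLANNED, OBSERVED))
```

Because the same CONTROLS list is consumed at both stages, a control changed in one place takes effect everywhere it is applied, which is the independence from application code the second principle calls for.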
Security-as-Code represents a significant cultural and technological shift for most organizations. It requires people, process and technology changes that may be orthogonal to existing approaches and can be disruptive during early stages of adoption. However, Security-as-Code is necessary for safeguarding the increasing complexity of public cloud consumption. While developing a program requires careful thought and clear leadership, it has proven to yield exponentially greater results than traditional security approaches. And it is the only viable approach for ensuring the security and compliance of cloud configuration, particularly at the skyrocketing pace at which businesses expect to deploy cloud applications and workloads.
To learn more about the keys to a successful Security-as-Code approach, watch my video Concourse Connect: Security-as-Code for Cloud on-demand.