The rapid acceleration in cloud adoption that we first talked about in 2020 hasn’t slowed down since. Analyst firm Gartner predicts that cloud usage will only grow broader, deeper, and more ubiquitous in 2022, with global cloud spending forecast to grow nearly 22% to reach $482 billion by the end of the year. Gartner also predicts that public cloud spending will make up nearly half of all enterprise IT budgets worldwide by 2026.
More and more organizations are beginning their cloud journeys by adopting cloud-based Software-as-a-Service (SaaS) applications or by leveraging cloud infrastructure for access to compute, storage, and microservices. Increasing numbers are also advancing their cloud maturity — migrating more of their workloads to the cloud, hosting their own instances there, or starting to develop cloud-native software products.
Maintaining robust security in the cloud isn’t necessarily harder than doing so for on-premises systems, but it is different. What’s more, if your organization is dipping its toes into developing in the cloud for the first time, there are additional considerations that you should be aware of. You’ll need to build and implement your own cloud security strategy tailored to your organization’s needs, rather than relying on SaaS vendors to secure the platform and infrastructure on your behalf.
Moving from DevOps to DevSecOps
One of the biggest benefits of developing on the cloud is that it allows your organization to move very fast. In today’s agile and ever-changing business climate, that speed is often highly attractive to decision-makers. It’s important, however, to ensure that your development organization doesn’t become too focused on the product — or on shortening release cycles — at the expense of security.
The concept of DevOps is a familiar one for most development organizations. Defined as a “combination of cultural philosophies, practices and tools that increases an organization’s ability to deliver applications and services at high velocity,” DevOps has been adopted in some form by more than three-quarters of companies. Fewer, however, have implemented the full complement of DevOps technologies and practices across the entirety of the development lifecycle. And fewer still have successfully integrated an end-to-end security foundation across their development pipelines.
The central idea in DevSecOps is to build security into applications and development pipelines from the outset of DevOps initiatives. Implementing a DevSecOps approach involves collaboration between developers and operations teams (just like DevOps), but also brings security teams into the fold. Adding security checkpoints into the pipeline (both automated and manual checks) in order to continuously integrate security into the development environment can help, as can training developers to code with security in mind and prioritize security considerations from the earliest stages of software design.
Providing training to developers is key for making a successful transition to DevSecOps. It’s also a good idea to nominate security champions within the development team. These champions don’t have to be highly credentialed security experts, but they should be people who have some understanding of software-based risk — enough to be able to say “let’s add a checkpoint here,” or “let’s do an assessment of this part of our process.”
Adopting DevSecOps requires a mindset shift. It’s a discipline that involves prioritizing security across all stages of the development lifecycle. DevSecOps enables development teams to handle software flaws or errors early on, minimizing the time and cost requirements of making changes in late stages of development.
The Importance of Cloud Security Assessments
It’s not uncommon for organizations to have dramatically different levels of maturity when it comes to DevOps and cybersecurity. A cloud security assessment can give your organization both an external and an internal perspective on your security posture in the cloud. This lets you stay on top of your configuration settings, helps you make sure that endpoints haven’t been accidentally left exposed, and ensures that privileged accounts and key stores are properly safeguarded.
Monitoring, configuring, and maintaining cloud resources in a secure fashion requires an entirely new skill set — one that’s quite different from what’s needed to identify and manage security risks in an on-premises environment. You’ll need to make sure you’re putting the monitors in the right places, that you’re storing logs for an adequate amount of time (and in a place where they can readily be accessed and reviewed), and that you’ve set up alerting properly. For teams that are new to working in the management plane of a public cloud infrastructure, this can be confusing and tricky. Plus, the control checks and security models differ from one platform to the next.
We recommend that you use an industry-standard cloud security framework as a baseline. The Center for Internet Security (CIS) provides guidance on how to apply the security best practices outlined in its CIS Critical Security Controls in a cloud environment. And the Cloud Security Alliance (CSA) offers a Cloud Controls Matrix that was designed to serve as a standard for cloud security and privacy. Neither of these frameworks will address every management and control issue that’s likely to arise in a real-world cloud environment, but both provide excellent starting points and reference guides.
A cloud security assessment can not only ensure that your cloud environment is properly configured and maintained but can also help you identify and repair any security gaps that might be present. Bringing in a trained and qualified expert will provide an unbiased perspective, which can give leadership and the board greater confidence in your cloud security posture.
If you’re beginning to build on the cloud, and you have questions about whether or not you’re doing it in a secure fashion, check out our Cloud Security Assessment and Advisory Services. Or schedule a free consultation with one of our cloud security experts today.