Balancing Speed and Security in the Cloud

July 22nd, 2020

Goals of a Secure Cloud Environment

On the cloud, you can ship new products faster than ever before. Complex hardware and software services, from mass storage to machine learning algorithms, are available to businesses on-demand.

In an environment of rapid development, security is easily overlooked, considered only retroactively or when it is already too late. The primary goals of a secure cloud system are to:

• Enforce an organisation’s security policies, including risks arising from data privacy, financial regulations and internal risk assessments

• Maintain high visibility of the environment, tracking and reporting on policy violations through continuous auditing

• Keep developers happy: support the creativity and work of product developers instead of blocking them with monotonous security tasks

Shifting Left

To achieve these goals, security concerns are considered as early as possible in the development lifecycle, catching issues quickly and minimising delays. This is the concept behind ‘shifting left’: building security testing and auditing into CI/CD pipelines, rather than performing them in late security reviews before release.

Weaving strong security practices into your development processes allows you to be risk-averse, whilst staying agile and releasing complex features at a rapid pace.

“By better integrating information security (InfoSec) objectives into daily work, teams can achieve higher levels of software delivery performance and build more secure systems. This idea is also known as shifting left, because concerns, including security concerns, are addressed earlier in the software development lifecycle (that is, left in a left-to-right schedule diagram).” - Google Cloud

Policy Enforcement

Automated testing is a popular DevOps technique that enables teams to protect code reliability and integrity through repeatable programmatic testing.

Testing the code throughout regular development builds helps to minimise interruptions and catch security vulnerabilities as soon as they arise. Deep scans and tests look for breaches of organisation-specific security policies, such as access management settings, alongside well-known issues such as insecure library versions.

For developers, automated security testing shortens and enhances the feedback loop so they can quickly address issues after they are introduced to code. Tests written before, during and after the initial release are continuously applied, protecting both current and future releases from known issues, even as developers come and go.

Cloud platform tooling is also available to enforce post-deployment policies during runtime, such as blocking command-line access and setting networking rules.
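The shift-left idea above, and the policy checks this section describes (access management settings, network exposure and insecure library versions), can be made concrete as a small policy-as-code gate that a CI/CD job runs against a deployment manifest before anything is deployed. The following is an added example written for this article, not code from the post or from any cloud provider or vendor mentioned here. The manifest format, the policy names, the sample manifest and the advisory list are all constructed for the example; a real pipeline would read the manifest from the repository and pull advisories from a vulnerability feed.

```python
"""Minimal policy-as-code gate for a CI/CD pipeline (added example).

Assumptions (constructed for this example): the manifest layout, the
policy names and the list of insecure library versions.
"""
from dataclasses import dataclass

# Constructed sample: the kind of deployment manifest a CI job might lint.
SAMPLE_MANIFEST = {
    "service": "orders-api",
    "iam": {
        "roles": ["roles/viewer", "roles/owner"],   # owner is over-broad
        "allow_service_account_keys": True,         # long-lived keys enabled
    },
    "network": {
        "ingress": [
            {"port": 443, "cidr": "10.0.0.0/8"},
            {"port": 22, "cidr": "0.0.0.0/0"},       # admin port open to the world
        ],
    },
    "dependencies": {
        "requests": "2.19.0",
        "pyyaml": "5.4",
    },
}

# Constructed advisory list: package -> versions treated as insecure.
# A real pipeline would load this from an advisory feed, not hard-code it.
KNOWN_INSECURE = {
    "requests": {"2.19.0"},
    "pyyaml": {"5.3", "5.3.1"},
}


@dataclass(frozen=True)
class Finding:
    policy: str
    severity: str   # "high" | "medium" | "low"
    detail: str


def check_iam(manifest):
    """Access-management policy: no owner-level roles, no long-lived SA keys."""
    findings = []
    iam = manifest.get("iam", {})
    for role in iam.get("roles", []):
        if role.endswith("/owner"):
            findings.append(Finding("iam.no_owner_role", "high",
                                    f"role {role} grants full project control"))
    if iam.get("allow_service_account_keys"):
        findings.append(Finding("iam.no_sa_keys", "medium",
                                "long-lived service account keys are enabled"))
    return findings


def check_network(manifest):
    """Networking policy: only HTTPS may be exposed to the whole internet."""
    findings = []
    for rule in manifest.get("network", {}).get("ingress", []):
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] != 443:
            findings.append(Finding("network.no_public_admin_ports", "high",
                                    f"port {rule['port']} exposed to 0.0.0.0/0"))
    return findings


def check_dependencies(manifest, advisories=KNOWN_INSECURE):
    """Supply-chain policy: pinned versions must not match a known advisory."""
    findings = []
    for pkg, version in manifest.get("dependencies", {}).items():
        if version in advisories.get(pkg, set()):
            findings.append(Finding("deps.no_known_insecure", "high",
                                    f"{pkg}=={version} has a known vulnerability"))
    return findings


def evaluate(manifest):
    """Run every policy check and collect the findings."""
    findings = []
    for check in (check_iam, check_network, check_dependencies):
        findings.extend(check(manifest))
    return findings


def gate(findings, fail_on=frozenset({"high"})):
    """True when the build may proceed: no finding at a blocking severity."""
    return not any(f.severity in fail_on for f in findings)


if __name__ == "__main__":
    results = evaluate(SAMPLE_MANIFEST)
    for f in results:
        print(f"[{f.severity.upper()}] {f.policy}: {f.detail}")
    # Non-zero exit fails the pipeline stage, surfacing the issue to the developer
    # in the same feedback loop as a failing unit test.
    raise SystemExit(0 if gate(results) else 1)
```

Against the constructed manifest the gate reports four findings (three high, one medium) and fails the build; the same checks pass a manifest with only a viewer role, HTTPS-only public ingress and non-advisory versions. Because the checks are code in the repository, they keep running on every build after the people who wrote them have moved on, which is the point the section makes about protecting future releases.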

High Visibility

Once effective policies are in place, a security platform needs to be built to monitor vulnerabilities, describe risks (such as by assigning CVSS scores) and permit deeper investigation into policy violations.

With the cloud, an abundance of tooling, both official and third-party, is available to simplify the operation of risk assessment. For example, Sysdig integrates with cloud providers and CI/CD software to provide a unified interface. Sysdig logs and presents security issues, handling notification and facilitating a deeper look into the sequence of events when a violation is detected.

Leveraging the Cloud

Greater security can be obtained with cloud services compared to traditional data centres. Cloud computing’s inherent advantage is that world-class teams centrally manage the complexities of physically securing hardware and datacentres.

Organisations, therefore, need to take responsibility for the other half of the security equation: properly utilising services and developing good software.

Want to know more?

Tune in to our on-demand webinar 'Cloud-Native Security at Speed', where we discuss the effective and practical ways to secure cloud-native workloads, while dramatically improving the speed of development.