As security “shifts left,” we need to arm engineers with automated security delivered as code, so they can effectively protect our public cloud infrastructures, writes Bridgecrew CEO Idan Tendler.
It is well known that, as more and more applications move to the cloud, it is getting harder to ensure that cloud environments are secure. To address this, we need to embed security within cloud-based services and applications. But this shift in deployment has profound implications for organizations. We also need to recognize that responsibility for mitigating cyber risk on public cloud infrastructure is moving from traditional, centralized security teams to more distributed software engineering teams. This transformation requires us to change the way we think about, build and deploy security.
Cloud Infrastructure Security: Developer First
In 2020, we are at a tipping point for mass cloud adoption. Still, a gap exists today between our ability to detect cloud security risks, such as misconfigurations, and our ability to remediate them quickly. Better yet, we would like to prevent those misconfigurations in the first place, and at scale.
Unfortunately, many of the services and applications being created for the cloud are the products of a rapid development process that leaves security behind. Conventional security tools and processes are ill-suited to continuous integration and continuous delivery (CI/CD) provisioning practices. In practice, this means that when a problem is detected in the cloud (and thankfully, detection is becoming commoditized) the burden of addressing it is passed to engineering teams, not security teams. But engineering does not have the time or the tools to work out the best way to fix the errors, violations or misconfigurations in the public cloud infrastructure.
This skills and tools gap produces delays and remediation bottlenecks. It puts engineering and security at odds and potentially leaves IT environments open to exploitation. The tension is frustrating for everyone involved: security teams, compliance and, of course, engineering. Worse, because remediation is left to individual engineers, security is often applied inconsistently. One engineer on the team may solve a problem one way, while another takes a different approach. This lack of standardization makes it hard to maintain a strong security posture across the public cloud.
Public Cloud Security: Engineering’s Problem and Opportunity
Security is no longer solely in the hands of traditional security teams; it is the responsibility of anyone who has a part in building and maintaining these cloud environments. We need to think in terms of DevSecOps and engineering, and start creating solutions that can be used to secure any service or application.
This shift requires a different set of tools and deployment models that make it easy for everyone to implement effective security at scale. What is required is a way to equip engineers and developers with solutions that quickly and effectively close gaps and embed security directly into every application and service. In other words, the cloud needs codified security.
Why codified security works
When security adopts modern development techniques such as Infrastructure as Code (IaC), the benefits follow. For one thing, it becomes far easier for developers and engineers to apply remediations and fix code issues quickly. More importantly, development organizations can preempt issues at build time, shutting the door on attackers before anything reaches production. Even playbooks can be delivered as code to automate the deployment and ongoing management of security workflows, so anyone, anywhere can use them.
Consider how fast an organization’s infrastructure grows and changes. The long list of cloud security lapses makes clear that holes and misconfigurations are likely to be created every day. That is why automating run-time remediation alone is not enough: security engineers will constantly be frustrated if they have to remediate the same AWS misconfiguration they fixed at run time a week before, because the infrastructure code that created it will simply recreate it on the next deployment. The most effective and scalable way for engineers to fix violations in the public cloud is to give them IaC tools they can use at build time. By catching misconfigurations early in the CI/CD pipeline, the burden on security engineering is drastically reduced, while the security and compliance of the environment is dramatically improved.
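As an added illustration of a build-time IaC check of the kind described above (this is example code written for this page, not Bridgecrew's product or any shipping tool), the script below scans resources declared in Terraform's JSON configuration syntax (`*.tf.json`) against a small policy table and returns a non-zero exit code so a CI stage fails before `terraform apply` runs. The check IDs (`EX_S3_1`, `EX_S3_2`, `EX_SG_1`) are invented, and both sample configurations are constructed for the example: one with a public S3 ACL, no default encryption and SSH open to the world, and the hardened version of the same resources. The attribute names follow the Terraform AWS provider 3.x resource schema in use at the time of writing.

```python
"""Build-time IaC policy check over Terraform JSON configuration (*.tf.json).

Added example, not Bridgecrew's code or any shipping tool: a minimal policy
engine that scans resources declared in Terraform's JSON configuration
syntax and fails the CI job when a misconfiguration is found. The check
IDs (EX_*) and the sample configurations are invented for illustration.
"""
import json
import sys

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def check_s3_public_acl(name, attrs):
    """Flag a bucket whose canned ACL grants access to everyone."""
    if attrs.get("acl") in PUBLIC_ACLS:
        return f"aws_s3_bucket.{name}: public ACL '{attrs['acl']}'"
    return None


def check_s3_encryption(name, attrs):
    """Flag a bucket with no default server-side encryption block."""
    if not attrs.get("server_side_encryption_configuration"):
        return f"aws_s3_bucket.{name}: no server-side encryption configured"
    return None


def check_sg_ssh_open(name, attrs):
    """Flag a security group that exposes port 22 to any address."""
    rules = attrs.get("ingress", [])
    if isinstance(rules, dict):  # JSON syntax allows a single block instead of a list
        rules = [rules]
    for rule in rules:
        cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
        all_ports = rule.get("protocol") == "-1"
        covers_22 = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
        if cidrs & ANY_CIDRS and (all_ports or covers_22):
            return f"aws_security_group.{name}: port 22 open to {sorted(cidrs & ANY_CIDRS)}"
    return None


# Policy table: resource type -> list of (check id, check function).
POLICIES = {
    "aws_s3_bucket": [("EX_S3_1", check_s3_public_acl),
                      ("EX_S3_2", check_s3_encryption)],
    "aws_security_group": [("EX_SG_1", check_sg_ssh_open)],
}


def run_checks(config):
    """Return [(check_id, message), ...] for a parsed *.tf.json document."""
    findings = []
    for rtype, instances in config.get("resource", {}).items():
        for name, attrs in instances.items():
            for check_id, fn in POLICIES.get(rtype, []):
                msg = fn(name, attrs)
                if msg:
                    findings.append((check_id, msg))
    return findings


# Constructed sample (not real infrastructure): the weak configuration and
# its hardened counterpart, as Terraform JSON configuration syntax.
WEAK_CONFIG = {"resource": {
    "aws_s3_bucket": {"logs": {"bucket": "example-logs", "acl": "public-read"}},
    "aws_security_group": {"bastion": {"name": "bastion", "ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp",
         "cidr_blocks": ["0.0.0.0/0"]}]}},
}}

FIXED_CONFIG = {"resource": {
    "aws_s3_bucket": {"logs": {
        "bucket": "example-logs", "acl": "private",
        "server_side_encryption_configuration": {"rule": {
            "apply_server_side_encryption_by_default": {"sse_algorithm": "aws:kms"}}}}},
    "aws_security_group": {"bastion": {"name": "bastion", "ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp",
         "cidr_blocks": ["10.0.0.0/8"]}]}},
}}


def load(path):
    with open(path) as fh:
        return json.load(fh)


def main(argv):
    """Scan the *.tf.json files given on the command line (or the built-in weak sample)."""
    configs = [load(p) for p in argv] if argv else [WEAK_CONFIG]
    findings = [f for cfg in configs for f in run_checks(cfg)]
    for check_id, msg in findings:
        print(f"FAIL {check_id}: {msg}")
    return 1 if findings else 0  # non-zero exit blocks the pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it reports three findings against the weak sample and exits 1; pointed at the hardened configuration it exits 0. The point of the design is that the policy table is data the security team owns, while the check runs in the engineers' pipeline on every change, so the same misconfiguration cannot be reintroduced silently by a later apply.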
A Game Changer
We have seen that when fixes, playbooks and remediations are provided as code, organizations are able to address almost 90% of the open violations in their public clouds within a few hours. Better yet, they are able to include codified security in their CI/CD processes, at build time and at the IaC level, to ensure a stronger security posture from the start.
That is a game-changer. We at Bridgecrew are excited to be at the front of this codified security movement, which will finally enable security to match the speed at which services and applications are developed and business gets done. I invite you to join the movement of codified security, so we can take full advantage of all the cloud has to offer, safely and securely.