Cloud native technologies have the potential to truly change the way we access and secure applications, but their success relies on the people and processes in place to handle the rollout of these technologies. This requires appropriate leadership: decision makers who demonstrate robust cloud security leadership are more likely to see that attitude filter down throughout the business.
The main priority for CISOs should therefore be to develop and implement both a culture and a strategy that proactively address security requirements throughout DevOps. Approaching this transition as a full lifecycle effort ensures that cloud native security is deployed properly and effectively. Companies that restructure their approach in this manner will be able to ensure that the cloud native technologies their CISOs, or other leaders, are planning to implement can be used to their full potential.
The old approach
Cybersecurity used to be handled late in the production rollout cycle, often as the final step, which could slow processes down considerably. Indeed, this approach often caused large delays in moving applications from development to live. The reason was that each team worked in a siloed manner to meet its own responsibilities, be it security, compliance or operations, and the teams only came together at the end.
However, this is no longer appropriate, and responsibility must be shared much more widely across organisations, especially with regard to security decisions for cloud native applications. As they roll out these modern technologies, CISOs must consider the impact that they can have on their organisations’ security and compliance postures. There are many benefits that cloud native technologies bring to the table, such as flexibility, cost savings and scalability, but they also come with new security challenges.
CISOs must therefore reset their expectations of their existing tools and methods and adapt accordingly. The new security challenges must be properly addressed as part of the migration of applications from the data centre to the cloud. If this is done correctly, then regardless of the deployment model, be it serverless, VM or container-based cloud native development, applications can be secured to a much higher level than has ever been possible before.
The new approach
New technologies require a new approach and, generally, organisations are making an effort to converge DevOps and cybersecurity workflows to create a unified DevSecOps process. Each organisation will approach this differently. For example, some will allow security to “fail” a build and prevent images with known vulnerabilities from being pushed to the repository, whereas others will track and block the non-compliant images as they go along.
The DevOps world relies on speed, which increases productivity and agility, but this also increases risk. A more unified approach ensures that security, compliance and IT are all involved from the beginning, so vulnerabilities can be spotted more quickly. It is because of this that it is so important for leaders to work to change the business culture from one of siloed responsibility to one of collective accountability.
A key example of this is “shifting left” to secure the build process. Doing this ensures that risks are reduced early, which prevents the need for time-heavy reworking. Additionally, by securing the cloud infrastructure with automated posture management tools, even complex multi-cloud environments can be hardened and monitored. And by securing running workloads with real-time protection, it is possible to eliminate attacks that attempt to introduce malware at run time.
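The two styles described above, failing a build outright when an image carries known vulnerabilities, or tracking non-compliant images and blocking them as they go along, come down to a policy decision applied to a scan result at build time. The following Python script is an added example of such a build gate; it is not code from the original article or from Aqua Security, and the report layout, policy fields, package names and vulnerability ids are constructed for illustration rather than taken from any scanner's schema. It shows a severity threshold, a "fixable only" rule, time-boxed waivers that lapse, and an enforce-versus-track switch.

```python
"""Build-stage vulnerability gate for container images.

Added illustration of the "fail the build" versus "track and block" choice.
The report layout, policy fields and vulnerability ids below are constructed
for this example and do not follow any particular scanner's schema.
"""
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Ordering used to compare a finding's severity against the policy threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class GatePolicy:
    fail_at: str = "HIGH"        # lowest severity that counts as blocking
    only_fixable: bool = True    # ignore findings that have no fixed version yet
    enforce: bool = True         # True: fail the build; False: record but allow
    # Time-boxed exceptions: vulnerability id -> last day (ISO) the waiver is valid.
    exceptions: dict = field(default_factory=dict)


def blocking_findings(report: dict, policy: GatePolicy, today: date) -> list:
    """Return the findings that violate the policy, in report order."""
    threshold = SEVERITY_RANK[policy.fail_at]
    blocked = []
    for finding in report["findings"]:
        if SEVERITY_RANK.get(finding["severity"], 0) < threshold:
            continue
        if policy.only_fixable and not finding.get("fixed_version"):
            continue
        expiry = policy.exceptions.get(finding["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # waiver still valid, so this finding does not block
        blocked.append(finding)
    return blocked


def gate(report: dict, policy: GatePolicy, today: date) -> dict:
    """Decide whether the image may be pushed to the repository.

    In enforce mode any blocking finding fails the build; in track mode the
    same findings are reported but the push is allowed, matching the
    "track and block as they go along" style.
    """
    blocked = blocking_findings(report, policy, today)
    return {
        "image": report["image"],
        "allowed": not (policy.enforce and blocked),
        "blocked_ids": [f["id"] for f in blocked],
    }


# Constructed scan report; ids and package names are placeholders, not real advisories.
SAMPLE_REPORT = {
    "image": "registry.example/app:1.4.2",
    "findings": [
        {"id": "VULN-EX-001", "severity": "CRITICAL", "package": "pkg-a", "fixed_version": "2.0.1"},
        {"id": "VULN-EX-002", "severity": "HIGH", "package": "pkg-b", "fixed_version": None},
        {"id": "VULN-EX-003", "severity": "MEDIUM", "package": "pkg-c", "fixed_version": "1.3.0"},
        {"id": "VULN-EX-004", "severity": "HIGH", "package": "pkg-d", "fixed_version": "4.1.0"},
        {"id": "VULN-EX-005", "severity": "HIGH", "package": "pkg-e", "fixed_version": "0.9.2"},
    ],
}

# VULN-EX-004 has a current waiver; the waiver for VULN-EX-005 has lapsed.
SAMPLE_POLICY = GatePolicy(exceptions={"VULN-EX-004": "2099-12-31", "VULN-EX-005": "2020-01-01"})
SAMPLE_DAY = date(2024, 6, 1)


if __name__ == "__main__":
    # A CI step would run this after the scan; a non-zero exit fails the build.
    result = gate(SAMPLE_REPORT, SAMPLE_POLICY, SAMPLE_DAY)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["allowed"] else 1)
```

With the constructed report, the gate blocks VULN-EX-001 (critical, fixable) and VULN-EX-005 (its waiver has expired) and fails the build; VULN-EX-002 is skipped because no fix exists yet, VULN-EX-003 sits below the threshold, and VULN-EX-004 is covered by a valid waiver. Setting `enforce=False` yields the tracking style: the same ids are recorded but the push proceeds. Waivers carrying an expiry date are what stop a one-off exception from silently becoming permanent.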
Another important step in creating a culture of cybersecurity and tech innovation is to focus on informing and educating developers about cybersecurity issues to avoid situations where code is prevented from being merged. By doing this, IT teams can hand over some responsibility to the developers and allow them to weigh cybersecurity risks against application development workflows and deadlines. This results in shared responsibility and frees up time for IT to deal with other issues.
These processes may appear time-consuming, but introducing these new technologies must go hand in hand with a new approach to cybersecurity. CISOs who recognise this and work to apply these steps towards creating a new security culture will be able to reap the rewards that cloud native security can bring when properly implemented.
Contributed by Dror Davidoff, CEO, Aqua Security