One of the main challenges that I’ve heard voiced in discussions among CIOs recently involves the perceived lack of visibility into application security in the Cloud. The shift to software-defined infrastructure, including security and networking, along with the evaporation of the network perimeter means that you can no longer “see” your application security controls, infrastructure assets such as hardware firewalls, and network security appliances.
For many CIOs this feels like driving a car without a steering wheel. But adapting to this new reality and learning that you can get where you need to go without traditional application security controls is essential to success in the world of software-defined everything. You just need to learn how to manage security from the inside out, and while this type of x-ray vision may sound difficult, it’s completely achievable.
The Need for Context, Not Control
The shift away from a control-based mentality is a significant component of cloud application deployment, and in its place IT leaders must adopt a context-based approach to overall resource management. To do so, it's important to remember that the security perimeter in a cloud environment is elastic. This means that application security needs to be thought of in terms of the behavior of the overall application infrastructure, and the context in which that behavior occurs, not in terms of appliance placement and rigidly defined network segmentation.
In the secular shift to "Everything as Code" that's occurring, infrastructure is now defined and deployed with reproducible templates, and the same approach is being taken with application security. As a result, application security policies can be finer-grained than the broader network-based controls. These policies are also much more adaptive, because they can be updated without significant downtime and without affecting other parts of the application infrastructure. Overall, this can lead to a much more secure environment in the long run. The policy-based approach to security helps ensure that core security concepts, such as defense in depth and the principle of least privilege, are followed.
Continuous Hacking Requires Continuous Testing
With the development methodology shift from Waterfall to Agile, along with the move to continuous integration / continuous deployment (CI/CD) processes, the velocity of application updates has greatly increased. However, while new code is being rolled out continuously, security testing is still happening on an ad hoc basis, leaving applications vulnerable to attack between the time they're updated and the time scanning occurs. Hackers take a continuous approach to scanning for vulnerabilities and exploits; security teams need to take that same approach and "shift left" to become part of the software development life cycle (SDLC). Cloud infrastructure makes it very easy to spin up new VMs or containers, which means that security measures need to be adaptive, not rigid. Changes in the overall environment need to be verified in real time with proactive, not reactive, solutions.
By following these best practices, DevSecOps teams will have the x-ray vision they need to manage cloud security from the inside, and along with it, a greater level of assurance that their cloud infrastructure and applications are secure. Putting a comprehensive "security fitness" plan in place as part of the digital transformation initiative also enables future application deployments to be fluid and successful.