After talking with many information security managers and compliance officers over the last few years, a troubling picture is emerging. In the old days the security and compliance teams were powerful organizations, ruling the entire kingdom. They controlled almost all the processes and could pick their weapons of choice to defend the business. But then came the public cloud.
Now, DevOps strategies have become widely adopted and security teams feel that they are losing ground to the developers. Let’s face it: today’s security teams are feeling threatened by the up-and-comers on the DevOps side. But in reality, what we have here is a chance to create the type of synergy that propels organizations into new levels of efficiency.
What’s really happening is that DevOps teams are finally taking on their share of the security responsibilities rather than throwing things over the fence to traditional security teams. With proper management this doesn’t have to be a burden. In fact, you’ll come to see it as a blessing.
The age of DevOps and the public cloud
DevOps is a software development practice in which development and operations engineers collaborate during the entire product lifecycle. It’s quickly becoming a best practice for software projects because it boosts efficiency by increasing automation and collaboration.
DevOps allows for rapid development, as the development team assumes responsibility for the entire development cycle, including the deployment of new features in a production environment.
DevOps is taking over everywhere and the cloud is the reason for its expansion. Today we’re seeing development teams that own their own cloud account — often more than one. Many times the development team is responsible for the networking, maintenance and security of the environment. As a result, large organizations today find themselves owning hundreds of cloud accounts simultaneously.
Understanding the security configurations that are being applied to hundreds of accounts is a challenging task. But enforcing organizational security policies is beyond cumbersome, and guaranteeing compliance virtually impossible. And, if these challenges are not enough, we now see more organizations choosing the hybrid cloud approach. Governing Azure, AWS and GCP accounts together takes us into previously unseen levels of complexity.
No wonder security and compliance managers feel they are fighting an uphill battle.
A question of responsibility
If you thought that the cloud vendors would solve all the problems, think again.
Cloud vendors have introduced what’s called the shared responsibility model. Simply put, this means that the vendor is responsible for “Security of the Cloud,” while its customer is responsible for “Security in the Cloud”. This has created a false sense of safety for many cloud pros who think the vendors are covering more than they actually are. The problem is that shared responsibility doesn’t make security someone else’s problem.
As challenging as the role of a security officer has become, nothing has changed when it comes to accountability. It is still the CISO’s responsibility to ensure that the business is safe, and the CEO should hold him or her accountable for that. The CEO should also continue to turn to the CISO to get clear status reports when it comes to security.
The pressure is also on when it comes to the CCO. There may come a day when the dreaded auditor pays a visit, and they’d better be able to produce a flawlessly compliant system. Not meeting the regulation requirements means heavy fines and labor costs to fix mistakes. No board would like that.
Just before these poor officers start looking for a career change, let me introduce some tools that can help.
Centralized Software-Defined Governance
The Dome9 compliance engine provides an easy way for organizations to check if they meet the demands of compliance standards. Whether it is PCI-DSS, HIPAA or other standards, the compliance engine provides an easy way to assess dozens of cloud environments with a simple, customizable, human-readable rule syntax. This tool allows the compliance team to assess all the relevant accounts by using a “single pane” approach — meaning one window provides you with all of the relevant information and solutions.
As each organization generates internal policies, the security team can generate customized rules as well. Dome9 also provides best practices: bundles of rules that reflect the top industry recommendations for improving your overall security posture. Suddenly, enforcing security standards is a manageable task.
The Dome9 notification system allows users to send targeted reports as soon as a new finding is detected. Sending this information directly to the relevant team allows for rapid remediation. The notification system supports integration with AWS SNS, providing an easy way to automate notification consumption.
Injecting security and compliance into the CI/CD
Governance is applied on live environments, but testing security definitions and compliance even before those environments are built is a powerful methodology.
Using our CloudFormation assessment tool, Dome9 can assess a CloudFormation template as if it were a live environment, detecting configurations that do not meet the required standards or best practices. Through API calls, developers can use this tool as part of their continuous integration or deployment processes. Based on the finding type or severity, it is possible to break the build or deployment process when needed. Because the assessment includes the reasons for failure, and usually also suggestions for improvement, fixing issues becomes a much easier task with far less guesswork.
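The pattern described above, as an added illustration that is not Dome9's own code or API: a static check over a CloudFormation template that emits findings with a severity, and a CI gate that fails the build once any finding reaches a chosen threshold. The template and the severity rules are constructed for this example.

```python
# Constructed CloudFormation template fragment (not a real customer template):
# one security group open to the world on SSH and HTTPS, one limited to a
# private CIDR, plus an unrelated resource the check must skip.
TEMPLATE = {"Resources": {
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": "10.0.0.0/8"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}}}}

ANY = ("0.0.0.0/0", "::/0")          # "open to the world" sources
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # ports treated as high severity
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

def assess_template(template):
    """Return a list of (logical_id, severity, reason) findings for security
    groups whose ingress rules accept traffic from the whole internet."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in ANY:
                continue
            # Protocol "-1" (all traffic) usually carries no port range.
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            admin = [p for p in ADMIN_PORTS if lo <= p <= hi]
            if admin or rule.get("IpProtocol") == "-1":
                sev, why = "high", "administrative port or all traffic open to the world"
            else:
                sev, why = "medium", "port %d-%d open to the world" % (lo, hi)
            findings.append((name, sev, why))
    return findings

def build_passes(findings, fail_at="high"):
    """CI gate: True only if every finding is below the threshold severity."""
    return all(SEVERITY_RANK[s] < SEVERITY_RANK[fail_at] for _, s, _ in findings)
```

The reason string travels with each finding so the developer who broke the build sees what to fix, which is the point the text makes about reducing guesswork.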
Locking down the cloud
While everything is being automated, sometimes manual labor is still required – whether it is debugging or the manual restart of a rogue process. A basic rule in security is “provide permissions only to those who need them”; and taking it one step further – “only when they need them”. It doesn’t matter whether you are a small startup, or mighty Facebook, “moving fast” is a bad excuse for punching holes in your own security.
Mapping users and roles is not a difficult task, but it would be better if the DevOps engineer could be granted access to the production servers only when he really needs it. Dome9’s IAM Safety is a powerful tool that allows the security team to lock down the account, and control the access in real time by “ad-hoc leasing” the permissions when needed, for a predefined time period.
IAM Safety allows the security team to be more involved in the release and maintenance process. This in turn reduces the chances of leaving security holes.
Dome9 can also control the Security Groups, making it mandatory to go through the Dome9 console to open new ports to traffic. By automatically reverting any changes made via the cloud provider console, the security team can be sure that only a specific set of authorized persons can modify the security definitions through a single, centralized system.
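The revert-on-drift behaviour described above, as an added example that is not Dome9's implementation: the approved rule set recorded by a central console is compared with the rules observed on the live account, and every difference is turned into a revoke or authorize action that restores the baseline. Both rule sets are constructed samples; issuing the actions against the cloud provider API is left out.

```python
# Approved security-group rules as recorded by the central console
# (constructed sample). A rule is (protocol, from_port, to_port, cidr).
APPROVED = {
    "sg-web": {("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 80, 80, "0.0.0.0/0")},
    "sg-db":  {("tcp", 5432, 5432, "10.0.1.0/24")},
}

# Rules observed on the live account after someone edited them directly in
# the cloud provider console (constructed sample): SSH opened on the web
# group, HTTP dropped, the database exposed to the internet, a new group.
OBSERVED = {
    "sg-web": {("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "0.0.0.0/0")},
    "sg-db":  {("tcp", 5432, 5432, "10.0.1.0/24"), ("tcp", 5432, 5432, "0.0.0.0/0")},
    "sg-new": {("tcp", 8080, 8080, "0.0.0.0/0")},
}

def detect_drift(approved, observed):
    """Return {group: (unauthorized_rules, missing_rules)} for every group
    that differs from the baseline. A group absent from the baseline is
    reported with all of its rules as unauthorized."""
    drift = {}
    for group in set(approved) | set(observed):
        want = approved.get(group, set())
        have = observed.get(group, set())
        added, removed = have - want, want - have
        if added or removed:
            drift[group] = (added, removed)
    return drift

def revert_plan(drift):
    """Translate drift into an ordered list of (action, group, rule) changes
    that restore the baseline: revoke what was added outside the console,
    re-authorize what was removed."""
    plan = []
    for group in sorted(drift):
        added, removed = drift[group]
        plan += [("revoke", group, r) for r in sorted(added)]
        plan += [("authorize", group, r) for r in sorted(removed)]
    return plan
```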
Welcome to the new era of security
DevOps and CI/CD have introduced new challenges to enterprise security. Security and compliance teams that want to keep themselves relevant should adopt not only new tools, but new methodologies and, ultimately, new attitudes.
Baking security and compliance into the process brings efficiency and standardization to entire organizations. By using the capabilities that Dome9 provides, these teams can gain visibility into their networks and enforce security and compliance with ease. In short, they enter the era of DevSecOps.