Automating Cloud Native Security, at the Speed of DevOps

By Trisha Paine, Head of Cloud Marketing Programs

Speed and cloud complexity make security for modern application development increasingly challenging. Many organizations are now developer-centered, incentivizing developers to move fast. The time between when a piece of code is written and when it runs is shortening. In fact, nearly 60% of companies report deploying multiple times a day, once a day or once every few days. At the same time, the scope of the threat landscape is growing as cloud adoption accelerates, making security a challenge for DevSec.

Security must keep up, but often struggles and lags behind.

Security Must be Maintained At Developer Speed

Application developers are encouraged to move very fast. While some mistakes are acceptable for developers, since they will be resolved as part of continuous release cycles, security teams face pressure to always be right without impacting the developers.

Security teams cannot simply delay deployments. Instead, they must figure out how to enable developers rather than saying “no” or “wait.” Cloud security must become developer-friendly, integrated, and transparent. This means that organizations must figure out how to work with developers and the DevOps automation culture in order to still deliver secure, continuous release cycles – and quickly. Security automation everywhere is key.

Automation is Crucial for Application Security

Getting control of your cloud environment requires security to be automated.

With developers releasing updates so quickly, they are also distributing risks immediately. Security protections must follow the same automated path and self-publish. They must move at the same speed as development, working with development toolchains that automatically enable posture checks and protections without slowing things down.

As Marco Rottigni, chief technical security officer EMEA, Qualys, tells Computer Business Review, “Developers should be empowered with plug-ins that trigger security and compliance controls at every step of the DevOps process, exposing the results right within the tools they commonly use to enable rapid remediation of the vulnerable code.”

In addition, remediation steps must be automated, whether to fix issues or to streamline security processes. Enable developers to do their jobs securely without adding work, for example by providing tools that automate tasks such as generating permissions for serverless functions. Take steps to remove friction.

Automation & The Future of the Role of Security Analyst

A recent study of 1,027 US and UK IT and IT security practitioners conducted by the Ponemon Institute reveals that while automation will improve productivity, the human factor is still important. “Seventy-four percent of respondents say automation is not capable of performing certain tasks that the IT security staff can do and 54 percent of respondents say automation will never replace human intuition and hands-on experience.”

Automation should be seen as an evolution that will allow security teams to focus on more strategic projects. A recent post on Dark Reading shared five tips for you to hone your skills to stay well ahead of the automation curve and evolve your role.

Automation + Humans for The DevSec Win

In order to optimize modern application security, DevSecOps best practices and team dynamics need to evolve with automation.

Nigel Kersten, Puppet’s field chief technology officer, stressed the importance of deploying automation at scale in DevSecOps practices. “There are a few common errors we see that enterprises are facing – the biggest one is trying to implement DevSecOps without scaled automation that is well understood and trusted by all the relevant stakeholders.” Kersten continued, “Without that, organisations will end up with the same manual processes and the same conflicting incentives. Then, instead of DevSecOps, these businesses are left with just Dev, Sec and Ops.”

Gina Smith, research manager at IDC Asia, stated, “Old security processes that put security at the middle or end of the process are just too expensive and inefficient now.” Smith continued, “Building security planning, testing and monitoring into every phase of the DevOps pipeline is about bridging the age-old division – and enmity – among developers, IT and security.”

Having cloud native security solutions that are tightly integrated with development and operations processes and tools will be key in helping move towards a more DevSecOps operating environment.

When done effectively, this combination is a true win for security. The 2020 State of Pentesting report examined which security vulnerabilities are found reliably using machines versus human expertise. “The study found that both humans and machines bring value when it comes to finding specific classes of vulnerabilities. Humans ‘win’ at finding business logic bypasses, race conditions, and chained exploits, according to the report.”

The truth is that organizations of the future will require teams and technology to work in unison.

Cloud with Confidence

Organizations need to evolve automation tools and the manner in which teams operate in order to address the unique security needs of modern cloud applications. Automation tools need to be integrated early into development cycles to address security and compliance issues prior to deployment, with the ability to automate runtime security assessments to prevent threats. This will improve not only security but also development cycles.

Check Point CloudGuard provides cloud native security for all your assets and workloads (e.g. serverless and containers), across multi-clouds (AWS, Azure, GCP, VMware), allowing you to automate security everywhere, with unified threat prevention and posture management. The only solution that provides context to secure your cloud with confidence.