When security teams find cloud vulnerabilities and misconfigurations at runtime, they are often blamed for introducing friction into the continuous integration/continuous delivery (CI/CD) pipeline and stifling the enterprise’s ability to innovate as efficiently as possible. But it is not the fault of the security team; rather, it is the broader approach that limits the involvement of security until it’s too late. When put in this position, the security team must scramble to find the fault, determine the root cause, track down the right person and work to develop the remedy, and then ensure the fix is implemented correctly. All of this chaos occurs while the DevOps team grows impatient because they want to deliver…well, continuously.
This type of cloud security is far from ideal because it creates tension, and also because it perpetuates inefficiency. Security issues and risks that originate from one developer will likely resurface over and over. At scale, it’s exceedingly difficult for security professionals to keep pace with developers, who usually far outnumber their security counterparts. Each time a problem is solved, another emerges, and the failure to apply lessons learned in a thoughtful way perpetuates such problems. All of these factors contribute to an unsustainable cloud security posture.
To be clear, detecting and correcting misconfigurations, vulnerabilities, and compliance and policy violations at runtime is a necessary part of every cloud security strategy. In fact, real-time remediation, through automation, is an essential component of a comprehensive cloud security strategy. Automated remediation can perform actions like reconfiguring cloud services, making changes to cloud infrastructure, driving human-centered workflows with integration into systems like ServiceNow and Jira, and orchestrating workflow actions in other security and management systems. Automated remediation allows security teams to concentrate on issues that require special attention while ensuring routine issues are resolved efficiently.
Enterprises that approach security throughout the lifecycle, through both remediative and preventive measures, will be far more secure and productive. But what is preventive security?
To us, one form of preventative security means shifting security “left” into the CI/CD pipeline, thereby allowing security professionals to evaluate the risk of Infrastructure as Code (IaC) templates before they are built. By shifting left, security professionals can prevent misconfigurations and policy violations from occurring and deliver better experiences to developers. Engaging developers in the cloud security process during CI/CD, via DevSecOps, reduces friction related to security, speeding up developer efforts and making developers more likely to participate and therefore improving security. By solving problems in IaC plans and templates, security professionals stop problems from ever happening and improve efficiency by correcting issues holistically rather than fixing them repeatedly at runtime. The result: improved cloud security and improved developer productivity.
Preventative security means taking a proactive approach to cloud security, with the ultimate goal of preventing the introduction of vulnerabilities and risk into a cloud infrastructure. To help achieve this proactive posture, enterprises should invest in tools that provide full visibility into those components of their cloud ecosystem. Knowing all the resources, services, and tools that make up an organization’s full cloud footprint and understanding how these things interact is the foundation that equips security teams with the ability to provide developers with meaningful guidance and safeguards. By delivering this guidance in developers’ native environments through tools that they already use, security teams are able to steer developers toward compliance and security without discord.
When enterprises combine remediative and preventive cloud security, they are safeguarding the CI/CD pipeline from end to end, thus achieving full lifecycle cloud security. But the benefits go beyond achieving continuous security and compliance. A holistic security strategy will serve an enterprise in many more ways. We’ll discuss these advantages in part 2.