How Successful Cloud Adopters Balance Security & Innovation

Can you ensure cloud-native application protection without slowing innovation?

Gartner® recently published research that shares best practices for achieving public cloud security and compliance without restraining innovation and agility. The Gartner report, “Quick Answer: How Do Successful Cloud Adopters Balance Security and Innovation?,” is the result of direct, in-depth interviews with organizations that:

  • “Consider themselves generally successful with public cloud
  • Have adopted a public cloud for at least three years
  • Have significant deployment of both SaaS and integrated IaaS and PaaS
  • Spend at least $500,000/month on public cloud integrated IaaS and PaaS”

Too much or too little control?

As organizations migrate applications to the public cloud, they must evaluate the pros and cons of applying too much or too little control. Enforcing traditional, rigid, and manual security processes slows innovation and undermines the leading cloud business driver. However, not doing enough to prevent and detect vulnerabilities leads to unacceptable security and compliance risk. The following figure illustrates these opposing control methods and the steps required to balance the needs of both:

According to Gartner, “Successful cloud adopters focus on establishing the “right” security foundation upfront coupled with more automation. This quick answer focuses on three such best practices, a combination of which is commonly observed with successful cloud adopters:

  1. Split environments between disconnected cloud environments for experimentation and production environments with tighter controls.
  2. Inject security and compliance during application onboarding by including security and compliance assessments and requirements processes.
  3. Implement cloud platform operations that automatically apply security rules and controls as part of the deployment process.”

While these best practices provide a high-level framework for successful cloud adoption, how will you practically implement and operationalize them? And now that security as code is an option, do you still have to accept the status quo of compromising security for innovation, or vice versa?

Read on to learn how Concourse Labs enables you to operationalize these best practices through security as code, and how to meet your time to market needs without compromising on your security and compliance standards.

Split Environments for Experimentation & Production

While both security and development teams want what is in the best interest of their respective company, as Gartner points out, their primary motivations are often at odds with one another. “In most organizations, security teams find it hard to let go of traditional approaches to security, both technical and procedural. This often leads to frustration between developers (and other cloud consumers) and security teams. It can also be a driver for shadow IT. Both have valid arguments: cloud consumers want to increase their speed and freedom to develop and innovate, security wants to protect sensitive information and infrastructure.”

Organizations sometimes segment environments to strike a balance. Developer sandboxes are used to innovate freely with few security controls, while production environments get stricter policies, often at the expense of speed and agility. But how can you ensure the proper controls for each environment?

With Concourse Labs’ security as code architecture and our Risk Surfaces™ technology, you can apply different automatable policies to the sandbox and production stages of an application while ensuring that a core set of global requirements is met regardless of stage. This reduces false positives and the risk created by overly permissive controls, shortens incident response times, and lets you stand up a security-compliant, customized developer sandbox in minutes.

Inject Security and Compliance During Application Onboarding

Most cloud breaches stem from misconfiguration of cloud services, not attacks on the underlying infrastructure. However, existing cybersecurity tools are not designed to prevent, detect, and correct cloud misconfiguration comprehensively across build time and runtime environments, and at the pace at which cloud applications are delivered or changed.

Shifting security left is not a new concept. However, it has faced significant challenges. First, every company of scale has a variety of development tools and standards, and finding a way to secure all of them has been hard. Second, the shift-left experience has been invasive, disrupting developers’ workflows and making for an inefficient experience.

Concourse Labs’ security as code architecture is predicated on the notion that security should be viewed as an integral part of the entire software development lifecycle (SDLC). We solve these shift-left challenges by defining enterprise standards as automatable policy, which can be applied uniformly across every DevOps toolchain. This lets guardrails be automatically injected to enforce policy directly within diverse IDE, SCM, CI/CD and production environments.

Integrated via simple API calls within the tools developers already use, Concourse shows developers both the policies they are expected to meet and whether their code is compliant, clearly and instantly. We also provide developers with immediate remediation guidance so they can resolve violations themselves and bring the application into compliance.
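The two mechanisms described above, a global baseline that applies in every stage plus stricter rules scoped to production (the Split Environments section), and a CI-time gate that reports each violation with remediation guidance (this section), can be sketched in ordinary policy-as-code. The following is an added illustration, not Concourse Labs’ code: the resource records, policy identifiers (GLB-01, PRD-01, and so on) and field names are constructed, hypothetical examples of what an IaC plan or inventory scan might yield, not a real provider’s API.

```python
"""Policy-as-code evaluator: global baseline + environment-scoped rules.

Added example, not vendor code. Resource shape and policy IDs are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample inventory (hypothetical field names).
SAMPLE_RESOURCES = [
    {"id": "bucket-logs", "type": "bucket", "public_read": True, "encrypted": True,
     "tags": {"owner": "platform"}},
    {"id": "vm-api", "type": "instance", "encrypted": True,
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}], "tags": {}},
    {"id": "db-main", "type": "database", "encrypted": False,
     "tags": {"owner": "data"}},
]


@dataclass(frozen=True)
class Policy:
    id: str
    title: str
    check: Callable[[dict], bool]            # True when the resource complies
    remediation: str                         # guidance handed back to the developer
    environments: Optional[frozenset] = None  # None = global, enforced in every stage


def _no_public_read(r: dict) -> bool:
    return not r.get("public_read", False)


def _encrypted(r: dict) -> bool:
    return r.get("encrypted") is True


def _no_world_ssh(r: dict) -> bool:
    return not any(i.get("cidr") == "0.0.0.0/0" and i.get("port") == 22
                   for i in r.get("ingress", []))


def _has_owner(r: dict) -> bool:
    return bool(r.get("tags", {}).get("owner"))


# Global baseline (GLB-*) applies to sandbox and production alike;
# PRD-* rules are only enforced when the target environment is production.
POLICIES = [
    Policy("GLB-01", "No public-read object storage", _no_public_read,
           "Remove the public ACL / set public_read = false."),
    Policy("GLB-02", "Encryption at rest enabled", _encrypted,
           "Enable encryption at rest (set encrypted = true)."),
    Policy("PRD-01", "No SSH open to the internet", _no_world_ssh,
           "Restrict port 22 to a bastion or VPN CIDR.", frozenset({"production"})),
    Policy("PRD-02", "Owner tag present", _has_owner,
           "Add tags.owner = <team>.", frozenset({"production"})),
]


@dataclass(frozen=True)
class Violation:
    resource: str
    policy: str
    title: str
    remediation: str


def evaluate(resources: List[dict], environment: str,
             policies: List[Policy] = POLICIES) -> List[Violation]:
    """Return every violation for `environment`.

    Global policies are always evaluated; stage-scoped policies only when the
    environment is in their scope, so a sandbox is not blocked by prod-only rules.
    """
    out: List[Violation] = []
    for p in policies:
        if p.environments is not None and environment not in p.environments:
            continue
        for r in resources:
            if not p.check(r):
                out.append(Violation(r["id"], p.id, p.title, p.remediation))
    return out


def ci_gate(resources: List[dict], environment: str) -> int:
    """CI-step style result: 0 when compliant, 1 otherwise, printing remediation."""
    violations = evaluate(resources, environment)
    for v in violations:
        print(f"[{environment}] {v.resource}: {v.policy} {v.title} -> {v.remediation}")
    return 1 if violations else 0


if __name__ == "__main__":
    print("sandbox exit code:", ci_gate(SAMPLE_RESOURCES, "sandbox"))
    print("production exit code:", ci_gate(SAMPLE_RESOURCES, "production"))
```

Run against the constructed inventory, the sandbox evaluation flags only the two baseline failures (the public bucket and the unencrypted database), while the production evaluation additionally flags the world-reachable SSH rule and the missing owner tag on `vm-api`. The same policy objects serve both stages; only the scope differs, which is the property that lets one repository of policy back several environments.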

Implement Cloud Platform Operations

While there is no one way to successfully implement cloud operations, the one approach that is almost certain to fail is to split it up across several different infrastructure and operations silos, each with their own methodology and tools. Organizations that have successfully adopted IaaS and PaaS have taken a platform approach to cloud governance:

Gartner notes, “From our interviews, it was clear that many organizations have indeed implemented governance and cloud operations based on a platform approach. In the organizations interviewed, the platform consists of a set of rules, policies, and processes to consume services from a hyperscale provider. The organizations have set up a cloud platform operations team that works as a product team. Successful cloud adopters typically automate the request and deployment of landing zones in the form of AWS accounts, Azure subscriptions and GCP projects.”

Concourse Labs provides a unified platform and a single policy architecture for automating cloud security and compliance at every stage of the cloud application lifecycle. All cloud policies are created, managed, and evidenced within a centralized and authoritative repository. With Concourse, teams maintain complete visibility of controls, so everyone knows what is required to manage risk, while developers, operators and security professionals are empowered with always up-to-date risk, remediation, and compliance guidance.

Ready to start ensuring cloud-native application protection without slowing innovation? Click here for complimentary access to Gartner’s Quick Answer: How Do Successful Cloud Adopters Balance Security and Innovation?

Gartner, Quick Answer: How Do Successful Cloud Adopters Balance Security and Innovation?, 7 April 2022, Mario de Boer, Bob Gill

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from https://info.concourselabs.com/en-us/how-successful-cloud-adopters-balance-security-and-innovation
