Securing DevOps: The ABCs of Security-as-Code

Cybersecurity Built for Public Cloud

Traditional cybersecurity architectures and models break down when applied to public cloud. Most public cloud breaches stem from misconfiguration of cloud services, not attacks on the underlying cloud infrastructure. However, existing cybersecurity tools are not designed to prevent, detect, and correct cloud misconfiguration, and certainly not at the speed and scale of public cloud. As a result, companies are in the unenviable position of having to either throttle back cloud innovation or blindly accept the risks of moving applications to public cloud. Neither option is good for business.

Securing public cloud requires a cybersecurity architecture that is built like the cloud. Today, many cloud application developers use software-defined tools, such as infrastructure-as-code (IaC), to provision cloud services. IaC automates cloud services delivery, creates consistency with service configuration, reduces human error, and creates accountability and traceability of any changes.

Likewise, public cloud security needs to be based on an architecture that automates security reviews, provides consistent policy across the entire cloud application lifecycle, minimizes human error, creates unambiguous results, and enables cybersecurity to be managed across its full lifecycle.

Introducing Security-as-Code

One such architecture that is showing promise is Security-as-Code. As its name implies, Security-as-Code instantiates security and control objectives as code, and automatically applies them to ensure public cloud services are configured and used properly. It is predicated on the notion that security should be considered an integral part of the software development lifecycle (SDLC) and treated like other forms of code. This way, cloud security controls can be created, enforced, and managed at the same speed and scale that automation has made possible for the delivery of cloud infrastructure services.

McKinsey summed it up nicely in their seminal report, “Security as Code: The best (and maybe only) path to securing cloud applications and systems”: “Too often, security is viewed as an obstacle to cloud adoption. What should be a frictionless deployment process with security embedded at the outset becomes weeks or months of back-and-forth between developers, infrastructure, and security as they try to shoehorn cloud deployments into legacy security mechanisms. Lengthy approvals ranging from third-party assessments to firewall changes not only decrease the overall value proposition of the cloud but also increase the need for risky policy exceptions to accommodate business requirements.”

Using a Security-as-Code architecture, companies can fully automate cloud security reviews and ensure cloud data stores are properly encrypted and key material is secure. They can know which cloud services are exposed to the public internet, detect shadow cloud resources, remove excessive permissions, and much more. All without slowing cloud innovation.

The Key Benefits

Security-as-Code provides a number of unique benefits that are not achievable with traditional cybersecurity models.

1. Speed: Security must move faster than ever before if businesses are going to capture the full benefits of public cloud. Because security policy and controls are expressed in code, they can be applied automatically, returning results in minutes, not months.

2. Persistence: With the rate at which cloud development moves, security must be ‘always on.’ Security-as-Code can be embedded at every stage of the cloud application lifecycle (within development, delivery, and at runtime), assuring consistent control everywhere.

3. Manageability: Security and compliance standards can be built, operated, and managed as first-class citizens within a GitOps-style environment for policies, controls, and associated permissions. Security can also achieve cloud scale through centrally managed security governance combined with federated security enforcement and remediation.

Three Principles for Success

Don Duet, Concourse Labs co-founder, recently shared his views. “In my experience, developing and implementing Security-as-Code programs within Goldman Sachs and advising large cloud-forward enterprises, I have identified three principal tenets that are critical for achieving a robust, scalable, and agile Security-as-Code program to meet the increasingly complex and changing needs of public clouds.”

1. Establish Clear Ownership and Accountability

The first principle necessitates a focus on ownership and accountability and having an internal structure for governing roles, responsibilities, and permissions, such as who can author policy and for which parts of the cloud estate. Many companies make the fatal mistake of jumping into technology implementation and skipping this step. Responsibility is very much a team effort, and defining and managing roles is essential to simplifying the management of security and risk across an enterprise.

2. Design and Manage Codified Controls

The second principle involves the design and management of control objectives that will solve a discrete set of identified use cases. Policy content must be detailed enough to meet cloud control standards, and the organization needs the ability to manage an expanding inventory of codified security intellectual property. A well-defined lifecycle from control definition to software implementation is required to build trust and agility in Security-as-Code artifacts.

3. Apply Cloud Security Controls Comprehensively

The third and final principle entails enforcing security gates and guardrails everywhere it’s practical. Use APIs to embed security within source code management tools, CI/CD pipelines, and runtime environments. Continuously audit cloud services and workloads for security, resiliency, and regulatory compliance. And establish a common framework for visibility, control, and collaboration across multi-cloud environments.
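To make the idea of "codified controls" concrete, here is an added example (not the page's or Concourse Labs' code) that ties together the use cases named earlier (encrypted data stores, services exposed to the public internet, excessive permissions, shadow resources) with the second and third principles above. Each control objective is a small Python function evaluated against an inventory of resource definitions, the controls are registered under stable IDs so they can be owned and versioned in a GitOps-style repository, and a gate function turns the findings into the pass/fail decision a CI/CD pipeline step would act on. The resource schema, control IDs, severities, the HTTPS-only exception in the network control, and the sample inventory are all assumptions constructed for illustration.

```python
"""Minimal Security-as-Code policy engine (added example; schema and IDs are assumed)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable


@dataclass(frozen=True)
class Finding:
    control_id: str
    resource: str
    severity: str  # "high" | "medium" | "low"
    message: str


# A control is a pure function over one resource definition that returns findings.
Control = Callable[[dict], list[Finding]]


def encryption_at_rest(res: dict) -> list[Finding]:
    """CTRL-ENC-01: data stores must encrypt at rest with a customer-managed key."""
    if res["type"] not in ("object_store", "database"):
        return []
    enc = res.get("encryption") or {}
    if not enc.get("enabled"):
        return [Finding("CTRL-ENC-01", res["name"], "high", "encryption at rest disabled")]
    if not enc.get("kms_key"):  # provider default key: key material not under our control
        return [Finding("CTRL-ENC-01", res["name"], "medium", "no customer-managed key configured")]
    return []


def no_public_ingress(res: dict) -> list[Finding]:
    """CTRL-NET-01: nothing reachable from the whole internet except HTTPS on 443 (assumed policy)."""
    if res["type"] != "security_group":
        return []
    findings = []
    for rule in res.get("ingress", []):
        internet_wide = ip_network(rule["cidr"], strict=False).prefixlen == 0  # 0.0.0.0/0 or ::/0
        if internet_wide and rule["port"] != 443:
            findings.append(Finding("CTRL-NET-01", res["name"], "high",
                                    f"port {rule['port']} open to {rule['cidr']}"))
    return findings


def least_privilege(res: dict) -> list[Finding]:
    """CTRL-IAM-01: no Allow statement may grant wildcard actions or apply to all resources."""
    if res["type"] != "iam_policy":
        return []
    findings = []
    for i, stmt in enumerate(res.get("statements", [])):
        if stmt.get("effect", "Allow") != "Allow":
            continue
        wildcard_action = any(a == "*" or a.endswith(":*") for a in stmt.get("actions", []))
        if wildcard_action or stmt.get("resource") == "*":
            findings.append(Finding("CTRL-IAM-01", res["name"], "high",
                                    f"statement {i} grants wildcard actions or resources"))
    return findings


def has_owner_tag(res: dict) -> list[Finding]:
    """CTRL-OWN-01: every resource names an owner; untagged resources are shadow resources."""
    if not (res.get("tags") or {}).get("owner"):
        return [Finding("CTRL-OWN-01", res["name"], "medium", "no owner tag (shadow resource)")]
    return []


# The control registry is what a policy repository would version and assign owners to.
CONTROLS: dict[str, Control] = {
    "CTRL-ENC-01": encryption_at_rest,
    "CTRL-NET-01": no_public_ingress,
    "CTRL-IAM-01": least_privilege,
    "CTRL-OWN-01": has_owner_tag,
}


def evaluate(resources: list[dict], controls: dict[str, Control] = CONTROLS) -> list[Finding]:
    """Run every registered control over every resource in the inventory."""
    return [f for res in resources for control in controls.values() for f in control(res)]


def gate(findings: list[Finding], fail_on: tuple[str, ...] = ("high",)) -> bool:
    """Pipeline gate: True means the change may proceed; severities in fail_on block it."""
    return not any(f.severity in fail_on for f in findings)


# Constructed sample inventory, shaped like an IaC plan export (not real infrastructure).
SAMPLE_RESOURCES = [
    {"type": "object_store", "name": "customer-exports", "tags": {"owner": "data-platform"},
     "encryption": {"enabled": True, "kms_key": "alias/exports"}},
    {"type": "database", "name": "orders-db", "tags": {"owner": "orders"},
     "encryption": {"enabled": False}},
    {"type": "security_group", "name": "web-sg", "tags": {"owner": "web"},
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "0.0.0.0/0", "port": 22}]},
    {"type": "iam_policy", "name": "ci-deployer", "tags": {},
     "statements": [{"effect": "Allow", "actions": ["storage:read"], "resource": "customer-exports/*"},
                    {"effect": "Allow", "actions": ["*"], "resource": "*"}]},
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_RESOURCES)
    for f in results:
        print(f"[{f.severity:6}] {f.control_id} {f.resource}: {f.message}")
    print("gate:", "PASS" if gate(results) else "FAIL")
```

Run against the sample inventory, the engine reports four findings (an unencrypted database, SSH open to the internet, a wildcard IAM statement, and an untagged policy) and the gate fails because three of them are high severity. The same `evaluate` function can be wired into a pull-request check, a deployment pipeline stage, and a scheduled runtime audit, which is what applying controls "comprehensively" means in practice: one codified control, three enforcement points.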

Learn more in Don’s blog: Three Keys to Getting Security-as-Code Right

With Security-as-Code, companies can for the first time govern and secure public cloud with the same level of self-service they already have for developing and using the cloud itself.

Want to learn more about getting started with Security-as-Code? Watch Don’s introductory webinar, Security-As-Code for Cloud.

Related Resources

Learn more about one policy architecture and Concourse Labs.