The Path to Security as Code: One Company’s Journey
Companies everywhere are moving to the cloud, but they struggle to secure those environments, to comply with regulatory standards, and to protect themselves and their customers from data breaches and disruption. The pressure to migrate continues unabated, with little tolerance for slowing innovation in order to get cloud risk under control.
A new approach is needed, one that automates security and compliance across the entire cloud application lifecycle, prevents breaches before they can happen and immediately identifies drift and attack in runtime environments.
As the name implies, Security as Code encompasses the creation, enforcement, remediation, and lifecycle management of security controls, expressed as code. It is predicated on the notion that security should be treated as an integral part of the software development lifecycle (SDLC), versioned, reviewed, and tested like any other code. This way, organizations can govern the security and compliance of their public cloud usage with the same degree of automation they already apply to developing and delivering cloud infrastructure and applications.
When referring to their adoption of security as code, I typically hear organizations say, “we are on a path to security as code,” much like how they refer to their journey toward zero trust. Here is one such company’s story.
One Company’s Security as Code Journey
A large, publicly traded financial services firm embarked on an aggressive infrastructure transformation program that served as the catalyst for its migration to public cloud. As part of this, the company established a modern delivery program for building agile, dynamically provisioned infrastructure, redesigning monolithic applications, and deploying them as microservices in the cloud.
The company experienced numerous security and risk management challenges at the outset:
“People were used to doing things a certain way and they just continued trying to do things in that way when we moved to the cloud. People thought we could just bring existing processes forward and it just didn’t work,” said the organization’s VP of Technology Strategy.
Because the cloud introduces new classes of risk, one of the firm’s early goals was to move from a purely reactive posture to a preventative one, in which misconfigurations are identified during development, before they are deployed. “No matter how you configure a NAS device running in your data center, there is no command you can give to say that I am going to make this thing world accessible. There are just too many layers between that device and the outside world. In Amazon it is just one S3 bucket misconfiguration and your data is out there in the world.”
Taking a Security as Code approach, the firm decided to address security and compliance inside its cloud delivery pipeline. Since it already used infrastructure as code to configure and provision its cloud services, the organization began running automated policy checks against that code within CI/CD. After about nine months, it determined that it was critical to shift further left and check for cloud misconfigurations at the point where developers commit and merge infrastructure as code in source code management tools such as Bitbucket and GitHub, so that a non-compliant change is flagged before it ever reaches the pipeline.
Now, more than a year into its Security as Code journey, the company can count on every developer across its 40+ cloud application teams to automatically validate their infrastructure as code against the latest security and compliance controls. The firm can deploy applications rapidly and safely without disrupting developers, and its security teams get a complete view of cloud risk early in the application lifecycle.
Had it not chosen Concourse, the company says, “we would have had to increase our security staffing budget by $5,000,000 to cope with our cloud migration plans.”
Three Keys to Successful Implementation
Establish Security as Code Governance: The first key requires clear ownership and accountability for policy, backed by an internal structure for policy governance.
Design and Manage Policy as Code: The second key involves creating and managing policy that can be evaluated automatically. Write each policy with enough detail to meet its control objective, and remove ambiguity and silent failure by versioning every policy and tracking every change to it.
Apply Controls Comprehensively Across the Cloud Lifecycle: The third key entails enforcing automated security and compliance guardrails at every stage of the cloud application lifecycle, to prevent non-compliant code from being deployed and to immediately detect drift and attack at runtime.
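To make concrete what the firm’s pre-merge infrastructure-as-code check and the “policy as code” key above look like in practice, here is an added example. It is not Concourse’s product or the firm’s own code. It assumes the JSON layout produced by `terraform show -json` for a saved plan, the AWS provider’s `acl` attribute on `aws_s3_bucket`, and the `aws_s3_bucket_public_access_block` resource; the sample plan, the rule names, and the `POLICY_VERSION` tag are constructed for illustration. The policy encodes the S3 exposure the VP described: a bucket planned with a public ACL, or without a fully enabled public access block, fails the check, and the non-zero exit status is what a pre-commit hook, a pull-request check, or a CI stage would use to block the change.

```python
"""Policy-as-code check: flag S3 buckets that a Terraform plan would expose publicly.

Added example, not Concourse's or the firm's code. Assumes the shape of
`terraform show -json tfplan`; the sample plan below is constructed.
"""
import json
import sys

POLICY_VERSION = "s3-exposure/1.0"  # hypothetical tag, versioned in git with the policy
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")

SAMPLE_PLAN = json.dumps({  # constructed; mirrors `terraform show -json` output
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_s3_bucket.web", "type": "aws_s3_bucket",
             "values": {"bucket": "acme-web-assets", "acl": "public-read"}},
            {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
             "values": {"bucket": "acme-audit-logs", "acl": "private"}},
            {"address": "aws_s3_bucket_public_access_block.logs",
             "type": "aws_s3_bucket_public_access_block",
             "values": {"bucket": "acme-audit-logs", "block_public_acls": True,
                        "block_public_policy": True, "ignore_public_acls": True,
                        "restrict_public_buckets": True}},
        ],
        "child_modules": [{"address": "module.storage", "resources": [
            {"address": "module.storage.aws_s3_bucket.data", "type": "aws_s3_bucket",
             "values": {"bucket": "acme-data", "acl": "private"}},
            {"address": "module.storage.aws_s3_bucket_public_access_block.data",
             "type": "aws_s3_bucket_public_access_block",
             "values": {"bucket": "acme-data", "block_public_acls": True,
                        "block_public_policy": False, "ignore_public_acls": True,
                        "restrict_public_buckets": True}},
        ]}],
    }}
})


def planned_resources(module):
    """Yield every planned resource, descending into nested modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from planned_resources(child)


def check_s3_exposure(plan):
    """Return one finding per violation of the public-bucket policy."""
    buckets, blocks = {}, {}
    for res in planned_resources(plan["planned_values"]["root_module"]):
        vals = res.get("values", {})
        if res["type"] == "aws_s3_bucket":
            buckets[res["address"]] = vals
        elif res["type"] == "aws_s3_bucket_public_access_block":
            # Simplification: in a real plan `bucket` is often unknown until apply
            # (it references aws_s3_bucket.x.id); a production check would resolve
            # the reference through the plan's `configuration` section instead.
            blocks[vals.get("bucket")] = vals

    findings = []

    def flag(rule, address, message):
        findings.append({"policy": POLICY_VERSION, "rule": rule,
                         "resource": address, "message": message})

    for address, vals in buckets.items():
        if vals.get("acl") in PUBLIC_ACLS:
            flag("public-acl", address, f"bucket ACL is {vals['acl']!r}")
        block = blocks.get(vals.get("bucket"))
        if block is None:
            flag("missing-public-access-block", address,
                 "no aws_s3_bucket_public_access_block covers this bucket")
            continue
        disabled = [f for f in PAB_FLAGS if block.get(f) is not True]
        if disabled:
            flag("public-access-block-disabled", address,
                 "public access block leaves " + ", ".join(disabled) + " off")
    return findings


def evaluate(plan_json):
    """Parse a plan JSON document and run the policy over it."""
    return check_s3_exposure(json.loads(plan_json))


def main(argv):
    """Check the plan file named in argv (or the built-in sample) and return
    a non-zero status on any finding, so CI or a git hook can block the change."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    findings = evaluate(text)
    for f in findings:
        print(f"[{f['policy']}] {f['rule']} {f['resource']}: {f['message']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python s3_policy.py plan.json` in a pull-request check, or with no argument to evaluate the built-in sample. On the sample it reports three findings: the public ACL and missing public access block on `aws_s3_bucket.web`, and the `block_public_policy` flag left off inside the `storage` module. The `POLICY_VERSION` carried in each finding is the trace back to the policy revision that produced it, which is the point of versioning policy alongside the infrastructure code it governs.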