Three Keys to Getting Security-As-Code Right

Over the past decade, we have witnessed tremendous growth in public cloud adoption. This trend will undoubtedly continue to accelerate as organizations rethink and retool their businesses and digital footprints. As cloud usage grows, so too does the number of available cloud services and their complexity. But public cloud is not just a collection of new technologies; it is a new operating model that many organizations now rely on to modernize their businesses.

But with all the benefits that cloud bestows, it also brings fundamental, inherent security and operational risks that are very difficult to solve, even for the most sophisticated and mature security and risk teams. Being in a public cloud means that you have a public set of challenges, and the inherent risk of cloud is high. And while business leaders forge ahead with ever-faster innovation to capture market- and mindshare, security and risk management teams struggle to keep up.

Public Cloud Breaks Traditional Security Architectures

Traditional security and risk practices are quickly becoming obsolete in the face of increasing and rapid public cloud usage. Most cloud breaches are caused by misconfiguration, not by attacks on cloud infrastructure. In fact, a recent IBM study found that two-thirds of cloud breaches involve improperly configured cloud services [1]. However, traditional security architectures were not designed to secure modern cloud technologies, nor have they kept pace with the aggressive investments many organizations have made in automated DevOps practices.

To complicate the equation, the decentralized nature of public cloud means that more staff across an increasing number of teams are stakeholders in cloud security and risk governance.

A new approach to cloud security is needed, one that provides verifiable security and risk compliance of cloud applications and workloads and does so at the speed at which modern businesses must operate. This requires an agile model that enables the continuous evaluation of risk and the ability to assess and mitigate risk simultaneously across a variety of different control planes.

Security-as-Code: The Most Viable Approach to Cloud Security

Security-as-Code transforms the current security model from human-driven, ambiguous, and intermittent to an agile, technology-driven, explicit, and continuous model. In this new paradigm, security and risk practitioners can constantly adapt to the never-ending stream of risks brought on by the continual evolution in cloud services. As a result, business operations in cloud become increasingly agile as well.

Security-as-Code is the practice of instantiating or expressing security and cloud control objectives in code to orchestrate their application and automate manual security and compliance processes at scale. It is the progression of applying modern technology to improve effectiveness and efficiencies in securing public cloud services. The benefits of declarative artifacts and controls have become clear within DevOps practices. It is time for security and risk teams to embrace these concepts now that most organizations have moved beyond just provisioning and building clouds to ensuring their security and safe operation as well.

Security-as-Code is predicated on the notion that security should be considered an integral part of the software development process. Within this guiding principle, it is therefore highly advantageous to treat security controls the same way we treat other forms of source code. This way, cloud controls can be created, applied, managed, and audited in a manner that is consistent with how cloud services are increasingly being built and deployed.

Three Principles of an Effective Security-as-Code Program

In my experience developing and implementing Security-as-Code programs within Goldman Sachs and advising large cloud-forward enterprises, I have identified three principal tenets that are critical in achieving a robust, scalable, and agile security program to meet the increasingly complex and changing needs of public clouds.

1) Establish Clear Ownership and Accountability

The first principle necessitates a focus on ownership and accountability and having an internal structure to map people and roles to specific problems. Defining ownership or control can be difficult, especially within complex organizations that operate over many different regions, jurisdictions, divisions, or teams.

Responsibility is very much a team effort, and defining and managing roles is essential to simplifying the management of security and risk across an enterprise.

2) Design and Manage Codified Controls

The second principle involves the design and management of control objectives that will solve the set of discrete problems identified. When doing this, it’s best to keep the codified controls separate from the application and cloud services code they will govern. This enables security policy to act independently and adapt to changing needs without requiring development’s involvement.

Writing policy content that is detailed enough to meet cloud control standards, and being able to manage an expanding inventory of codified intellectual property, are cornerstones of a successful Security-as-Code program. All software requires ongoing maintenance and nurturing. A well-defined lifecycle from control definition to software implementation is required to build trust and agility in Security-as-Code artifacts.

3) Apply Cloud Security Controls Comprehensively

The third and final principle entails moving from a security and risk approach that applies controls through a single control plane to an approach where APIs are used to inject security seamlessly across as many parts of the SDLC process as practical.

This comprehensive approach enables the enforcement of cloud security guardrails during development, within CI/CD pipelines, and in runtime to identify risks associated with drift, attack, and misuse. Organizations will also be able to continuously audit cloud services and workloads for security, resiliency, and regulatory compliance and establish a common framework for visibility, control, and collaboration across multi-cloud environments. Agile and automatic policy enforcement within dynamic workflows provides a solid foundation for securing the use of public cloud services.
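The second and third principles together, as an added illustration that is not Concourse Labs' or the author's code: controls are declarative data kept apart from the workload definitions they govern, so the same controls run as a CI gate on a deployment plan and again against a runtime inventory snapshot to surface misconfiguration and drift. The control schema, resource names and attribute names are constructed for the example.

```python
# Added illustration, not Concourse Labs' or the author's code. The controls are
# declarative data kept apart from the workload definitions they govern, so the
# same controls run as a CI gate on a deployment plan and later against a
# runtime inventory snapshot to surface misconfiguration and drift.

# Constructed sample controls: resource type, constrained attribute, required value.
CONTROLS = [
    {"id": "STG-001", "type": "storage_bucket", "attr": "public_access", "expect": False},
    {"id": "STG-002", "type": "storage_bucket", "attr": "encryption", "expect": "kms"},
    {"id": "NET-001", "type": "security_group", "attr": "ssh_from_any", "expect": False},
]

# Constructed sample: the resources as described in the deployment plan CI sees...
PLAN = {
    "logs-bucket": {"type": "storage_bucket", "public_access": False, "encryption": "kms"},
    "web-sg": {"type": "security_group", "ssh_from_any": False},
}
# ...and as a runtime inventory later reports them (the bucket was opened after deploy).
RUNTIME = {
    "logs-bucket": {"type": "storage_bucket", "public_access": True, "encryption": "kms"},
    "web-sg": {"type": "security_group", "ssh_from_any": False},
}

def evaluate(controls, resources):
    """Return (control_id, resource_name) for each control a resource violates."""
    violations = []
    for name, res in resources.items():
        for ctl in controls:
            if ctl["type"] != res.get("type"):
                continue
            # An absent attribute fails the control: a codified control is explicit.
            if ctl["attr"] not in res or res[ctl["attr"]] != ctl["expect"]:
                violations.append((ctl["id"], name))
    return violations

def detect_drift(approved, observed):
    """Return (resource, attr, approved, observed) for each attribute changed since approval."""
    drift = []
    for name, res in approved.items():
        live = observed.get(name, {})  # a missing resource reports every attribute as None
        for attr, value in res.items():
            if live.get(attr) != value:
                drift.append((name, attr, value, live.get(attr)))
    return drift

if __name__ == "__main__":
    print("CI gate:", evaluate(CONTROLS, PLAN))
    print("runtime:", evaluate(CONTROLS, RUNTIME))
    print("drift:", detect_drift(PLAN, RUNTIME))
```

The plan passes the gate, the runtime snapshot fails STG-001, and the drift report pinpoints the attribute that changed, which is the signal a runtime control plane would act on.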


Security-as-Code represents a significant cultural and technological shift for most organizations. It requires people, process, and technology changes that may be orthogonal to existing approaches and can be disruptive during the early stages of adoption. However, Security-as-Code is necessary for safeguarding the increasing complexity of public cloud consumption. While developing a program requires careful thought and clear leadership, it has proven to yield exponentially greater results than traditional security approaches. And it is the only viable approach for ensuring the security and compliance of cloud configuration, particularly at the skyrocketing pace at which businesses expect to deploy cloud applications and workloads.

Want to learn more about the keys to a successful Security-as-Code approach? Watch this on-demand webinar today!

[1] Source: 2021 IBM Security X-Force Cloud Threat Landscape Report:

Related Resources

Learn more about one policy architecture and Concourse Labs.