Vladi is Co-Founder & CEO of Lightspin, empowering cloud and security teams to eliminate risks to their cloud and Kubernetes environments.
I recently spoke to a CISO at a large FinTech company who told me that at his organization, everything they do is about time-to-market. This is reiterated by the 63% of CEOs who believe that cyber risk might be affecting their growth and slowing them down.
This focus on speed isn’t surprising, of course. We all want value yesterday. What I found interesting to consider is that this approach could be a great way to understand the changes we’re seeing in cloud security.
Security Tools Are Coming To The Rescue Too Late
Ask yourself a simple question: If you were baking a cake, and you had reached for the salt instead of the sugar, when would be the ideal time to find out about it? Once the cake is plated up and being served to your guests, or while you’re still preparing and mixing the ingredients?
The answer is obvious, and yet with cloud security, too many organizations are still relying on cloud workload protection platforms. These can only alert you to security gaps after the fact, once the attacker is already in your environment. And for all intents and purposes, by that time it’s too late.
As all the issues start at the deployment stage, why wait until production to start sending notifications and alerts? By this point, the attacker has established a foothold and may even be making lateral moves across your network.
Make It Easier On Yourself By Shifting To The Build
There’s no doubt that security and DevOps have history. It’s always going to be a tricky relationship — the balance between innovation and caution. Security often gets a bad reputation for asking for a new deployment as a result of a false positive, while DevOps may be accused of sacrificing best practices for the sake of speed. However, there are many moments of frustration that you can all but eliminate if you sharpen up your processes and help the two teams work in tandem.
As pointed out in a recent Gartner report (via Industry Week), only 30% of companies currently take “cross-organizational steps to drive a business-led approach to digital risk.” In contrast, I believe that when teams can come together and work as a unit, this is where we can see a real impact on reducing risk.
That’s why cloud security should enter the scene at the earliest possible stages — not in deployment (and of course not in production) but at the build stage. When your security issues are being flagged at the deployment stages, it’s always going to be harder to get DevOps to address them. It’s the equivalent of trying to pick out every grain of salt from that mixing bowl and replacing it with sugar.
Pointing out a problem during the build stage offers DevOps a much simpler fix. It’s like alerting the chef that they’ve grabbed the wrong ingredients while they are still preparing the recipe. At this point, DevOps is already in troubleshooting mode. There are technical problems to fix already, so adding some security tasks to the mix is not a big deal. Misconfigurations and vulnerabilities simply get added to the list alongside resource-limit problems or any other bug in the code. One example of a process change could be to allow Dev teams to add security parameters to automated unit tests. This makes security checks just one of many DevOps issues to strike off their to-do list before a product or update is ready to go live.
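A build-stage check of the kind just described, as an added example that is not from Lightspin or the original article: a unit test, assumed to run in a team's ordinary test suite, that flags common Kubernetes container misconfigurations (missing resource limits, privileged containers, root execution, mutable image tags) in a constructed manifest before anything is deployed.

```python
"""Build-stage security checks for Kubernetes manifests, written as plain
unit tests so they sit alongside a team's existing test suite."""

# Constructed sample manifest, not from any real project: one container is
# configured correctly, the sidecar would be flagged.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "example-api"},
    "spec": {"template": {"spec": {"containers": [
        {
            "name": "api",
            "image": "example/api:1.2.3",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {"privileged": False, "runAsNonRoot": True},
        },
        {
            "name": "sidecar",
            "image": "example/sidecar:latest",
            "securityContext": {"privileged": True},
        },
    ]}}},
}


def check_containers(manifest: dict) -> list[str]:
    """Return one finding per misconfiguration in the manifest's containers."""
    findings = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        # Missing limits let one container starve the node (the "limits problems" above).
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{name}: missing cpu/memory limits")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        image = c.get("image", "")
        if ":" not in image or image.endswith(":latest"):
            findings.append(f"{name}: image tag is mutable or missing")
    return findings


def test_sample_deployment_is_flagged():
    # The unit-test entry point: the api container passes, the sidecar fails.
    findings = check_containers(SAMPLE_DEPLOYMENT)
    assert not [f for f in findings if f.startswith("api:")]
    assert "sidecar: privileged container" in findings
```

Pointing the same function at each manifest in the repository turns these checks into a gate that fails the build, which is exactly the stage at which the fix is cheapest.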
Put DevOps And Security On The Same Team
As well as speeding up secure deployment, this approach has a number of additional benefits. First, mitigation and policy enforcement are much easier during the build process. For DevOps, you’re not disrupting their work once they feel it’s complete, and for security, you’re allowing their value to be more than just tacked on as an afterthought. In turn, this strengthens and improves the relationship between the two teams and allows them to work as a cohesive unit.
It also removes the reliance on after-the-fact cloud workload protection platforms and moves the conversation to improving cloud security posture management overall. As a result, you have a more secure cloud environment, happier, more collaborative teams and quicker time-to-market for the latest features and releases.