
Building Security Into Your Cloud IT Practices



  1. BUILDING SECURITY INTO YOUR CLOUD IT PRACTICES
     Expert advice on aligning security with DevOps. Sponsored by
  2. INTRODUCTION
     In the real world of cloud infrastructure, much that happens is driven by business needs. Businesses face competitive pressures that require them to continually optimize customer experience, move quickly into new markets or release new products, and integrate their operations with those of partners, customers, or acquired businesses. This puts a lot of pressure on IT managers and developers. Coders are often incentivized to build fast, but not necessarily to build securely. At the same time, the risks of running vulnerable infrastructure are rising. How do IT professionals address the need to build it safer?

     To find out, we asked our security experts the following question: How can you make security an embedded discipline within your team?

     Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.

     © 2019 Mighty Guides, Inc. | 62 Nassau Drive | Great Neck, NY 11021 | 516-360-2622 |
  3. FOREWORD: Build Security Into Your DevOps Practices
     Use cases across the different types of companies that operate workloads in the cloud vary, but there undoubtedly is one commonality: velocity. Cost, flexibility, and scale are cited as reasons why organizations decide to use the public cloud. However, the ability to move at the speed of today’s technology innovation comes out on top more often than not, time after time. Many organizations can get so focused on pushing product that security takes a backseat. The result is inadvertent vulnerabilities in the underlying infrastructure that get missed. When that happens, and it happens a lot, companies, products, and users are exposed.

     Speed tends to be the focus for DevOps, but to truly implement and manage DevOps effectively within an organization, it has to have a more comprehensive approach from day one. A framework needs to be created that certainly emphasizes speed and pushing product fast, but it has to also include a cultural and technical approach that combines DevOps and security. An effective cross-pollination of these will result in the kind of approach you’ll hear about in this book. The people who are finding smart ways to build security into DevOps are helping to ensure rapid business agility with the right approach to security.

     Lacework is a SaaS platform that automates threat defense, intrusion detection, and compliance for cloud workloads & containers. Lacework monitors all your critical assets in the cloud and automatically detects threats and anomalous activity so you can take action before your company is at risk. The result? Deeper security visibility and greater threat defense for your critical cloud workloads, containers, and IaaS accounts. Based in Mountain View, California, Lacework is a privately held company funded by Sutter Hill Ventures, Liberty Global Ventures, Spike Ventures, the Webb Investment Network (WIN), and AME Cloud Ventures. Find out more at www.

     Regards,
     Dan Hubbard, Chief Product Officer
  4. © 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All other marks mentioned herein may be trademarks of their respective companies. Lacework reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
     Get actionable recommendations on how to improve your security and compliance posture for your AWS, Azure, GCP, and private cloud environments. FREE ASSESSMENT. Streamline security for AWS, Azure, and GCP. Gain unmatched visibility, ensure compliance, and enable actionable threat intelligence.
  5. TABLE OF CONTENTS
     James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC ..... 06
     Milinda Rambel Stone, Vice President & CISO, Provation Medical ..... 08
     Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM) ..... 10
     Kathrine Riley, Director of Information Security & Compliance, Braintrace ..... 11
     Darrell Shack, Cloud Engineer, Cox Automotive Inc. ..... 13
     Mauro Loda, Senior Security Architect, McKesson ..... 14
     Ross Young, Director, Capital One ..... 15
  6. “DEVELOPERS NEED TO UNDERSTAND SECURITY FROM THEIR OWN POINT OF VIEW, SO THEY CAN INTEGRATE SECURITY INTO THE COMPLETE SOFTWARE-DEVELOPMENT LIFE CYCLE.”
     Making security an essential part of your IT operations requires a disciplined approach to the development process, and that begins with teaching developers security awareness. Developers need to understand security from their own point of view, so they can see and integrate security into the complete software-development life cycle. They need to bring security awareness to the table when they are gathering project requirements, when they are planning their design, when they are building code and doing verification testing, and when they are deploying. This includes understanding the security scanning and checks that are integrated into the pipeline as part of the development process, and making sure those things are done. The ultimate goal is to be in front of the security challenge rather than always having to play catch-up and repair vulnerabilities after deployment.

     James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC
     James Courtney is a recognized cybersecurity professional who has spoken at multiple conferences, including the CyberMaryland Conference. He is a Certified Chief Information Security Officer (one of 1,172 in the world), serving as the IT network and operations security manager for a private SIP consulting firm in McLean, Virginia.
  7. Tools built into the pipeline play an important part in enforcing security checks. How you use them becomes part of your change control management process and how you force checks and security sign-offs. Other security tools that monitor activity in the environment also help determine what is most critical. But education and culture within the organization are important too. For instance, if you determine you need to make an investment equal to 10% of your entire security budget to address a serious vulnerability in your operation, senior management needs to understand why, and they need to have a clear idea of the negative impact of not addressing that vulnerability.
  8. “YOU CAN FILTER DATA FROM YOUR SECURITY STACK AND BUILD IT OUT INTO A HEAT MAP THAT HELPS TRANSLATE WHERE YOU ARE INTO BUSINESS LANGUAGE.”
     There can be a lot of business and operational reasons for getting code out as fast as possible, and developers are subject to those pressures. But by nature, engineers want to do the right thing. The best way to build secure code is to give developers the tools and incentives to do the job, and make security fun. You need to build security in from an application-security perspective, run code scans from an application-security perspective on a regular basis, and have your teams compete. Gamification is a great way to make security part of the job and to make it one of the things that drive the whole process rather than being an afterthought. Getting security right first costs much less than fixing it after the fact.

     Milinda Rambel Stone, Vice President & CISO, Provation Medical
     Milinda Rambel Stone is an executive security leader with extensive experience in building and leading security programs, specializing in information-security governance, incident investigation and response, cloud security, security awareness, and risk-management compliance. As a former software engineer, Stone has passion and experience in building cloud security and DevSecOps environments. She currently practices this at Provation, where she is the vice president and chief information security officer (CISO).
  9. As part of this, having a DevSecOps mindset is extremely important. If you think about the cloud environment and all the kinds of activities that are happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to get missed. The siloed approach doesn’t work, and it’s more fun to work collaboratively.

     Another important part of building security into your cloud operations is maintaining an overarching enterprise security scorecard. You can actually filter data from your security stack and build it out into a heat map that helps translate where you are into business language. The goal is to show the organization where there is security risk, brand risk, product risk, financial risk, and where there are risk trends. Then you can begin having a business conversation about how you address these risks, which are all based on highly technical factors.
  10. “WHEN IT COMES TO DEPLOYING APPLICATIONS IN THE CLOUD, AS YOU MOVE TOWARDS CONVENIENCE, YOU LOSE SECURITY.”
     When it comes to deploying applications in the cloud, as you move towards convenience, you lose security. It’s a balancing act. That said, there are tools and processes that can enforce more secure practices. For example, a continuous integration, continuous delivery (CI/CD) model leverages known good components as you update your applications. Being more secure in the cloud involves using these kinds of processes to become more disciplined about change management.

     There are a number of code assessment tools available that can be an integral part of the development process. These tools scan code for vulnerabilities during development and provide vulnerability notifications so that those things can be addressed before code goes to production. The entire DevOps process is becoming a code-based paradigm. It’s also a good practice to have pen testers periodically look at your applications and code from a hacker’s perspective. Use the vulnerabilities they discover as an opportunity to raise awareness among the developers.

     Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM)
     Paul Dackiewicz has over 10 years of systems engineering and cybersecurity experience in the fields of healthcare, government, and value-added resellers (VARs). He is currently leading the security operations center (SOC) for a premier managed security services provider (MSSP).
  11. “COMPLEMENT PLATFORM FEATURES AND CAPABILITIES WITH TOOLS THAT YOU CAN INTEGRATE INTO THE ENVIRONMENT.”
     Here are several things you can do to embed security practices into your cloud operations:
     - Take the time to architect out your solutions and ask tough questions about how to make them conform to your security framework and what risks you must address. It’s not easy to sit down with everybody in the room, but it is a necessary step.
     - Build a DevOps process that uses tools to scan code as you develop it. This should be an automated process that has to happen before code can be promoted.
     - Use the cloud provider’s platform to your advantage. Cloud platforms have a lot of security features and process-control functions that can make your cloud infrastructure more secure, if you use them. For instance, Amazon is constantly patching and updating operating system images. Their tools can tell you if operating system patches are relevant to the container configurations you are currently using. This streamlines your own configuration management and redeployment of fresh images.

     Katherine Riley, Director of Information Security & Compliance, Braintrace
     Katherine (Kate) Riley is skilled in leading teams to define cloud architecture, and in development of controls. She has developed and implemented security frameworks such as ISO and NIST, and performed compliance reviews such as FFIEC, HIPAA, HITRUST, SOX, GDPR, and GLBA.
  12. - Complement platform features and capabilities with tools that you can integrate into the environment. You might want to install your own monitoring or behavior-analytics tool, and integrate that with your dashboard or ticketing system. Then you can tune the tool so that you are focusing on what is most critical to the business.
  13. “MAKING SECURITY AN INTEGRAL PART OF YOUR CLOUD OPERATIONS REQUIRES TIGHTLY MANAGED PROCESSES.”
     Making security an integral part of your cloud operations requires tightly managed processes. This begins with working closely with your security teams as you design your cloud infrastructure, build out your networks, and allocate available resources. This must all be done in compliance with security standards laid out by your security team. It requires managing the development process so that developers follow rules and practices that enforce security. This includes the tools you use, and an agile development process that might involve daily meetings in which developers can discuss how to build something in accordance with security guidelines. It can involve ticketing systems and collaboration tools that facilitate developers getting answers to business-risk questions that relate to the things they are being asked to build. And it requires maintaining discipline about the development process itself, such as using isolated network environments with strict naming conventions to separate development, staging, and production environments for your applications. The process for architecting and building cloud infrastructure needs to be well controlled from end to end.

     Darrell Shack, Cloud Engineer, Cox Automotive Inc.
     Darrell Shack is a seasoned system engineer focused on building resilient and high-availability solutions. He has experience in developing solutions in the public cloud Amazon Web Services, helping teams manage their cost, and overall application performance in the cloud.
  14. “WITH SO MUCH IN THE BUSINESS SUBJECT TO SECURITY RISK, EVERY PERSON HAS A SPECIFIC ROLE TO PLAY.”
     With so many business operations happening in complex IT infrastructures, security is no longer the responsibility of only the security team or the compliance team. It must be baked in at the executive level and become a part of the business process. Most enterprise operations are driven by people, processes, and technology, and people are often stretched thin. With so much in the business subject to security risk, every person has a specific role to play.

     Everything needs to be risk driven. This means treating security and compliance risk as part of business risk. It also means talking about security in terms of business cases, which becomes the common language across the enterprise from the C-suite to business operations. Security frameworks and tools play an important role not only in securely managing IT infrastructures, but also in measuring and scoring risk in ways that make sense for business cases. In this way cybersecurity can become a key consideration in important business decisions.

     Mauro Loda, Senior Security Architect, McKesson
     Mauro Loda is a passionate, data-driven cybersecurity professional who helped define and drive the “Cloud First” strategy and culture within a Fortune 100 multinational enterprise. He is a strong believer in offensive security and simple-but-effective architecture-defense topology. Emotional intelligence, pragmatism and reliability are his guiding principles. He has achieved numerous industry certifications and actively participates in forums, technology councils, and committees.
  15. “BUILDING A SECURE, SCALABLE DEVELOPMENT PROCESS DEPENDS ON AUTOMATION TOOLS, BECAUSE ONE SECURITY ENGINEER CANNOT MANUALLY ASSESS ALL THE APPLICATIONS AND SERVICE INSTANCES…”
     The ultimate goal needs to be to build security into the development process and into the code itself. One way to move in this direction is to change the structure of development teams so that their work has more immediate feedback from customers and business leaders. For example, a typical large project might have 10 developers, a project manager, and a scrum master assigned to it. However, a different approach would be to build a team that consists of three or four developers doing the team coding, working in pairs to check for errors. There would be a systems engineer looking at customer requirements and breaking those down to actionable increments on a scrum board. There would also be a person responsible for the human-centric design, building wireframes before the coding begins, and using those to get customer validation early in the development process. And of course the team would have its own security engineer overseeing security of the code, and a project manager over the group. This kind of a team, supported with the right tooling, would be a highly agile group designed to receive almost instantaneous feedback at every stage in the development cycle.

     Part of this process needs to include building in risk sign-off at the business leader or executive level. This would involve evaluating the product for vulnerabilities and risk, taking the finished product along with the risk evaluation to an appropriate executive who can accept or reject the risk. That makes the final decision about operational risk a business decision, not a security-team decision.

     Building a secure, scalable development process depends on automation tools, because one security engineer cannot manually assess all the applications and service instances a team like this could build. And in a cloud environment, you could easily have many teams like this continuously creating new code. Eventually the goal will be to build security control into the code itself. Security management becomes a function built into the instantaneous-feedback loop developers use to advance their code incrementally. When security policy is built as code, then developers can just test against it.

     Ross Young, Director, Capital One
     Ross Young is a veteran technologist, innovation expert, and transformational leader, having learned DevSecOps, IT infrastructure, and cybersecurity from a young age from both ninjas and pirates. Young currently teaches master-level classes in cybersecurity at Johns Hopkins University and is a director of information security at Capital One.
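A minimal policy-as-code promotion gate in the spirit of the recommendations above (an automated check that must pass before code is promoted, dev/staging/prod separation enforced by naming conventions, and security policy written as code that developers can test against). This is an added example, not code from the guide, from Lacework, or from any contributor; the manifest format, resource names, and policy rules are constructed for illustration.

```python
import ipaddress
import re
from typing import Callable

# A policy inspects one resource and returns findings (empty list = compliant).
Policy = Callable[[dict], list[str]]
ENV_PREFIX = re.compile(r"^(dev|staging|prod)-")  # naming convention assumed here

def no_public_admin_ports(res: dict) -> list[str]:
    """Security groups must not open SSH/RDP to every address (0.0.0.0/0 or ::/0)."""
    if res["type"] != "security_group":
        return []
    out = []
    for rule in res.get("ingress", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen == 0 and rule["port"] in (22, 3389):
            out.append(f"{res['name']}: port {rule['port']} open to {rule['cidr']}")
    return out

def no_public_buckets(res: dict) -> list[str]:
    """Storage buckets must not grant anonymous read access."""
    if res["type"] == "bucket" and res.get("public_read", False):
        return [f"{res['name']}: public read access enabled"]
    return []

def environment_naming(res: dict) -> list[str]:
    """Every name carries a dev-/staging-/prod- prefix so environments stay separable."""
    if not ENV_PREFIX.match(res["name"]):
        return [f"{res['name']}: name lacks dev-/staging-/prod- prefix"]
    return []

def no_cross_environment_links(res: dict) -> list[str]:
    """A resource may only depend on resources in its own environment."""
    own = ENV_PREFIX.match(res["name"])
    out = []
    for dep in res.get("depends_on", []):
        other = ENV_PREFIX.match(dep)
        if own and other and own.group(1) != other.group(1):
            out.append(f"{res['name']}: depends on {dep} from another environment")
    return out

POLICIES: list[Policy] = [no_public_admin_ports, no_public_buckets,
                          environment_naming, no_cross_environment_links]

def evaluate(manifest: list[dict]) -> list[str]:
    """Run every policy over every resource and collect all findings."""
    return [f for res in manifest for policy in POLICIES for f in policy(res)]

def gate(manifest: list[dict]) -> bool:
    """Promotion gate: True only when the manifest has no findings."""
    return not evaluate(manifest)

# Constructed sample manifest (not a real deployment); every resource violates one rule,
# except the HTTPS ingress rule, which is allowed.
SAMPLE = [
    {"type": "security_group", "name": "prod-web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "bucket", "name": "staging-assets", "public_read": True},
    {"type": "database", "name": "customer-db"},
    {"type": "service", "name": "dev-api", "depends_on": ["prod-customer-db"]},
]
```

Running `evaluate(SAMPLE)` yields four findings and `gate(SAMPLE)` returns False, so the pipeline step would block promotion; adding a new rule is just another function appended to `POLICIES`.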
  17. KEY POINTS
     - Having a DevSecOps mindset is extremely important. Thinking about the cloud environment and all the kinds of activities that are happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to get missed.
     - When it comes to deploying applications in the cloud, as you move toward convenience, you lose security. It’s a balancing act. That said, there are tools and processes that can enforce more secure practices.
     - A security heat map can show business leaders where there is security risk, brand risk, product risk, financial risk, and reveal risk trends. With that, you can have business conversations to address these risks, which are all based on highly technical factors.