Our cloud security expert offers practical guidance on securing remote DevOps in the cloud and on implementing essential multi-cloud security controls for DevOps, to build a centralized cloud security strategy that balances protection with agility.
10. DevOps Security Use Cases
Dev
1. Shift security to the left of the application security program
2. Integrate with CI/CD tools
3. Keep agility with automation
Ops
1. Focus on cost and availability
2. Automate with Ops tools
3. Show best practices applied
11. Application Security into the SDLC
Pipeline stages: Development | Pre-production | Production
Development: Code and commit; Continuous integration & automated testing; Complete build & test
Gate 1
Pre-production: Non-functional testing; UAT
Gate 2
Production: Ongoing assessments; Backlog management
Security activities across the pipeline: IT Automation; Continuous Penetration Testing; Cloud Assessment; DAST; SCA; SAST; Education
12. Security Ops in the Cloud
Source: SANS, "How to Optimize Security Operations in the Cloud Through the Lens of the NIST Framework", Feb 2019
16. Cloud Providers Tools Pros and Cons
Pros
1. Integrated
2. One bill
3. Designed for cloud
Cons
1. Don't support hybrid and multi-cloud
2. Multiple tools
3. Don't do application security (DAST)
4. Confusing pricing and hard to budget
18. Business Value
1. Focus on Business Risk
2. Achieve cost efficiency with hybrid setups
3. Keep flexibility and agility with multi-cloud and different architectures
4. Support seamless Dev (Code + Infrastructure) + Ops
19. DevOps Security
Application security stories
• Application Discovery
• Application Assessment
• Findings Prioritization
But with DevOps Requirements
• Shift left on the SDLC
• Integrate with CI/CD
• Automate Ops
Full stack cyber security assessment
01 Identify
• Discover
• Enrich
• Manage
02 Assess
• Schedule
• Scan
• Context
03 Prioritize
• Calculate
• Score
• Inform
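The two slides above describe, first, SAST/SCA/DAST findings feeding two gates in the SDLC and, second, an Identify / Assess / Prioritize loop (discover, enrich with context, calculate a score, inform). The Python below is an added example written for this page, not code from the deck or from any vendor: it enriches constructed scanner findings with a constructed asset inventory, scores them (the weights and the formula are assumptions, not a SANS or NIST method), and uses the scores to decide Gate 1 (build-time tools) and Gate 2 (pre-production tools). Assets missing from the inventory are scored conservatively instead of being dropped, which is the "Enrich" step's main failure mode.

```python
"""Added example (not from the deck): risk-based prioritization of full-stack
findings and its use as the two SDLC security gates.

Everything below is constructed for illustration: the findings, the asset
inventory, the scoring weights and the gate thresholds are assumptions and
not a SANS/NIST formula or any vendor's product logic."""
from dataclasses import dataclass

SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}


@dataclass(frozen=True)
class Finding:
    tool: str      # "SAST", "SCA", "DAST" or "CLOUD" (cloud assessment)
    asset: str     # application or resource the finding belongs to
    severity: str  # key of SEVERITY_WEIGHT
    title: str


@dataclass(frozen=True)
class AssetContext:
    internet_facing: bool
    handles_sensitive_data: bool
    business_criticality: int  # 1 (low) .. 3 (high)


# 01 Identify / Enrich: constructed asset inventory used to add context.
ASSETS = {
    "payments-api": AssetContext(True, True, 3),
    "internal-wiki": AssetContext(False, False, 1),
}
# Assets that were never inventoried are scored conservatively, not ignored.
UNKNOWN_ASSET = AssetContext(True, True, 3)

# Gate 1 runs on build artifacts (SAST, SCA); Gate 2 runs against the
# pre-production deployment (DAST, cloud assessment). Thresholds are assumptions.
GATES = {
    "gate1": {"tools": {"SAST", "SCA"}, "max_score": 40.0},
    "gate2": {"tools": {"DAST", "CLOUD"}, "max_score": 25.0},
}

# Constructed scanner output, as if collected from the pipeline.
FINDINGS = [
    Finding("SAST", "payments-api", "critical", "SQL built from request input"),
    Finding("DAST", "payments-api", "high", "Missing CSRF protection on /transfer"),
    Finding("SCA", "internal-wiki", "critical", "Outdated markdown library"),
    Finding("DAST", "internal-wiki", "medium", "Server version header disclosed"),
    Finding("SAST", "unknown-svc", "medium", "Hard-coded test credential"),
]


def score(finding: Finding, ctx: AssetContext) -> float:
    """03 Prioritize / Calculate: severity weighted by the asset's exposure,
    data sensitivity and business criticality."""
    base = SEVERITY_WEIGHT[finding.severity]
    exposure = 2.0 if ctx.internet_facing else 1.0
    data = 1.5 if ctx.handles_sensitive_data else 1.0
    criticality = ctx.business_criticality / 2  # 0.5, 1.0 or 1.5
    return round(base * exposure * data * criticality, 1)


def prioritize(findings):
    """Return (score, finding) pairs, highest risk first."""
    scored = [(score(f, ASSETS.get(f.asset, UNKNOWN_ASSET)), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def evaluate_gate(gate: str, findings):
    """Pass/fail decision for one gate: only the tools that run at that stage
    count, and any finding at or above the threshold blocks promotion."""
    policy = GATES[gate]
    blocking = [
        (s, f.asset, f.title)
        for s, f in prioritize(findings)
        if f.tool in policy["tools"] and s >= policy["max_score"]
    ]
    return {"gate": gate, "passed": not blocking, "blocking": blocking}


if __name__ == "__main__":
    # 03 Prioritize / Inform: the ranked list goes to the backlog, the gate
    # decision goes back to the pipeline.
    for s, f in prioritize(FINDINGS):
        print(f"{s:5} {f.tool:5} {f.asset:14} {f.title}")
    for gate in GATES:
        print(evaluate_gate(gate, FINDINGS))
```

With these constructed inputs the same critical SCA finding scores 5.0 on the internal wiki and would have scored 45.0 on the payments API, which is the point of adding context before scoring: the gate blocks on risk to the business rather than on raw scanner severity, so developers are not stopped for findings that do not matter where they live.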
20. Cloud DevOps Security Maturity
1. Architect: Choose approach for DevOps in the cloud
2. Extend: Extend and automate existing security to cloud
3. Comply: Add cloud configuration best practices
4. Full Stack: Focus on Business Risk in Dev + Ops
Thank you for feedback. 3 goals:
Talk to DevOps (means talk applications)
Connect to appsec + cloudsec
Last week in the Verizon DBIR, we can see web application attacks have doubled and unsecured cloud storage has become a real problem
Rehosting (lift and shift)
Replatforming, for example moving to PaaS, such as RDS, or putting your Java code on Beanstalk
Repurchasing, moving to SaaS
Refactoring, going for microservices or serverless for instance
Focus on CaaS, PaaS and FaaS
Not focusing on security teams, DevOps are driving cloud adoption
both sides have to equally consider security to cover “full stack.” The attacker doesn’t care where he enters, he just wants in (like a honey badger)
So to achieve full stack DevOps have different use cases
If you are familiar with the NIST CSF framework, here is a nice prioritization from SANS for building blocks of your security when migrating to the cloud
Foundation
Ops security
Dev application security
How to implement this, you have the choice
Then a WAF is a good example of a mitigation approach that buys time for the devs
Not a product from Microsoft,
Foundation, build process right and deploy, better with IaC
Then more Ops oriented with scan (DAST) and monitoring
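The notes above call for getting the foundation right with IaC and then adding cloud configuration best practices, and earlier they name unsecured cloud storage as a real problem. The Python below is an added example for this page, not the speaker's or any vendor's tool: it runs a small set of storage hardening controls over bucket records and shows the weak configuration beside the corrected one. The bucket dict shape, the bucket names and the control identifiers are constructed assumptions, not a provider API or Terraform schema; the idea is that such a check runs against IaC output before deployment (foundation) and against the live inventory afterwards (Ops).

```python
"""Added example (not from the deck): a configuration check for cloud object
storage, the "unsecured cloud storage" problem named in the talk, expressed as
a policy that can run against IaC output before deployment and against the
inventory afterwards.

The bucket records below are a constructed, simplified shape (plain dicts),
not the schema of any provider's API or of Terraform; the control names are
this example's own."""


def check_bucket(bucket: dict) -> list:
    """Return the control identifiers the bucket violates (empty list = clean)."""
    failures = []
    # A public ACL or a public bucket policy makes the data readable without credentials.
    if bucket.get("acl", "private") != "private":
        failures.append("public-acl")
    if bucket.get("policy_allows_public_read", False):
        failures.append("public-policy")
    # Block-public-access is the guard rail that holds even if a public ACL is added later.
    if not bucket.get("block_public_access", False):
        failures.append("public-access-not-blocked")
    # Encryption at rest and versioning limit disclosure and tampering.
    if bucket.get("encryption") not in ("aes256", "kms"):
        failures.append("no-encryption-at-rest")
    if not bucket.get("versioning", False):
        failures.append("versioning-disabled")
    # Access logging is what Ops monitoring and any later investigation rely on.
    if not bucket.get("access_logging", False):
        failures.append("no-access-logging")
    return failures


def check_all(buckets: list) -> dict:
    """Map bucket name -> failures for every bucket in a plan or inventory."""
    return {b["name"]: check_bucket(b) for b in buckets}


def is_compliant(buckets: list) -> bool:
    """True only when no bucket violates any control."""
    return all(not failures for failures in check_all(buckets).values())


# Constructed: the weak setting and the corrected setting side by side.
WEAK_BUCKET = {
    "name": "customer-exports-legacy",
    "acl": "public-read",
    "policy_allows_public_read": False,
    "block_public_access": False,
    "encryption": None,
    "versioning": False,
    "access_logging": False,
}
HARDENED_BUCKET = {
    "name": "customer-exports",
    "acl": "private",
    "policy_allows_public_read": False,
    "block_public_access": True,
    "encryption": "kms",
    "versioning": True,
    "access_logging": True,
}

if __name__ == "__main__":
    for name, failures in check_all([WEAK_BUCKET, HARDENED_BUCKET]).items():
        print(name, "OK" if not failures else failures)
```

A record with the controls simply missing (for example a bucket declared in IaC with only a name) fails the block-public-access, encryption, versioning and logging checks, so an omitted setting is treated as the weak setting rather than as unknown; that default is what turns the check into a guard rail instead of a report.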
Security or pipeline tools?
Risk-based full stack > one independent vendor for security testing means more context that you don't have to guess at (or ignore), saving time and improving security posture (better, faster)
Foundations right (Dev + IaC) + Ops
recall goals:
Talk DevOps means talk applications
Connect to appsec + cloudsec
Starting on prem and vuln management for Ops
Extend to DAST and helping our customer moving to the cloud
Support seamless Dev (Code + Infrastructure) + Ops, integration with CI/CD, shift left and container inspection -> full stack