BUILDING SECURITY INTO YOUR CLOUD IT PRACTICES
Expert advice on aligning security with DevOps.
Sponsored by
INTRODUCTION
In the real world of cloud infrastructure, much that happens is driven by business needs. Businesses face competitive pressures that require them to continually optimize customer experience, move quickly into new markets or release new products, and integrate their operations with those of partners, customers, or acquired businesses. This puts a lot of pressure on IT managers and developers. Coders are often incentivized to build fast, but not necessarily to build securely. At the same time, the risks of running vulnerable infrastructure are rising. How do IT professionals address the need to build it safer? To find out, we asked our security experts the following question:

How can you make security an embedded discipline within your team?
Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective.

Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.

© 2019 Mighty Guides, Inc. | 62 Nassau Drive | Great Neck, NY 11021 | 516-360-2622 | www.mightyguides.com
FOREWORD
Build Security Into Your DevOps Practices
Use cases across the different types of companies that operate workloads in the cloud vary, but there undoubtedly is one commonality: velocity. Cost, flexibility, and scale are cited as reasons why organizations decide to use the public cloud. However, the ability to move at the speed of today’s technology innovation comes out on top more often than not, time after time.

Many organizations can get so focused on pushing product that security takes a backseat. The result is inadvertent vulnerabilities in the underlying infrastructure that get missed. When that happens, and it happens a lot, companies, products, and users are exposed.

Speed tends to be the focus for DevOps, but to truly implement and manage DevOps effectively within an organization, it has to have a more comprehensive approach from day one. A framework needs to be created that certainly emphasizes speed and pushing product fast, but it has to also include a cultural and technical approach that combines DevOps and security. An effective cross-pollination of these will result in the kind of approach you’ll hear about in this book. The people who are finding smart ways to build security into DevOps are helping to ensure rapid business agility with the right approach to security.

Regards,
Dan Hubbard
Chief Product Officer

Lacework is a SaaS platform that automates threat defense, intrusion detection, and compliance for cloud workloads & containers. Lacework monitors all your critical assets in the cloud and automatically detects threats and anomalous activity so you can take action before your company is at risk. The result? Deeper security visibility and greater threat defense for your critical cloud workloads, containers, and IaaS accounts. Based in Mountain View, California, Lacework is a privately held company funded by Sutter Hill Ventures, Liberty Global Ventures, Spike Ventures, the Webb Investment Network (WIN), and AME Cloud Ventures. Find out more at www.lacework.com.
© 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All other marks mentioned herein may be trademarks of their respective companies. Lacework reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
TABLE OF CONTENTS
James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC ........ 06
Milinda Rambel Stone, Vice President & CISO, Provation Medical ........ 08
Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM) ........ 10
Katherine Riley, Director of Information Security & Compliance, Braintrace ........ 11
Darrell Shack, Cloud Engineer, Cox Automotive Inc. ........ 13
Mauro Loda, Senior Security Architect, McKesson ........ 14
Ross Young, Director, Capital One ........ 15
“DEVELOPERS NEED TO UNDERSTAND SECURITY FROM THEIR OWN POINT OF VIEW, SO THEY CAN INTEGRATE SECURITY INTO THE COMPLETE SOFTWARE-DEVELOPMENT LIFE CYCLE.”
Making security an essential part of your IT operations requires a disciplined approach to the development process, and that begins with teaching developers security awareness. Developers need to understand security from their own point of view, so they can see and integrate security into the complete software-development life cycle.

They need to bring security awareness to the table when they are gathering project requirements, when they are planning their design, when they are building code and doing verification testing, and when they are deploying. This includes understanding the security scanning and checks that are integrated into the pipeline as part of the development process, and making sure those things are done. The ultimate goal is to be in front of the security challenge rather than always having to play catch-up and repair vulnerabilities after deployment.

Tools built into the pipeline play an important part in enforcing security checks. How you use them becomes part of your change control management process and how you force checks and security sign-offs. Other security tools that monitor activity in the environment also help determine what is most critical.

But education and culture within the organization are important too. For instance, if you determine you need to make an investment equal to 10% of your entire security budget to address a serious vulnerability in your operation, senior management needs to understand why, and they need to have a clear idea of the negative impact of not addressing that vulnerability.

James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC

James Courtney is a recognized cybersecurity professional who has spoken at multiple conferences, including the CyberMaryland Conference. He is a Certified Chief Information Security Officer (one of 1,172 in the world), serving as the IT network and operations security manager for a private SIP consulting firm in McLean, Virginia.
“YOU CAN FILTER DATA FROM YOUR SECURITY STACK AND BUILD IT OUT INTO A HEAT MAP THAT HELPS TRANSLATE WHERE YOU ARE INTO BUSINESS LANGUAGE.”
There can be a lot of business and operational reasons for getting code out as fast as possible, and developers are subject to those pressures. But by nature, engineers want to do the right thing. The best way to build secure code is to give developers the tools and incentives to do the job, and make security fun. You need to build security in from an application-security perspective, run code scans from an application-security perspective on a regular basis, and have your teams compete. Gamification is a great way to make security part of the job and to make it one of the things that drive the whole process rather than being an afterthought. Getting security right first costs much less than fixing it after the fact.

As part of this, having a DevSecOps mindset is extremely important. If you think about the cloud environment and all the kinds of activities that are happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to get missed. The siloed approach doesn’t work, and it’s more fun to work collaboratively.

Another important part of building security into your cloud operations is maintaining an overarching enterprise security scorecard. You can actually filter data from your security stack and build it out into a heat map that helps translate where you are into business language. The goal is to show the organization where there is security risk, brand risk, product risk, financial risk, and where there are risk trends. Then you can begin having a business conversation about how you address these risks, which are all based on highly technical factors.

Milinda Rambel Stone, Vice President & CISO, Provation Medical

Milinda Rambel Stone is an executive security leader with extensive experience in building and leading security programs, specializing in information-security governance, incident investigation and response, cloud security, security awareness, and risk-management compliance. As a former software engineer, Stone has passion and experience in building cloud security and DevSecOps environments. She currently practices this at Provation, where she is the vice president and chief information security officer (CISO).
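Stone’s heat map idea, turning security-stack output into the four risk lenses she names (security, brand, product, financial) plus a trend, is shown below as an added example. This script is not from the guide or from Provation; the findings, the business-unit names, the per-band weights and the 30-day trend window are constructed assumptions, while the score-to-band cut-offs are the CVSS v3 qualitative ratings.

```python
"""Turn raw security-stack findings into a business-language heat map.

Added example, not from the guide: findings, business units and weights are
constructed assumptions standing in for real scanner or CSPM output.
"""
from collections import defaultdict
from datetime import date, timedelta

# The four risk lenses the page names; they become the heat map's columns.
RISK_CATEGORIES = ("security", "brand", "product", "financial")

# Constructed sample findings (not real data). Each record keeps the technical
# detail (CVSS base score, date opened) plus the business tags that let us
# translate it: the product/unit it affects and the kind of risk it creates.
FINDINGS = [
    {"id": "F-1", "unit": "Payments",   "category": "security",  "cvss": 9.8, "found": "2019-03-02"},
    {"id": "F-2", "unit": "Payments",   "category": "financial", "cvss": 5.3, "found": "2019-03-09"},
    {"id": "F-3", "unit": "Storefront", "category": "brand",     "cvss": 7.5, "found": "2019-02-11"},
    {"id": "F-4", "unit": "Storefront", "category": "product",   "cvss": 6.1, "found": "2019-03-15"},
    {"id": "F-5", "unit": "Storefront", "category": "product",   "cvss": 4.3, "found": "2019-01-20"},
    {"id": "F-6", "unit": "Analytics",  "category": "security",  "cvss": 3.1, "found": "2019-01-05"},
]

# Weight per qualitative band (assumption: tune to your own risk appetite).
WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1, "none": 0}


def band(cvss):
    """Map a CVSS v3 base score to the CVSS v3 qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def build_heat_map(findings):
    """Return {unit: {category: {"count", "score", "worst"}}}, one cell per pair."""
    cells = defaultdict(dict)
    for f in findings:
        cell = cells[f["unit"]].setdefault(
            f["category"], {"count": 0, "score": 0, "worst": "none"})
        b = band(f["cvss"])
        cell["count"] += 1
        cell["score"] += WEIGHT[b]
        if WEIGHT[b] > WEIGHT[cell["worst"]]:
            cell["worst"] = b
    return dict(cells)


def unit_scores(heat_map):
    """Collapse each unit's row to one number a business leader can rank on."""
    return {unit: sum(c["score"] for c in cats.values())
            for unit, cats in heat_map.items()}


def risk_trend(findings, cutoff, window_days=30):
    """Per unit, compare the weighted score of findings opened in the window
    ending at `cutoff` (ISO date) with the window before it."""
    end = date.fromisoformat(cutoff)
    mid = end - timedelta(days=window_days)
    start = mid - timedelta(days=window_days)
    units = {f["unit"] for f in findings}
    current = dict.fromkeys(units, 0)
    previous = dict.fromkeys(units, 0)
    for f in findings:
        opened = date.fromisoformat(f["found"])
        weight = WEIGHT[band(f["cvss"])]
        if mid <= opened < end:
            current[f["unit"]] += weight
        elif start <= opened < mid:
            previous[f["unit"]] += weight
    trend = {}
    for unit in units:
        if current[unit] > previous[unit]:
            trend[unit] = "rising"
        elif current[unit] < previous[unit]:
            trend[unit] = "falling"
        else:
            trend[unit] = "flat"
    return trend


def render(heat_map):
    """Plain-text grid: one row per unit, worst band and count per category."""
    width = 12
    lines = ["unit".ljust(width) + "".join(c.ljust(width) for c in RISK_CATEGORIES)]
    for unit in sorted(heat_map):
        row = unit.ljust(width)
        for c in RISK_CATEGORIES:
            cell = heat_map[unit].get(c)
            row += (f"{cell['worst']}({cell['count']})" if cell else "-").ljust(width)
        lines.append(row)
    return "\n".join(lines)


if __name__ == "__main__":
    hm = build_heat_map(FINDINGS)
    print(render(hm))
    print("unit scores:", unit_scores(hm))
    print("30-day trend:", risk_trend(FINDINGS, "2019-03-20"))
```

The point of the design is that every cell still traces back to the individual findings, so the conversation with a business owner can move from "Payments is red on security" to the exact item behind it without leaving the scorecard.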
“WHEN IT COMES TO DEPLOYING APPLICATIONS IN THE CLOUD, AS YOU MOVE TOWARDS CONVENIENCE, YOU LOSE SECURITY.”
When it comes to deploying applications in the cloud, as you move towards convenience, you lose security. It’s a balancing act. That said, there are tools and processes that can enforce more secure practices. For example, a continuous integration, continuous delivery (CI/CD) model leverages known good components as you update your applications. Being more secure in the cloud involves using these kinds of processes to become more disciplined about change management.

There are a number of code assessment tools available that can be an integral part of the development process. These tools scan code for vulnerabilities during development and provide vulnerability notifications so that those things can be addressed before code goes to production. The entire DevOps process is becoming a code-based paradigm.

It’s also a good practice to have pen testers periodically look at your applications and code from a hacker’s perspective. Use the vulnerabilities they discover as an opportunity to raise awareness among the developers.

Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM)

Paul Dackiewicz has over 10 years of systems engineering and cybersecurity experience in the fields of healthcare, government, and value-added resellers (VARs). He is currently leading the security operations center (SOC) for a premier managed security services provider (MSSP).
“COMPLEMENT PLATFORM FEATURES AND CAPABILITIES WITH TOOLS THAT YOU CAN INTEGRATE INTO THE ENVIRONMENT.”
Here are several things you can do to embed security practices into your cloud operations:

• Take the time to architect out your solutions and ask tough questions about how to make them conform to your security framework and what risks you must address. It’s not easy to sit down with everybody in the room, but it is a necessary step.

• Build a DevOps process that uses tools to scan code as you develop it. This should be an automated process that has to happen before code can be promoted.

• Use the cloud provider’s platform to your advantage. Cloud platforms have a lot of security features and process-control functions that can make your cloud infrastructure more secure, if you use them. For instance, Amazon is constantly patching and updating operating system images. Their tools can tell you if operating system patches are relevant to the container configurations you are currently using. This streamlines your own configuration management and redeployment of fresh images.

• Complement platform features and capabilities with tools that you can integrate into the environment. You might want to install your own monitoring or behavior-analytics tool, and integrate that with your dashboard or ticketing system. Then you can tune the tool so that you are focusing on what is most critical to the business.

Katherine Riley, Director of Information Security & Compliance, Braintrace

Katherine (Kate) Riley is skilled in leading teams to define cloud architecture, and in development of controls. She has developed and implemented security frameworks such as ISO and NIST, and performed compliance reviews such as FFIEC, HIPAA, HITRUST, SOX, GDPR, and GLBA.
“MAKING SECURITY AN INTEGRAL PART OF YOUR CLOUD OPERATIONS REQUIRES TIGHTLY MANAGED PROCESSES.”
Making security an integral part of your cloud operations requires tightly managed processes. This begins with working closely with your security teams as you design your cloud infrastructure, build out your networks, and allocate available resources. This must all be done in compliance with security standards laid out by your security team.

It requires managing the development process so that developers follow rules and practices that enforce security. This includes the tools you use, and an agile development process that might involve daily meetings in which developers can discuss how to build something in accordance with security guidelines. It can involve ticketing systems and collaboration tools that facilitate developers getting answers to business-risk questions that relate to the things they are being asked to build. And it requires maintaining discipline about the development process itself, such as using isolated network environments with strict naming conventions to separate development, staging, and production environments for your applications. The process for architecting and building cloud infrastructure needs to be well controlled from end to end.

Darrell Shack, Cloud Engineer, Cox Automotive Inc.

Darrell Shack is a seasoned system engineer focused on building resilient and high-availability solutions. He has experience in developing solutions in the public cloud Amazon Web Services, helping teams manage their cost, and overall application performance in the cloud.
“WITH SO MUCH IN THE BUSINESS SUBJECT TO SECURITY RISK, EVERY PERSON HAS A SPECIFIC ROLE TO PLAY.”
With so many business operations happening in complex IT infrastructures, security is no longer the responsibility of only the security team or the compliance team. It must be baked in at the executive level and become a part of the business process. Most enterprise operations are driven by people, processes, and technology, and people are often stretched thin. With so much in the business subject to security risk, every person has a specific role to play.

Everything needs to be risk driven. This means treating security and compliance risk as part of business risk. It also means talking about security in terms of business cases, which becomes the common language across the enterprise from the C-suite to business operations. Security frameworks and tools play an important role not only in securely managing IT infrastructures, but also in measuring and scoring risk in ways that make sense for business cases. In this way cybersecurity can become a key consideration in important business decisions.

Mauro Loda, Senior Security Architect, McKesson

Mauro Loda is a passionate, data-driven cybersecurity professional who helped define and drive the “Cloud First” strategy and culture within a Fortune 100 multinational enterprise. He is a strong believer in offensive security and simple-but-effective architecture-defense topology. Emotional intelligence, pragmatism and reliability are his guiding principles. He has achieved numerous industry certifications and actively participates in forums, technology councils, and committees.
“BUILDING A SECURE, SCALABLE DEVELOPMENT PROCESS DEPENDS ON AUTOMATION TOOLS, BECAUSE ONE SECURITY ENGINEER CANNOT MANUALLY ASSESS ALL THE APPLICATIONS AND SERVICE INSTANCES…”
The ultimate goal needs to be to build security into the development process and into the code itself.

One way to move in this direction is to change the structure of development teams so that their work has more immediate feedback from customers and business leaders. For example, a typical large project might have 10 developers, a project manager, and a scrum master assigned to it. However, a different approach would be to build a team that consists of three or four developers doing the team coding, working in pairs to check for errors. There would be a systems engineer looking at customer requirements and breaking those down to actionable increments on a scrum board. There would also be a person responsible for the human-centric design, building wireframes before the coding begins, and using those to get customer validation early in the development process. And of course the team would have its own security engineer overseeing security of the code, and a project manager over the group.

This kind of a team, supported with the right tooling, would be a highly agile group designed to receive almost instantaneous feedback at every stage in the development cycle.

Part of this process needs to include building in risk sign-off at the business leader or executive level. This would involve evaluating the product for vulnerabilities and risk, taking the finished product along with the risk evaluation to an appropriate executive who can accept or reject the risk. That makes the final decision about operational risk a business decision, not a security-team decision.

Building a secure, scalable development process depends on automation tools, because one security engineer cannot manually assess all the applications and service instances a team like this could build. And in a cloud environment, you could easily have many teams like this continuously creating new code.

Eventually the goal will be to build security control into the code itself. Security management becomes a function built into the instantaneous-feedback loop developers use to advance their code incrementally. When security policy is built as code, then developers can just test against it.

Ross Young, Director, Capital One

Ross Young is a veteran technologist, innovation expert, and transformational leader, having learned DevSecOps, IT infrastructure, and cybersecurity from a young age from both ninjas and pirates. Young currently teaches master-level classes in cybersecurity at Johns Hopkins University and is a director of information security at Capital One.
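Two of the contributors describe the same mechanism from different ends: Riley’s automated scan "that has to happen before code can be promoted", and Young’s security policy "built as code" that developers "can just test against", with risk sign-off by a business owner. The script below is an added example of such a promotion gate; it is not from the guide or from any contributor’s organization. The policy layout, the scan-report format, the environment names and every finding ID are constructed assumptions, not any real scanner’s output.

```python
"""A promotion gate that tests a scan report against security policy as code.

Added example, not from the guide or any contributor's organization. The
policy layout, the report format and every finding ID are constructed
assumptions; real scanners emit their own formats.
"""
import json
import sys
from datetime import date

# Order used to compare severities: "critical" outranks "high", and so on.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy. In practice this lives in a versioned file next to the
# pipeline definition, so developers can read it, diff it and test against it.
POLICY = {
    # Scanners that must have run before any promotion is even considered.
    "required_scans": ["sast", "dependency", "secrets"],
    # Lowest severity that blocks promotion into each environment.
    "environments": {
        "dev":     {"block_at_or_above": "critical"},
        "staging": {"block_at_or_above": "high"},
        "prod":    {"block_at_or_above": "medium"},
    },
    # Risk a business owner has accepted, with an expiry so it is re-reviewed
    # instead of silently living forever.
    "risk_acceptances": [
        {"finding_id": "DEP-2019-0042", "approver": "vp-payments", "expires": "2019-12-31"},
        {"finding_id": "SAST-0007",     "approver": "vp-payments", "expires": "2019-01-31"},
    ],
}

# Constructed scan report, the kind of artifact an earlier pipeline stage writes.
SCAN_REPORT_JSON = """
{
  "build": "example-build-1",
  "scans_run": ["sast", "dependency", "secrets"],
  "findings": [
    {"id": "SAST-0007",     "severity": "high",   "title": "constructed: query built from request input"},
    {"id": "DEP-2019-0042", "severity": "high",   "title": "constructed: vulnerable transitive dependency"},
    {"id": "SAST-0012",     "severity": "medium", "title": "constructed: weak TLS setting in client"},
    {"id": "DEP-0099",      "severity": "low",    "title": "constructed: outdated but unaffected package"}
  ]
}
"""


def load_report(text):
    """Parse the report JSON written by the scan stage."""
    return json.loads(text)


def active_acceptances(policy, today):
    """Risk acceptances still in force on `today` (ISO date string), keyed by finding."""
    today = date.fromisoformat(today)
    return {a["finding_id"]: a for a in policy["risk_acceptances"]
            if date.fromisoformat(a["expires"]) >= today}


def evaluate(report, policy, env, today):
    """Return (allowed, reasons). Empty reasons means the build may be promoted."""
    reasons = []
    for scan in policy["required_scans"]:
        if scan not in report["scans_run"]:
            reasons.append(f"required scan not run: {scan}")
    threshold = SEVERITY_RANK[policy["environments"][env]["block_at_or_above"]]
    accepted = active_acceptances(policy, today)
    for finding in report["findings"]:
        if SEVERITY_RANK[finding["severity"]] < threshold:
            continue  # below the bar for this environment
        if finding["id"] in accepted:
            continue  # business owner signed off; expiry was already checked
        reasons.append(f"{finding['id']} ({finding['severity']}) blocks promotion to {env}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Usage: python gate.py <env> [YYYY-MM-DD]; a non-zero exit fails the pipeline stage.
    env = sys.argv[1] if len(sys.argv) > 1 else "prod"
    today = sys.argv[2] if len(sys.argv) > 2 else date.today().isoformat()
    allowed, reasons = evaluate(load_report(SCAN_REPORT_JSON), POLICY, env, today)
    for reason in reasons:
        print("BLOCK:", reason)
    print("promotion to", env, "allowed" if allowed else "denied")
    sys.exit(0 if allowed else 1)
```

Two details carry the weight here. A missing scanner is itself a blocking finding, which is Courtney’s "making sure those things are done" expressed as a check rather than a reminder. And an acceptance only counts while it is unexpired and names an approver, so Young’s executive sign-off is a reviewable record in the policy file rather than a one-time conversation.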
KEY POINTS
Having a DevSecOps mindset is extremely important. Thinking about the cloud environment and all the kinds of activities that are happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to get missed.

When it comes to deploying applications in the cloud, as you move toward convenience, you lose security. It’s a balancing act. That said, there are tools and processes that can enforce more secure practices.

A security heat map can show business leaders where there is security risk, brand risk, product risk, financial risk, and reveal risk trends. With that, you can have business conversations to address these risks, which are all based on highly technical factors.

More Related Content

PDF
Resetting Your Security Thinking for the Public Cloud
Mighty Guides, Inc.
 
PPTX
Comprehensive Cloud Security Requires an Automated Approach
CloudPassage
 
PDF
Security in the Cloud: Tips on How to Protect Your Data
Procore Technologies
 
PDF
Csathreats.v1.0
vivek_kale27
 
PDF
BriefingsDirect Transcript--How security leverages virtualization to counter ...
Dana Gardner
 
PDF
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
YounesChafi1
 
PDF
Stay Ahead of Risk
Procore Technologies
 
PDF
EveryCloud_Company_Intro_Piece
Paul Richards
 
Resetting Your Security Thinking for the Public Cloud
Mighty Guides, Inc.
 
Comprehensive Cloud Security Requires an Automated Approach
CloudPassage
 
Security in the Cloud: Tips on How to Protect Your Data
Procore Technologies
 
Csathreats.v1.0
vivek_kale27
 
BriefingsDirect Transcript--How security leverages virtualization to counter ...
Dana Gardner
 
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
YounesChafi1
 
Stay Ahead of Risk
Procore Technologies
 
EveryCloud_Company_Intro_Piece
Paul Richards
 

What's hot (15)

PDF
2022 Q1 Webinar Securite du Cloud public (1).pdf
YounesChafi1
 
PDF
Microsoft threat protection + wdatp+ aatp overview
Allessandra Negri
 
PDF
Twistlock: 7 Experts on Cloud-Native Security
Mighty Guides, Inc.
 
PDF
The Cloud Crossover
Armor
 
PDF
REDUCING CYBER EXPOSURE From Cloud to Containers
artseremis
 
PDF
netskope-casb-for-microsoft-365.pdf
test888649
 
PPTX
Cloud Security for U.S. Military Agencies
NJVC, LLC
 
PDF
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Mighty Guides, Inc.
 
PDF
PRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Project
 
PPTX
ProtectV - Data Security for the Cloud
SafeNet
 
PDF
Cloud summit demystifying cloud security
David De Vos
 
PPTX
Lss implementing cyber security in the cloud, and from the cloud-feb14
L S Subramanian
 
PPTX
Tour de France Azure PaaS 5/7 Accélérer avec le DevOps
Alex Danvy
 
PPTX
Cloud security (domain11 14)
Maganathin Veeraragaloo
 
PPTX
Rik Ferguson
CloudExpoEurope
 
2022 Q1 Webinar Securite du Cloud public (1).pdf
YounesChafi1
 
Microsoft threat protection + wdatp+ aatp overview
Allessandra Negri
 
Twistlock: 7 Experts on Cloud-Native Security
Mighty Guides, Inc.
 
The Cloud Crossover
Armor
 
REDUCING CYBER EXPOSURE From Cloud to Containers
artseremis
 
netskope-casb-for-microsoft-365.pdf
test888649
 
Cloud Security for U.S. Military Agencies
NJVC, LLC
 
Carbon Black: 32 Security Experts on Changing Endpoint Security - Quotes from...
Mighty Guides, Inc.
 
PRISMACLOUD Cloud Security and Privacy by Design
PRISMACLOUD Project
 
ProtectV - Data Security for the Cloud
SafeNet
 
Cloud summit demystifying cloud security
David De Vos
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
L S Subramanian
 
Tour de France Azure PaaS 5/7 Accélérer avec le DevOps
Alex Danvy
 
Cloud security (domain11 14)
Maganathin Veeraragaloo
 
Rik Ferguson
CloudExpoEurope
 
Ad

Similar to Building Security Into Your Cloud IT Practices (20)

PDF
Avoiding Limitations of Traditional Approaches to Security
Mighty Guides, Inc.
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
EC-Council
 
PDF
Agile Relevance in the age of Continuous Everything ....
Eturnti Consulting Pvt Ltd
 
PPTX
Unc charlotte prezo2016
Sanjay R. Gupta
 
PDF
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Eryk Budi Pratama
 
PPTX
The Journey to DevSecOps
SeniorStoryteller
 
PPTX
The Journey to DevSecOps
Shannon Lietz
 
PDF
Scale vp wisegate-investing-in_security_innovation_aug2014-gartner_catalyst
Bill Burns
 
PDF
Introduction to DevSecOps
Setu Parimi
 
PDF
DevSecOps Guide to Leveraging a Culture of Security.pdf
Anshulkichara3
 
DOCX
10 things to get right for successful dev secops
Mohammed Ahmed
 
PDF
DevSecOps-Guide-to-Leveraging-a-Culture-of-Security-Ebook.pdf
Anshulkichara3
 
PDF
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
 
PDF
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
UnifyCloud
 
PPTX
Cloud application security (CCSP Domain 4)
Amy Nicewick, CISSP, CCSP, CEH
 
PPTX
ISACA Ireland Keynote 2015
Shannon Lietz
 
PDF
Cloud native patterns antipatterns
Martin Stemplinger
 
PPTX
S360 2015 dev_secops_program
Shannon Lietz
 
PPTX
DevSecCon KeyNote London 2015
Shannon Lietz
 
PPTX
DevSecCon Keynote
Shannon Lietz
 
Avoiding Limitations of Traditional Approaches to Security
Mighty Guides, Inc.
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
EC-Council
 
Agile Relevance in the age of Continuous Everything ....
Eturnti Consulting Pvt Ltd
 
Unc charlotte prezo2016
Sanjay R. Gupta
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Eryk Budi Pratama
 
The Journey to DevSecOps
SeniorStoryteller
 
The Journey to DevSecOps
Shannon Lietz
 
Scale vp wisegate-investing-in_security_innovation_aug2014-gartner_catalyst
Bill Burns
 
Introduction to DevSecOps
Setu Parimi
 
DevSecOps Guide to Leveraging a Culture of Security.pdf
Anshulkichara3
 
10 things to get right for successful dev secops
Mohammed Ahmed
 
DevSecOps-Guide-to-Leveraging-a-Culture-of-Security-Ebook.pdf
Anshulkichara3
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
UnifyCloud
 
Cloud application security (CCSP Domain 4)
Amy Nicewick, CISSP, CCSP, CEH
 
ISACA Ireland Keynote 2015
Shannon Lietz
 
Cloud native patterns antipatterns
Martin Stemplinger
 
S360 2015 dev_secops_program
Shannon Lietz
 
DevSecCon KeyNote London 2015
Shannon Lietz
 
DevSecCon Keynote
Shannon Lietz
 
Ad

More from Mighty Guides, Inc. (20)

PDF
7 Experts on Implementing Microsoft 365 Defender
Mighty Guides, Inc.
 
PDF
7 Experts on Implementing Azure Sentinel
Mighty Guides, Inc.
 
PDF
7 Experts on Implementing Microsoft Defender for Endpoint
Mighty Guides, Inc.
 
PDF
8 Experts on Flawless App Delivery
Mighty Guides, Inc.
 
PDF
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
Mighty Guides, Inc.
 
PDF
Sharktower: Will AI change the way you manage change?
Mighty Guides, Inc.
 
PDF
Workfront: 7 Experts on Flawless Campaign Execution
Mighty Guides, Inc.
 
PDF
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Mighty Guides, Inc.
 
PDF
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
Mighty Guides, Inc.
 
PDF
Citrix: 7 Experts on Transforming Employee Experience
Mighty Guides, Inc.
 
PDF
7 Experts on Transforming Customer Experience with Data Insights (1)
Mighty Guides, Inc.
 
PDF
15 Experts on Reimagining Field Marketing
Mighty Guides, Inc.
 
PDF
Kyriba: 7 Experts on Activating Liquidity
Mighty Guides, Inc.
 
PDF
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
Mighty Guides, Inc.
 
PDF
11 Experts on Using the Content Lifecycle to Maximize Content ROI
Mighty Guides, Inc.
 
PDF
Defining Marketing Success- 28 Experts Tell You How
Mighty Guides, Inc.
 
PDF
7 Experts on Using the Content Lifecycle to Maximize Content ROI
Mighty Guides, Inc.
 
PDF
Iron Mountain: 8 Experts on Workplace Transformation
Mighty Guides, Inc.
 
PDF
Avoiding Container Vulnerabilities
Mighty Guides, Inc.
 
PDF
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
Mighty Guides, Inc.
 
7 Experts on Implementing Microsoft 365 Defender
Mighty Guides, Inc.
 
7 Experts on Implementing Azure Sentinel
Mighty Guides, Inc.
 
7 Experts on Implementing Microsoft Defender for Endpoint
Mighty Guides, Inc.
 
8 Experts on Flawless App Delivery
Mighty Guides, Inc.
 
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
Mighty Guides, Inc.
 
Sharktower: Will AI change the way you manage change?
Mighty Guides, Inc.
 
Workfront: 7 Experts on Flawless Campaign Execution
Mighty Guides, Inc.
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Mighty Guides, Inc.
 
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
Mighty Guides, Inc.
 
Citrix: 7 Experts on Transforming Employee Experience
Mighty Guides, Inc.
 
7 Experts on Transforming Customer Experience with Data Insights (1)
Mighty Guides, Inc.
 
15 Experts on Reimagining Field Marketing
Mighty Guides, Inc.
 
Kyriba: 7 Experts on Activating Liquidity
Mighty Guides, Inc.
 
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
Mighty Guides, Inc.
 
11 Experts on Using the Content Lifecycle to Maximize Content ROI
Mighty Guides, Inc.
 
Defining Marketing Success- 28 Experts Tell You How
Mighty Guides, Inc.
 
7 Experts on Using the Content Lifecycle to Maximize Content ROI
Mighty Guides, Inc.
 
Iron Mountain: 8 Experts on Workplace Transformation
Mighty Guides, Inc.
 
Avoiding Container Vulnerabilities
Mighty Guides, Inc.
 
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
Mighty Guides, Inc.
 

Recently uploaded (20)

PPTX
ASSIGNMENT_1[1][1][1][1][1] (1) variables.pptx
kr2589474
 
PDF
MiniTool Power Data Recovery Crack New Pre Activated Version Latest 2025
imang66g
 
PPTX
Web Testing.pptx528278vshbuqffqhhqiwnwuq
studylike474
 
PPTX
AI-Ready Handoff: Auto-Summaries & Draft Emails from MQL to Slack in One Flow
bbedford2
 
PPTX
slidesgo-unlocking-the-code-the-dynamic-dance-of-variables-and-constants-2024...
kr2589474
 
PDF
New Download MiniTool Partition Wizard Crack Latest Version 2025
imang66g
 
PPTX
Visualising Data with Scatterplots in IBM SPSS Statistics.pptx
Version 1 Analytics
 
PDF
49785682629390197565_LRN3014_Migrating_the_Beast.pdf
Abilash868456
 
PDF
lesson-2-rules-of-netiquette.pdf.bshhsjdj
jasmenrojas249
 
PPTX
GALILEO CRS SYSTEM | GALILEO TRAVEL SOFTWARE
philipnathen82
 
PPTX
Role Of Python In Programing Language.pptx
jaykoshti048
 
PPTX
Explanation about Structures in C language.pptx
Veeral Rathod
 

Building Security Into Your Cloud IT Practices

  • 3. FOREWORD

Build Security Into Your DevOps Practices

Use cases across the different types of companies that operate workloads in the cloud vary, but there undoubtedly is one commonality: velocity. Cost, flexibility, and scale are cited as reasons why organizations decide to use the public cloud. However, the ability to move at the speed of today’s technology innovation comes out on top more often than not, time after time. Many organizations can get so focused on pushing product that security takes a backseat. The result is inadvertent vulnerabilities in the underlying infrastructure that get missed. When that happens, and it happens a lot, companies, products, and users are exposed.

Speed tends to be the focus for DevOps, but to truly implement and manage DevOps effectively within an organization, it has to have a more comprehensive approach from day one. A framework needs to be created that certainly emphasizes speed and pushing product fast, but it has to also include a cultural and technical approach that combines DevOps and security. An effective cross-pollination of these will result in the kind of approach you’ll hear about in this book. The people who are finding smart ways to build security into DevOps are helping to ensure rapid business agility with the right approach to security.

Regards,
Dan Hubbard
Chief Product Officer

Lacework is a SaaS platform that automates threat defense, intrusion detection, and compliance for cloud workloads & containers. Lacework monitors all your critical assets in the cloud and automatically detects threats and anomalous activity so you can take action before your company is at risk. The result? Deeper security visibility and greater threat defense for your critical cloud workloads, containers, and IaaS accounts. Based in Mountain View, California, Lacework is a privately held company funded by Sutter Hill Ventures, Liberty Global Ventures, Spike Ventures, the Webb Investment Network (WIN), and AME Cloud Ventures. Find out more at www.lacework.com.
  • 4. © 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All other marks mentioned herein may be trademarks of their respective companies. Lacework reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Get actionable recommendations on how to improve your security and compliance posture for your AWS, Azure, GCP, and private cloud environments. FREE ASSESSMENT

Streamline security for AWS, Azure, and GCP. Gain unmatched visibility, ensure compliance, and enable actionable threat intelligence.
  • 5. TABLE OF CONTENTS

James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC .......... 06
Milinda Rambel Stone, Vice President & CISO, Provation Medical .......... 08
Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM) .......... 10
Katherine Riley, Director of Information Security & Compliance, Braintrace .......... 11
Darrell Shack, Cloud Engineer, Cox Automotive Inc. .......... 13
Mauro Loda, Senior Security Architect, McKesson .......... 14
Ross Young, Director, Capital One .......... 15
  • 6. “DEVELOPERS NEED TO UNDERSTAND SECURITY FROM THEIR OWN POINT OF VIEW, SO THEY CAN INTEGRATE SECURITY INTO THE COMPLETE SOFTWARE-DEVELOPMENT LIFE CYCLE.”

Making security an essential part of your IT operations requires a disciplined approach to the development process, and that begins with teaching developers security awareness. Developers need to understand security from their own point of view, so they can see and integrate security into the complete software-development life cycle. They need to bring security awareness to the table when they are gathering project requirements, when they are planning their design, when they are building code and doing verification testing, and when they are deploying. This includes understanding the security scanning and checks that are integrated into the pipeline as part of the development process, and making sure those things are done. The ultimate goal is to be in front of the security challenge rather than always having to play catch-up and repair vulnerabilities after deployment.

James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC

James Courtney is a recognized cybersecurity professional who has spoken at multiple conferences, including the CyberMaryland Conference. He is a Certified Chief Information Security Officer (one of 1,172 in the world), serving as the IT network and operations security manager for a private SIP consulting firm in McLean, Virginia.
  • 7. Tools built into the pipeline play an important part in enforcing security checks. How you use them becomes part of your change control management process and how you force checks and security sign-offs. Other security tools that monitor activity in the environment also help determine what is most critical. But education and culture within the organization are important too. For instance, if you determine you need to make an investment equal to 10% of your entire security budget to address a serious vulnerability in your operation, senior management needs to understand why, and they need to have a clear idea of the negative impact of not addressing that vulnerability.
  • 8. “YOU CAN FILTER DATA FROM YOUR SECURITY STACK AND BUILD IT OUT INTO A HEAT MAP THAT HELPS TRANSLATE WHERE YOU ARE INTO BUSINESS LANGUAGE.”

There can be a lot of business and operational reasons for getting code out as fast as possible, and developers are subject to those pressures. But by nature, engineers want to do the right thing. The best way to build secure code is to give developers the tools and incentives to do the job, and make security fun. You need to build security in from an application-security perspective, run code scans from an application-security perspective on a regular basis, and have your teams compete. Gamification is a great way to make security part of the job and to make it one of the things that drive the whole process rather than being an afterthought. Getting security right first costs much less than fixing it after the fact.

Milinda Rambel Stone, Vice President & CISO, Provation Medical

Milinda Rambel Stone is an executive security leader with extensive experience in building and leading security programs, specializing in information-security governance, incident investigation and response, cloud security, security awareness, and risk-management compliance. As a former software engineer, Stone has passion and experience in building cloud security and DevSecOps environments. She currently practices this at Provation, where she is the vice president and chief information security officer (CISO).
  • 9. As part of this, having a DevSecOps mindset is extremely important. If you think about the cloud environment and all the kinds of activities that are happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to get missed. The siloed approach doesn’t work, and it’s more fun to work collaboratively.

Another important part of building security into your cloud operations is maintaining an overarching enterprise security scorecard. You can actually filter data from your security stack and build it out into a heat map that helps translate where you are into business language. The goal is to show the organization where there is security risk, brand risk, product risk, financial risk, and where there are risk trends. Then you can begin having a business conversation about how you address these risks, which are all based on highly technical factors.
  • 10. “WHEN IT COMES TO DEPLOYING APPLICATIONS IN THE CLOUD, AS YOU MOVE TOWARDS CONVENIENCE, YOU LOSE SECURITY.”

When it comes to deploying applications in the cloud, as you move towards convenience, you lose security. It’s a balancing act. That said, there are tools and processes that can enforce more secure practices. For example, a continuous integration, continuous delivery (CI/CD) model leverages known good components as you update your applications. Being more secure in the cloud involves using these kinds of processes to become more disciplined about change management. There are a number of code assessment tools available that can be an integral part of the development process. These tools scan code for vulnerabilities during development and provide vulnerability notifications so that those things can be addressed before code goes to production. The entire DevOps process is becoming a code-based paradigm. It’s also a good practice to have pen testers periodically look at your applications and code from a hacker’s perspective. Use the vulnerabilities they discover as an opportunity to raise awareness among the developers.

Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM)

Paul Dackiewicz has over 10 years of systems engineering and cybersecurity experience in the fields of healthcare, government, and value-added resellers (VARs). He is currently leading the security operations center (SOC) for a premier managed security services provider (MSSP).
  • 11. “COMPLEMENT PLATFORM FEATURES AND CAPABILITIES WITH TOOLS THAT YOU CAN INTEGRATE INTO THE ENVIRONMENT.”

Here are several things you can do to embed security practices into your cloud operations:

- Take the time to architect out your solutions and ask tough questions about how to make them conform to your security framework and what risks you must address. It’s not easy to sit down with everybody in the room, but it is a necessary step.

- Build a DevOps process that uses tools to scan code as you develop it. This should be an automated process that has to happen before code can be promoted.

- Use the cloud provider’s platform to your advantage. Cloud platforms have a lot of security features and process-control functions that can make your cloud infrastructure more secure, if you use them. For instance, Amazon is constantly patching and updating operating system images. Their tools can tell you if operating system patches are relevant to the container configurations you are currently using. This streamlines your own configuration management and redeployment of fresh images.

Katherine Riley, Director of Information Security & Compliance, Braintrace

Katherine (Kate) Riley is skilled in leading teams to define cloud architecture, and in development of controls. She has developed and implemented security frameworks such as ISO and NIST, and performed compliance reviews such as FFIEC, HIPAA, HITRUST, SOX, GDPR, and GLBA.

  • 12. - Complement platform features and capabilities with tools that you can integrate into the environment. You might want to install your own monitoring or behavior-analytics tool, and integrate that with your dashboard or ticketing system. Then you can tune the tool so that you are focusing on what is most critical to the business.
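Added example, not part of the Mighty Guides text or any contributor's code: a small promotion gate of the kind the second point above describes, which refuses to promote a build while scanner findings of blocking severity have no signed-off, unexpired risk exception. The scanner report shape, the finding records and the accepted-risk register are all constructed for illustration (no real tool emits exactly this format); a real pipeline would feed it the scanner's own report and wire the exit code into the promotion stage.

```python
"""Promotion gate over scanner findings (added illustration, not the page's
own code). Assumes a scanner that emits JSON records with the fields used
below; the records and the risk-exception register are constructed."""
import json
import sys
from datetime import date

# Findings at these severities stop promotion unless a current exception covers them.
BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")

# Constructed scanner report; the field names are an assumption, not a real tool's schema.
SCANNER_OUTPUT = json.dumps([
    {"id": "F-101", "rule": "hardcoded-secret", "severity": "CRITICAL", "file": "app/config.py"},
    {"id": "F-102", "rule": "sql-injection", "severity": "HIGH", "file": "app/db.py"},
    {"id": "F-103", "rule": "weak-hash", "severity": "MEDIUM", "file": "app/auth.py"},
    {"id": "F-104", "rule": "debug-enabled", "severity": "LOW", "file": "app/settings.py"},
])

# Constructed accepted-risk register: the business owner signed off on F-102
# for a limited time. The expiry date is what keeps an accepted risk from
# silently becoming permanent.
RISK_EXCEPTIONS = [
    {"finding_id": "F-102", "approved_by": "product-owner", "expires": "2019-12-31"},
]


def load_findings(raw_json):
    """Parse the scanner report into a list of finding dicts."""
    return json.loads(raw_json)


def active_exceptions(exceptions, today):
    """Return the ids of findings whose exception is still in force on `today` (ISO date string)."""
    cutoff = date.fromisoformat(today)
    return {e["finding_id"] for e in exceptions if date.fromisoformat(e["expires"]) >= cutoff}


def evaluate_gate(findings, exceptions, today):
    """Return (passed, blocked): passed is False when any finding of blocking
    severity lacks an active exception; blocked lists exactly those findings."""
    excused = active_exceptions(exceptions, today)
    blocked = [f for f in findings
               if f["severity"] in BLOCKING_SEVERITIES and f["id"] not in excused]
    return len(blocked) == 0, blocked


def gate_report(findings, exceptions, today):
    """Human-readable summary for the pipeline log."""
    passed, blocked = evaluate_gate(findings, exceptions, today)
    lines = [f"promotion {'ALLOWED' if passed else 'BLOCKED'} on {today}: "
             f"{len(findings)} findings, {len(blocked)} blocking"]
    lines += [f"  {f['id']} {f['severity']:<8} {f['rule']} ({f['file']})" for f in blocked]
    return "\n".join(lines)


if __name__ == "__main__":
    findings = load_findings(SCANNER_OUTPUT)
    today = sys.argv[1] if len(sys.argv) > 1 else "2019-06-01"
    passed, _ = evaluate_gate(findings, RISK_EXCEPTIONS, today)
    print(gate_report(findings, RISK_EXCEPTIONS, today))
    sys.exit(0 if passed else 1)  # a non-zero exit fails the promotion stage
```

Run with no argument and the CRITICAL finding blocks the build while the approved HIGH finding is excused; run it with a date after 2019-12-31 and the expired exception no longer counts, so both block. Keeping the register in version control next to the pipeline definition means a sign-off is itself a reviewed change rather than a ticket nobody revisits.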
  • 13. “MAKING SECURITY AN INTEGRAL PART OF YOUR CLOUD OPERATIONS REQUIRES TIGHTLY MANAGED PROCESSES.”

Making security an integral part of your cloud operations requires tightly managed processes. This begins with working closely with your security teams as you design your cloud infrastructure, build out your networks, and allocate available resources. This must all be done in compliance with security standards laid out by your security team. It requires managing the development process so that developers follow rules and practices that enforce security. This includes the tools you use, and an agile development process that might involve daily meetings in which developers can discuss how to build something in accordance with security guidelines. It can involve ticketing systems and collaboration tools that facilitate developers getting answers to business-risk questions that relate to the things they are being asked to build. And it requires maintaining discipline about the development process itself, such as using isolated network environments with strict naming conventions to separate development, staging, and production environments for your applications. The process for architecting and building cloud infrastructure needs to be well controlled from end to end.

Darrell Shack, Cloud Engineer, Cox Automotive Inc.

Darrell Shack is a seasoned system engineer focused on building resilient and high-availability solutions. He has experience in developing solutions in the Amazon Web Services public cloud, helping teams manage their cost and overall application performance in the cloud.
  • 14. “WITH SO MUCH IN THE BUSINESS SUBJECT TO SECURITY RISK, EVERY PERSON HAS A SPECIFIC ROLE TO PLAY.”

With so many business operations happening in complex IT infrastructures, security is no longer the responsibility of only the security team or the compliance team. It must be baked in at the executive level and become a part of the business process. Most enterprise operations are driven by people, processes, and technology, and people are often stretched thin. With so much in the business subject to security risk, every person has a specific role to play. Everything needs to be risk driven. This means treating security and compliance risk as part of business risk. It also means talking about security in terms of business cases, which becomes the common language across the enterprise from the C-suite to business operations. Security frameworks and tools play an important role not only in securely managing IT infrastructures, but also in measuring and scoring risk in ways that make sense for business cases. In this way cybersecurity can become a key consideration in important business decisions.

Mauro Loda, Senior Security Architect, McKesson

Mauro Loda is a passionate, data-driven cybersecurity professional who helped define and drive the “Cloud First” strategy and culture within a Fortune 100 multinational enterprise. He is a strong believer in offensive security and simple-but-effective architecture-defense topology. Emotional intelligence, pragmatism and reliability are his guiding principles. He has achieved numerous industry certifications and actively participates in forums, technology councils, and committees.
  • 15. “BUILDING A SECURE, SCALABLE DEVELOPMENT PROCESS DEPENDS ON AUTOMATION TOOLS, BECAUSE ONE SECURITY ENGINEER CANNOT MANUALLY ASSESS ALL THE APPLICATIONS AND SERVICE INSTANCES…”

The ultimate goal needs to be to build security into the development process and into the code itself. One way to move in this direction is to change the structure of development teams so that their work has more immediate feedback from customers and business leaders. For example, a typical large project might have 10 developers, a project manager, and a scrum master assigned to it. However, a different approach would be to build a team that consists of three or four developers doing the team coding, working in pairs to check for errors. There would be a systems engineer looking at customer requirements and breaking those down to actionable increments on a scrum board. There would also be a person responsible for the human-centric design, building wireframes before the coding begins, and using those to get customer validation early in the development process. And of course the team would have its own security engineer overseeing security of the code, and a project manager over the group. This kind of a team, supported with the right tooling, would be a highly agile group designed to receive almost instantaneous feedback at every stage in the development cycle.

  • 16. Part of this process needs to include building in risk sign-off at the business leader or executive level. This would involve evaluating the product for vulnerabilities and risk, taking the finished product along with the risk evaluation to an appropriate executive who can accept or reject the risk. That makes the final decision about operational risk a business decision, not a security-team decision.

Building a secure, scalable development process depends on automation tools, because one security engineer cannot manually assess all the applications and service instances a team like this could build. And in a cloud environment, you could easily have many teams like this continuously creating new code. Eventually the goal will be to build security control into the code itself. Security management becomes a function built into the instantaneous-feedback loop developers use to advance their code incrementally. When security policy is built as code, then developers can just test against it.

Ross Young, Director, Capital One

Ross Young is a veteran technologist, innovation expert, and transformational leader, having learned DevSecOps, IT infrastructure, and cybersecurity from a young age from both ninjas and pirates. Young currently teaches master-level classes in cybersecurity at Johns Hopkins University and is a director of information security at Capital One.
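Added example, not code from the page, from Capital One or from any contributor: one way security policy can be "built as code" so that developers test their resource definitions against it before anything is deployed. It also covers the earlier point about separating development, staging and production with isolated networks and strict naming conventions, by making those conventions rules. The resource dicts, their field names and the sample resources are an assumed, constructed shape for illustration, not a real infrastructure-as-code format.

```python
"""Security policy as code over cloud resource definitions (added
illustration, not the page's or any vendor's code). The resource dicts below
are an assumed shape, constructed for the example, not a real IaC format."""

ALLOWED_ENVS = ("dev", "staging", "prod")
ADMIN_PORTS = (22, 3389)
ANYWHERE = "0.0.0.0/0"

# Constructed resource definitions for one account hosting several environments.
RESOURCES = [
    {"name": "prod-web-sg", "type": "security_group", "env": "prod",
     "ingress": [{"port": 443, "cidr": ANYWHERE}, {"port": 22, "cidr": ANYWHERE}]},
    {"name": "prod-web-asg", "type": "instance_group", "env": "prod",
     "network": "dev-vpc", "security_groups": ["prod-web-sg"]},
    {"name": "dev-artifacts", "type": "bucket", "env": "dev", "public": True, "encrypted": False},
    {"name": "prod-logs", "type": "bucket", "env": "prod", "public": False, "encrypted": True},
    {"name": "scratch", "type": "bucket", "env": "sandbox", "public": False, "encrypted": True},
]


# Each rule inspects one resource and returns a violation message, or None when it passes.
def rule_env_tag(r):
    if r.get("env") not in ALLOWED_ENVS:
        return f"env must be one of {ALLOWED_ENVS}, got {r.get('env')!r}"
    return None


def rule_name_prefix(r):
    env = r.get("env")
    if env in ALLOWED_ENVS and not r["name"].startswith(env + "-"):
        return f"name must start with '{env}-'"
    return None


def rule_env_isolated_network(r):
    # A prod resource must not sit in a dev or staging network, and vice versa.
    env, network = r.get("env"), r.get("network")
    if env in ALLOWED_ENVS and network and not network.startswith(env + "-"):
        return f"{env} resource attached to {network}"
    return None


def rule_no_admin_ports_from_internet(r):
    for rule in r.get("ingress", []):
        if rule["port"] in ADMIN_PORTS and rule["cidr"] == ANYWHERE:
            return f"port {rule['port']} open to {ANYWHERE}"
    return None


def rule_no_public_buckets(r):
    if r["type"] == "bucket" and r.get("public"):
        return "bucket is publicly readable"
    return None


def rule_buckets_encrypted(r):
    if r["type"] == "bucket" and not r.get("encrypted"):
        return "bucket is not encrypted at rest"
    return None


RULES = [rule_env_tag, rule_name_prefix, rule_env_isolated_network,
         rule_no_admin_ports_from_internet, rule_no_public_buckets, rule_buckets_encrypted]


def evaluate(resources, rules=RULES):
    """Run every rule over every resource; return (resource name, rule name, message) triples."""
    violations = []
    for r in resources:
        for rule in rules:
            message = rule(r)
            if message:
                violations.append((r["name"], rule.__name__, message))
    return violations


def is_compliant(resources, rules=RULES):
    """What a developer's own test suite calls: True only when nothing violates policy."""
    return not evaluate(resources, rules)


if __name__ == "__main__":
    for name, rule, message in evaluate(RESOURCES):
        print(f"{name}: {rule}: {message}")
    print("compliant" if is_compliant(RESOURCES) else "policy violations found")
```

Because the rules are ordinary functions, the security engineer owns the rule list while each product team runs evaluate() in its own unit tests and sees the violation next to the definition that caused it, which is the instantaneous feedback loop described above. Adding a rule is a code change that goes through the same review as any other.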
  • 17. KEY POINTS

Having a DevSecOps mindset is extremely important. Thinking about the cloud environment and all the kinds of activities that are happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to get missed.

When it comes to deploying applications in the cloud, as you move toward convenience, you lose security. It’s a balancing act. That said, there are tools and processes that can enforce more secure practices.

A security heat map can show business leaders where there is security risk, brand risk, product risk, financial risk, and reveal risk trends. With that, you can have business conversations to address these risks, which are all based on highly technical factors.