Cloud-native and cloud migration projects can stall if multi-cloud security and compliance methods are not carefully reexamined. Agility and security are not mutually exclusive. By linking security and compliance management with asset discovery and ITSM, scrum teams can more easily visualize, triage, and remediate the security posture of the microservices they develop. In this way, cloud security posture management is embedded within the SDLC, resource dependencies are understood, and security incidents and changes are managed smoothly. Business agility accelerates without compromising security and compliance.
The Problem / Negative Impact
The cloud is no longer a hyped-up future state, but a present-day reality as 91% of enterprises use public cloud. Gartner projects $90 billion will be spent in 2020 on IaaS and PaaS services. While the growth continues unabated – 24% YOY – organizations are vexed about securing their public cloud footprint. To punctuate that point, 93% are worried, so much so that 55% expect to deploy a new cloud security solution within the next year. Clearly, current tools and methods for cloud security are not good enough for the majority of enterprises.
Despite those concerns, our appetite for cloud IaaS and PaaS shows no sign of waning. An organization’s cloud footprint is constantly changing and ever-growing. An army of developers are using CI/CD pipelines to continuously push updates for their microservices that live in the cloud. Those cloud-native apps are composed of cloud IaaS and PaaS resources, every instance of which must be appropriately configured if they are to be secure, and therein lies the problem. The misconfiguration of cloud resources remains the leading cause of cloud security failures.
The Case for App-Centric Security
Enable Agility, Don’t Hinder It
While the concept of app-centric security itself is straightforward – simplify security for the developers, so that they can own and manage the security posture of their cloud applications – the implementation is much more intricate. Simplifying security for the developers is a multi-layered challenge, so it is important to understand why we should undertake this mission.
According to SiriusDecisions, a full 78% of organizations use agile methods in R&D. This means the cloud footprint is constantly evolving as developers relentlessly innovate. While innovation is imperative to competitive advantage, so is information security. Yet, security methods all too often remain manual or ad-hoc, which is completely incongruent with the scale and rate of change that the cloud delivers. The inevitable bottlenecks then grind the gears of agility. The enterprise needs fewer vulnerabilities to be promoted from development (hereafter, “DEV”) into production (“PROD”), but they also need to innovate faster. And this means shifting security left into the software development lifecycle (SDLC).
Automated asset discovery and dependency mapping. First, developers need a means to automate asset discovery and application mapping across multiple cloud environments. This reveals the dependencies between the multi-cloud IaaS and PaaS resources which the app/microservice uses and allows for the logical grouping of these assets within a “business service.” This information is then available to a cloud security solution which presents the security posture of the logical grouping of those resources. As such, asset discovery and dependency mapping are foundational to the job of app-centric security posture management.
Automated security checks and remediation. Next, a developer needs an automated means of checking the secure configuration of their multi-cloud resources. Developers should have complete autonomy and accountability to manage their multi-cloud security posture for their application. The security solution should ingest the logical “business service” groupings – created during automated asset discovery – which in turn allows the developer to quickly visualize their app’s security posture and prioritize their security backlog. Then, automated remediation further simplifies security for the developer: simply click a button.
In summary, a fundamental imperative of simplifying security for the developers requires:
- automated resource discovery and dependency mapping
- logical grouping of resources into a business service
- automated, policy-based security and compliance checks and remediation
- multi-cloud support and a REST API
- presenting security posture of a business service in a visually intuitive manner
These requirements simplify the security lift for developers, so that security is more readily embedded within the SDLC and fewer risky configurations are promoted to PROD. The Operations team can then continuously monitor PROD for configuration drift, with the same multi-cloud configuration solutions used in DEV. The Security team is then free to rise above manual or ad-hoc policing of the rapidly changing cloud footprint and deliver the higher value work which every Security team knows is out there, but rarely has time to execute.
Asset Discovery and Dependency Mapping
As data centers give way to public and private clouds, new flexible, cloud-native applications help drive the business forward. These cloud environments and cloud-native apps must coexist with legacy infrastructure and software. Not surprisingly, organizations which lack visibility into how their cloud-native services are implemented struggle with their digital transformation. Automated asset discovery and dependency mapping provides the trusted foundation that catalyzes that digital transformation by enabling LOB stakeholders to monitor, secure, optimize, and service their hybrid cloud infrastructure in the way the business thinks of it – through an application-centric lens.
Once the resource dependencies are mapped, the app’s resources are logically grouped into a “business service.” This logical group can then be leveraged by the business stakeholders in creative ways, such as managing resource allocation, optimizing cost, or continuously managing security and compliance of just that specific business service.
Automated, agentless discovery of multi-cloud infrastructure and applications keeps the dependency map updated as quickly as the scrum team can push updates. The ability to map discovered resources into a model of the business service from any point within the app reduces the need for application-specific expertise. This visually intuitive abstraction
App-Centric Security Posture Management
Once multi-cloud resources are found, dependencies mapped, and business services logically grouped, a cloud security solution can ingest this information and add security context. Automated checks of the business service’s resource configurations against a library of security and compliance policies present a real-time view of the developer’s security posture.
Closed-Loop Security Incident Management
Automating the “find and fix” makes security easy for the developers, so they can focus on “telling time instead of building a watch.” Since most organizations use multiple clouds, and that cloud footprint is constantly changing, it is important to manage that change smoothly. Native integration with the service desk for incident and change management is key to having a fully documented audit trail: every finding becomes a tracked ticket, and a ticket is closed only when a re-check confirms the fix actually landed.
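The following is an added example, not code from the original paper or from any product it describes. It models, end to end and offline, the loop the paper lays out: the requirement list (discovery, dependency mapping, grouping into a business service, policy-based checks and remediation), the per-service posture view, and closed-loop incident handling with a service-desk-style audit trail. The inventory is constructed for the example and stands in for a discovery API’s output; the resource ids, the policy library, the severity scale and the `SEC-n` ticket format are all hypothetical.

```python
"""Added example (not from the original paper): app-centric posture management
over a constructed inventory: discover -> map dependencies -> group into
business services -> policy checks -> remediate -> record the closed loop."""
import copy
from collections import deque

# Constructed inventory, standing in for what a multi-cloud discovery API returns.
# Only two resources carry the business_service tag; dependency mapping has to
# propagate ownership along the "uses" edges to everything the app depends on.
INVENTORY = [
    {"id": "vm-orders-1", "type": "vm", "tags": {"business_service": "orders-api"},
     "config": {"public_ip": True}, "uses": ["sg-orders", "bucket-orders-data"]},
    {"id": "sg-orders", "type": "security_group", "tags": {},
     "config": {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                            {"port": 443, "cidr": "0.0.0.0/0"}]}, "uses": []},
    {"id": "bucket-orders-data", "type": "bucket", "tags": {},
     "config": {"public_read": True, "encryption": None}, "uses": []},
    {"id": "bucket-billing-export", "type": "bucket", "tags": {"business_service": "billing"},
     "config": {"public_read": False, "encryption": "AES256"}, "uses": []},
]

SEVERITY = {"high": 3, "medium": 2, "low": 1}  # hypothetical scale


def _ssh_open(cfg):
    return any(r["port"] == 22 and r["cidr"] == "0.0.0.0/0" for r in cfg["ingress"])


def _close_ssh(cfg):
    cfg["ingress"] = [r for r in cfg["ingress"]
                      if not (r["port"] == 22 and r["cidr"] == "0.0.0.0/0")]


# Hypothetical policy library: (policy id, resource type, severity,
# violated(config) -> bool, remediate(config) mutating the config in place).
POLICIES = [
    ("BUCKET_PUBLIC_READ", "bucket", "high",
     lambda c: c["public_read"], lambda c: c.update(public_read=False)),
    ("SG_SSH_FROM_ANYWHERE", "security_group", "high", _ssh_open, _close_ssh),
    ("BUCKET_UNENCRYPTED", "bucket", "medium",
     lambda c: c["encryption"] is None, lambda c: c.update(encryption="AES256")),
    ("VM_PUBLIC_IP", "vm", "low",
     lambda c: c["public_ip"], lambda c: c.update(public_ip=False)),
]


def map_services(inventory):
    """Dependency mapping: BFS from each tagged root along 'uses' edges; every
    reachable resource joins that root's business service."""
    by_id = {r["id"]: r for r in inventory}
    service_of = {}
    for root in (r for r in inventory if "business_service" in r["tags"]):
        queue = deque([root["id"]])
        while queue:
            rid = queue.popleft()
            if rid in service_of:
                continue  # first owner wins; also terminates on cycles
            service_of[rid] = root["tags"]["business_service"]
            queue.extend(by_id[rid]["uses"])
    for r in inventory:  # unreachable resources are flagged, never silently dropped
        service_of.setdefault(r["id"], "unassigned")
    return service_of


def evaluate(inventory, service_of):
    """Run every applicable policy; return findings sorted as a backlog
    (highest severity first, then by service and resource)."""
    findings = [
        {"service": service_of[r["id"]], "resource": r["id"],
         "policy": pid, "severity": sev}
        for r in inventory
        for pid, rtype, sev, violated, _ in POLICIES
        if r["type"] == rtype and violated(r["config"])
    ]
    findings.sort(key=lambda f: (-SEVERITY[f["severity"]], f["service"], f["resource"]))
    return findings


def posture(findings):
    """Per-business-service view: open findings and the worst severity."""
    view = {}
    for f in findings:
        entry = view.setdefault(f["service"], {"findings": 0, "worst": "low"})
        entry["findings"] += 1
        if SEVERITY[f["severity"]] > SEVERITY[entry["worst"]]:
            entry["worst"] = f["severity"]
    return view


def remediate_closed_loop(inventory, findings):
    """Closed loop: open one ticket per finding, apply the policy's fix on a
    copy of the inventory, re-evaluate, and mark a ticket resolved only if its
    finding actually cleared. Returns (fixed inventory, ticket audit trail)."""
    fixed = copy.deepcopy(inventory)
    by_id = {r["id"]: r for r in fixed}
    fix_for = {p[0]: p[4] for p in POLICIES}
    tickets = []
    for n, f in enumerate(findings, 1):
        tickets.append({"id": f"SEC-{n}", "state": "open", **f})  # hypothetical format
        fix_for[f["policy"]](by_id[f["resource"]]["config"])
    still_open = {(f["resource"], f["policy"])
                  for f in evaluate(fixed, map_services(fixed))}
    for t in tickets:
        t["state"] = "open" if (t["resource"], t["policy"]) in still_open else "resolved"
    return fixed, tickets


if __name__ == "__main__":
    svc = map_services(INVENTORY)
    backlog = evaluate(INVENTORY, svc)
    print(posture(backlog))
    _, trail = remediate_closed_loop(INVENTORY, backlog)
    for t in trail:
        print(t["id"], t["state"], t["service"], t["resource"], t["policy"])
```

Two design points matter in practice. Ownership is derived from the dependency graph rather than from tags alone, so the untagged security group and bucket the VM depends on land in the `orders-api` backlog instead of an orphan list. And the ticket is closed by a re-check of the fixed configuration, not by the act of applying the fix, which is what makes the audit trail evidence rather than a log of button presses.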