Organizations have embraced the cloud as a means of expanding their business's value while adding speed and scale to the process, a shift that has been accelerated during the COVID-19 pandemic. What is missing in many organizations, however, is an understanding that speed and security have to be pursued together.
Cloud is a disruptive technology that shifts the focus of IT operations away from on-premises data centers and traditional software development toward a scaled infrastructure and DevOps environment that supports continuous integration/continuous delivery. DevOps raised the bar on speed of delivery, and DevSecOps introduces ideas of continuously managing risk, security, compliance and legal requirements.
Speed vs. security?
What defines the value of technical teams has changed steadily over the years: first infrastructure, then software development and, now, digital product delivery. Hard copies of a compliance report, for example, are now being transferred digitally.
Meanwhile, the cloud lets companies scale their infrastructures and platforms rapidly. It has helped standardize developer tool sets and commoditize infrastructure and development platforms. The challenge that remains, however, is that many people are focused solely on speed. And that's a big problem.
We've seen this play before -- with managed services, for instance, where people plunged ahead without considering the impact on security. But now, with high-profile, damaging and expensive data breaches regularly making headlines, security is a board-level issue that can't be ignored or put on a back burner. IT and operations departments have to provide a level of assurance that cloud adoption will also be secure. This includes having a clear operational plan.
Building a cloud security strategy
For companies moving to the cloud or those in the cloud looking to expand, a few key steps are required to ensure that security is a key part of the process.
Where is your company now?
The first step in developing a cloud security strategy is understanding the organization's current state and what its future state in the cloud will look like. This leads to the development of a strategic governance model, which helps define the competencies needed. Examples include tool automation capabilities, an understanding of compliance and risk, and the ability to integrate cloud platforms with on-premises ("ground") platforms.
Organizations also need to take inventory of their tools and current skill sets because they will need to implement training programs, change management, migrations and other steps. They need to think about specific system integrations in a hybrid cloud environment. An organization has to methodically think through all of these steps.
A governance framework
Once an organization has mapped out what to do, it needs to define the respective roles of the CIO, chief risk officer, developers, security engineers and others who will be working to enable cloud security. Those roles feed into a security fabric that establishes how all of these teams connect in their day-to-day processes -- for example, how a recommendation from a threat modeler becomes a mandate for a systems designer -- with the shared goals of speed, security and regulatory compliance.
Finally, a company has to implement metrics focused on measuring two things: which processes are getting the job done quickly -- speed to market -- and how well the security controls are working. This involves the convergence of what used to be two largely independent groups: the technology deployment and delivery teams, and the risk, security and compliance teams. Companies, currently at least, are thinking about this, and some are already doing it. But most still have yet to put it into practice.
It's a thorough process, and no standards currently exist to help guide or set examples for organizations. But these steps are necessary to secure the data and systems that are the lifeblood of businesses today. A company that can execute this well will make it through the storm.
About the author
Altaz Valani is research director at Security Compass, responsible for managing the overall research vision and team. Prior to joining Security Compass, Valani was a senior research director at Info-Tech Research Group, providing CIOs, IT managers, directors and senior managers with trusted advice and analysis around application development, including Agile, cloud, mobile and the overall software development lifecycle. Other past roles include senior manager at KPMG and various positions where he worked side by side with senior-level stakeholders to drive business value through software development.