Want to scale security? Open up and embrace the code
Anton Chuvakin
Security Advisor, Office of the CISO, Google Cloud
David Stone
Solutions Consultant, Office of the CISO, Google Cloud
In this edition of our Security Leaders Survival Guide, we explain why scaling security with code can be a valuable game-changer for organizations.
Hear monthly from our Cloud CISO in your inbox
Get the latest on security from Cloud CISO Phil Venables.
Subscribe“How to scale compliance, risk, and security across myriad complex systems and environments,” might sound like the title of a self-help pamphlet for financial institutions, but it’s also an accurate description of why they’re often hesitant to take the leap to the cloud.
Security controls need to keep pace as the business accelerates, and part of doing that is to scale security in a way that alleviates the toil of manual processes.
“As financial services institutions are using cloud to speed innovation, refine customer experience, and reduce costs, cloud initiatives are often slowed by governance, regulatory compliance, and security expertise challenges. These challenges can only be overcome with compliance that is automated and agile and controls that are tailored to specific cloud environments and regulatory standards,” said Don Duet, co-founder and CEO, Concourse Labs.
When we meet with customers, we see that many have established a manual risk assessment program or gating at the end of a production cycle to assess a project’s security and risk posture.
This can be problematic because it’s almost always a holdover from pre-cloud days. Many manual processes don’t scale and therefore struggle to take advantage of all the benefits of digital transformation. How should business leaders move forward to address problems around scaling security in the cloud? Follow the lead of your developers: Make as much into code as you can.
Do as developers do: X as code
The “as code” approach enables machines and processes to work consistently and continuously. It was developed to help indicate when software code could be used to replace manual toil, originally for infrastructure as code and policy as code, but since has been broadened to encompass security as code and detection as code.
Implementing security as code brings tangible benefits to organizations up and down the chain of command, including:
- Improved security: Security as code can help you to find and fix security vulnerabilities early in development, before they can be exploited by attackers. This can help you to improve the overall security hygiene of your applications.
- Reduced risk: Security as code can help to reduce the risk of security breaches by automating the security process. This can help you to identify, prioritize, and fix vulnerabilities more quickly, and to ensure that the most critical vulnerabilities are not overlooked.
- Increased consistency: Security as code can help to increase the efficiency of your security process by automating “toilsome” tasks that would otherwise be done manually. Manual activities create inconsistencies and inefficiencies that are squeezed out by the “as code” approach.
- Better collaboration: Security as code can help to improve collaboration between security, platform, and development teams by making it easier to work together to secure applications that are built rapidly and run securely.
Right now is the right moment because organizations now have the ability to implement compliance, risk, and security as code in the pipeline, coupled with the ability to express, monitor, and measure relevant metadata.
Teamwork makes the cloud work
Increasingly, financial services organizations are realizing that business success is tied to speed of software delivery. That velocity is often hard to achieve because most IT organizations are siloed across developers, operations, and platform teams with different processes, tools, and cultures. Too many teams work independently of each other, tied up in dealing with day-to-day security requirements and issues. They’re not tightly integrated, nor do they engage in regular communications.
This is not the optimal way to move ahead. It creates issues around how fast code can come out, a problem that needs to be resolved before the cloud can truly be adopted at scale. As a bonus, it creates roadblocks to dealing with security threats and consistent security adoption across the organization. If IT and your business are moving fast, and security (as well as compliance) is going slowly, two things are likely to happen: First, IT breaks and then everything breaks. And second, security gets left behind. It’s a lose-lose proposition.
The cloud ideal: Shift left to scoped collaborative responsibility
The goal is to improve development velocity by shifting your security and compliance practices into the development pipeline — and automating responsibility boundaries as configuration and policy. In this way, you generate immediate feedback to developers at every stage, making sure issues can be corrected and nothing breaks through the guardrails you have set.
We see the workflow like this:
How Google Cloud can help you map this journey
Google Cloud launched a risk and compliance as code (RCaC) solution to allow organizations to enable security and continuous compliance through code. The key building blocks of the solution are tools and best practices that allow you to strengthen your capabilities for preventative controls, detections, and drift remediation.
The “as code” approach also allows — with appropriate systems in place — to create robust audit trails for changes and other activities that make the change management dramatically easier. Of course, this is only transparent and auditable if the auditors can understand what the code states and what controls are being enforced. Compliance and audit teams need to transform and grow these skills to reap the benefits.
With RCaC, our goal is to provide your financial services organization with the necessary components to express security and compliance requirements as code and shift left.
Even when fully embraced by an organization, this transformation is a multiyear journey. Implementing RCaC requires substantial policy, architectural, and cultural changes for all organizations with traditional IT. Financial services organizations from leadership on down should evolve their mindset from compliance being either reactive or being perceived as a “check box” exercise, or what’s often referred to as “point in time” compliance, to continuous compliance.
The RCaC framework looks like this:
Through the RCaC solution, you can introduce automation via infrastructure as code (IaC) and policy as code (PAC) in the form of blueprints. This lays the foundation for preventative controls. It’s what enables security and compliance practices to shift left — by evaluating IaC and PaC templates for security and compliance violations before they’re used in a build.
The benefits of adopting the X as code framework
With RCaC, our goal is to provide your financial services organization with the necessary components to express security and compliance requirements as code and shift left. This in turn can lead to reduced risk and impact of misconfigurations. You’re building a compliance and security monitoring environment based on automation and code.
Equally important, you’re taking the necessary steps to encourage a shift in your organization’s culture to merge historical silo objectives into one common organizational objective to reduce friction between developers and security and compliance teams.
The IT and business benefits are clear: Cloud security becomes more consistent and repeatable, because security keeps up with IT speed instead of dragging it down. What’s more, continuous compliance becomes easier to audit.
