According to Cybersecurity Ventures, worldwide spending on cybersecurity will top $1 trillion between 2017 and 2021. From the barrage of cyberattacks on enterprises to new threat vectors within networks due to the move to the cloud, CIOs and CISOs have more concerns with cybersecurity than ever before. Cloud has brought benefits such as agility, scalability, and cost savings to business. Unfortunately, more often than not, security can't keep up.
Many businesses have witnessed the benefits of cloud firsthand. To enable developers to do what they want, when they want, as fast as they want, they are adopting an “always-on” culture to streamline inefficiencies and maximize productivity; however, this degree of freedom doesn't come without security challenges.
Achieving agile security in the cloud is a challenge many companies are beginning to face as they deploy cloud environments. To create a security mindset among developers while providing security tools that matched the pace of development, businesses are using new technologies, best practices and a DevSecOps approach to accelerate innovation while maintaining security. These tactics allow developers to securely tap into cloud infrastructure and agile development without slowing innovation. Below are 10 guidelines that will help your organization achieve agile security.
1. Change the Mindset of Dev and Ops Teams – Developer and operations teams often see security as the anchor dragging productivity in the sand. While cloud has brought these two closer together, security is often an outlier. Introduce a new perspective that demonstrates how security can keep up with the pace of development, from day one.
- Introduce a DevSecOps Approach to Security Teams – In order to move on projects and continuously iterate and deploy new products and solutions, enlist security teams to become “security as a service,” allowing them to operate as a supplier within your organization's walls. Make sure rapid response teams are running 24/7, and that product security teams are aligned with the same trajectory as the rest of the organization.
- Standardize on Core Security Principles – To achieve an “always on” culture while maintaining an agile and secure state, aim to execute on three core security principles that map back to DevSecOps: API-driven security, security at speed, and security on-demand.
- Adopt “API-driven security” – Steer away from traditional security systems managed by people logging into a console. By taking the human element away from the process, your organization can establish a continuous integration methodology, which gives consistency of delivery. For example, if a security policy needed to be adjusted, you'll only do it once, eliminating inconsistency in the system or unnecessary outages.
- Create a Security Rapid Response Team – Fast response times are imperative to giving a tech company competitive advantage. To enact “security at speed,” implement continuous measuring, testing and monitoring in an effort to iterate quickly.
- Make Use of the Cloud – To achieve “security on-demand,” deploy cloud-based technology to ensure your security posture was never static. Your organization can also work closely with leading enterprise security vendors to build scalable commercial and technical models to allow for on-demand security systems. This gives your security teams the ability to scale infrastructure up and down as needed.
- Deploy a Code-Driven Security Infrastructure – Security shouldn't have to be built up from scratch over and over. Deployment of a code-driven security infrastructure allows for the repeatable and automated build and management of security systems.
- Prioritize Visibility and Management – Your organization will likely want to pay for what it uses rather than peak cloud usage. Work with Amazon Web Services and other vendors allows you to adopt an agile, responsive approach to infrastructure and to build dynamic commercial and support models. End-to-end visibility allows you to take a granular approach to managing configuration of open-source tools that help the security team keep track of deployment, usage and management of cloud services.
- Adopt Elasticity and Automation – As a central tenant of a defense in depth strategy, use an automated security solution to monitor, detect and defend at the Host level. This strategy is central to the agile approach to security, from deployment through to operations.
- Secure Support from Decision-Makers – Buy-in and support from key decision-makers enforces intention. To solidify its support of agile security, round up your decision makers and demonstrate support from soup to nuts. Security and speed are not mutually exclusive; if a security team isn't agile, it can block the pace of an organization. Once the effort is supported from the top, you'll achieve continuous and secure innovation with agile security.