Defining Cloud Security Ownership with DevSecOps

By Fortinet | November 26, 2019

This is a summary of an article written for by Lior Cohen, Fortinet’s Senior Director of Products and Solutions, Cloud Security. The entire article can be accessed here.

The more digitally mature a company becomes, the deeper it gets into cloud services - introducing complexity into operating environments. As organizations try to manage their growing body of digital networks and cloud services, the dividing line of responsibility is increasingly blurred. At larger organizations, this complexity is amplified as various lines of business manage their own cloud budgets and development resources.

While that may work well for the departments who benefit from managing their own digital partnerships, it presents a challenge where security is concerned. Among the different parties involved – IT, lines of business, or the cloud provider – who’s responsible for the various aspects of security?

Without end-to-end visibility, IT managers struggle to implement a centralized security strategy and consistent security policies. As a result, important data is increasingly put at risk.

Shared Responsibility Model Creates Gray Areas

Gray areas in the shared responsibility model lead to security gaps. This is especially complex when leveraging tools obtained in the cloud marketplace.

Cloud providers offer a host of solutions, add-ons, and security solutions through cloud marketplaces. While it might seem that these tools, purchased through the cloud provider, would fall under their responsibility, the reality is that once the customer configures these tools, they agree to take responsibility for their security. Unfortunately, accepting responsibility doesn’t always correlate with understanding what’s entailed.

The best solution to determining who is responsible for a security event (vendor, provider, or customer) is to employ root cause analysis (RCA). RCA will identify any potential threats, determine the root cause of the event, and then plot a course of action. This typically involves notifying key stakeholders, initiating threat analysis, establishing processes to orchestrate responses and resources between all parties, and digitizing/mapping details to the related cloud technologies.

Determining Security Responsibility

If the first course of action is to parse out exactly who’s responsible for what (among vendors, providers, and customers), the next step is to zoom in and decide who’s responsible within the organization.

If responsibility does lie within the organization, managers will have to engage at a level of granularity that they may not be accustomed to. Part of the challenge is that many organizations have taken an ad hoc approach to their cloud development strategies. Today’s organizations often have multiple dynamic cloud environments in place, each of which might be owned by a different internal department that worries that interference from the central IT team will harm performance.

These teams fear losing the very benefits that enticed them to move to cloud services in the first place: speed, flexibility, and control. One such example is DevOps, where speed and efficiency are crucial for delivering business-critical applications. Any security implementation that hinders speed will be seen as threatening their primary objectives.

Traditional IT teams and DevOps teams are often at odds here. IT will suggest the use of security tools that DevOps see as causing bottlenecks, which runs counter to their primary objectives. However, while DevOps may be highly proficient at building out applications, they often lack the expertise to do so securely.

Achieving Security and Performance with DevSecOps

One solution that seems to work for organizations who find themselves in this fix is to add a cybersecurity specialist to each DevOps group to create a “DevSecOps” team. This DevOps security specialist (or team of specialists) can guide application developers through the shared responsibility model, helping them stay on track with both development and security requirements. They’re also there to provide strategies for consistent security policies across and between all their cloud instances, all while protecting the DevOps mission of achieving high performance.

Once a DevSecOps team has been created, it can effectively select, deploy, and manage tools that better equip the organization to meet both goals of speed and security. Take, for instance, security solutions that are offered as a service (SaaS). Cloud-based web application firewalls, for example, can self-scale, which allows web apps to grow as needed without compromising security. The right tools can also be eased into deployment with minimal effort. Some even have built-in functions that cover security during deployment, maintenance, scaling, and all the fine-tuning that needs to take place throughout ongoing use and development.

Automation also plays an important role. Set up properly, automated processes can check configurations and scan for malware – two processes that are often put on the back burner due to the time and resources required to perform them manually. The DevSecOps team can help select and design the right automated cloud security solutions that cover all the right security bases:

  • Automatically scanning for vulnerabilities in the public cloud
  • Automatically assessing tool configurations
  • Dynamically securing stored data
  • Pinpointing misconfigurations
  • Scanning files in the cloud
  • Protecting sensitive information by preventing unauthorized downloads
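As an added example (not from the article, and not Fortinet's own tooling), this is the kind of automated configuration assessment a DevSecOps team might wire into a deployment pipeline: it runs over a constructed inventory whose field names are assumptions rather than any provider's real API, and flags public storage, unencrypted storage, and administrative ports exposed to the whole internet.

```python
"""Automated misconfiguration check over a constructed cloud inventory.
Added example; the JSON shape and field names are assumptions."""
import json

# Constructed sample inventory (not real data): two buckets, two security groups.
SAMPLE_INVENTORY = """
{
  "storage_buckets": [
    {"name": "team-reports", "public_read": true, "encryption_at_rest": false},
    {"name": "build-artifacts", "public_read": false, "encryption_at_rest": true}
  ],
  "security_groups": [
    {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"name": "db-sg",  "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                   {"port": 5432, "cidr": "10.0.0.0/8"}]}
  ]
}
"""

# Management and database ports that should never be reachable from any source.
ADMIN_PORTS = {22, 3389, 3306, 5432, 27017}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def assess(inventory: dict) -> list:
    """Return one finding string per misconfiguration; empty list if clean."""
    findings = []
    for bucket in inventory.get("storage_buckets", []):
        if bucket.get("public_read"):
            findings.append(f"bucket {bucket['name']}: public read access")
        if not bucket.get("encryption_at_rest"):
            findings.append(f"bucket {bucket['name']}: not encrypted at rest")
    for sg in inventory.get("security_groups", []):
        for rule in sg.get("ingress", []):
            if rule["cidr"] in ANY_SOURCE and rule["port"] in ADMIN_PORTS:
                findings.append(
                    f"security group {sg['name']}: port {rule['port']} open to {rule['cidr']}")
    return findings


def assess_json(text: str) -> list:
    """Parse an inventory document and assess it."""
    return assess(json.loads(text))


if __name__ == "__main__":
    results = assess_json(SAMPLE_INVENTORY)
    for finding in results:
        print("FINDING:", finding)
    # A non-zero exit fails the pipeline stage, so a misconfigured deploy stops here.
    raise SystemExit(1 if results else 0)
```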

Executive Support is the Key Ingredient

As digitization becomes a key differentiator in today’s marketplace, it’s more apparent to leaders that web applications (and how they’re managed) are a critical component of any successful business strategy. DevOps objectives, as a result, have moved up into the C-suite and are now a common agenda item at board-level discussions.

However, as executives push to accelerate their digital transformation initiatives, the security risks mount as they lose sight of how the aggressive pace of cloud adoption and ad hoc application development can complicate security matters.

Moving from DevOps to DevSecOps means that security can be a priority from day one of each new cloud environment. The DevSecOps team can also develop the necessary RCA cloud security playbooks and ensure that those guidelines are followed. They’ll also help select security solutions designed to protect the company’s growing body of digital resources while preventing unreasonable risks from entering the environment. DevSecOps can even directly affect the bottom line by helping to prevent violations of regulatory requirements and the fees and penalties that come with them.

Any one of these DevSecOps benefits should be reason enough to make executive stakeholders take notice and offer full support going forward.

Learn more about how Fortinet’s dynamic cloud security solutions give organizations the confidence to deploy any application on any cloud infrastructure. 

Read these customer case studies to see how Cuebiq and Steelcase implement Fortinet’s dynamic cloud security solutions for secure connectivity from data center to the cloud.