Developer-first security is the future in the cloud. After all, the responsibility for cloud security rests with developers and DevOps teams, not IT security.
In the days of the on-premises data center and early cloud adoption, application developers, infrastructure operations, and security roles were largely siloed. In the cloud, this division of labor lengthens time-to-market for innovation, reduces productivity, and invites unnecessary risk.
In a data center environment, developers create software applications, IT teams create the infrastructure needed to run those applications, and security teams ensure that applications and infrastructure are secure.
However, developers must build software within the constraints of the underlying infrastructure and operating systems, and security processes dictate how fast everyone can go.
So, when security discovers a vulnerability in production, the remediation process typically involves all stakeholders—and considerable rework.
Cloud security disruption and the role of developers
By freeing teams from the physical constraints of the data center, the cloud is bringing about the most significant shift in the IT industry in decades.
But it took years for organizations to start unlocking the true potential of the cloud as a platform for building and running applications rather than using it as a platform for hosting third-party or data center-migrated applications.
When the cloud is used simply as a “remote data center,” the classic division of labor is transferred, and much of the cloud’s potential is not realized.
But the shift to using the cloud as a platform to build and run applications is disrupting security in profound ways.
From a cloud customer perspective, platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud are 100% software, and developers are now programming the creation and management of their cloud infrastructure as an integral part of their applications.
This means that developers are designing their cloud architecture, configuring critical security settings, and then constantly changing them.
An opportunity for organizations
This shift represents a massive opportunity for organizations operating in highly competitive industries because application and cloud teams can innovate much faster than in a data center.
But it presents a severe challenge for teams that need to secure increasingly complex and highly dynamic cloud environments.
An effective way to address cloud security today is to empower developers who build and operate in the cloud with tools that help them move forward with security.
Failing to do so makes security the limiting factor in how quickly teams can enter the cloud and how successful digital transformation can be.
To understand what it means to empower developers in cloud security, we need to define what we mean by the developer. It’s a broad umbrella covering several different roles, including:
- Application developers who build in the cloud and leverage native cloud services as integral components of the application. In this model, the boundary between application and infrastructure is arbitrary and fuzzy, if not disappearing altogether.
- Cloud engineers (i.e., DevOps) who use infrastructure as code (IaC) to program the configuration, deployment, and management of cloud infrastructure environments and deliver that infrastructure to application developers.
- Cloud security engineers who use policy as code (PaC) to express security and compliance policies in a language other applications can use to automatically validate security, and who sell these PaC libraries to teams across the organization.
Regardless of their job descriptions, developers control their cloud computing infrastructure because the cloud is entirely software-defined.
When they build apps in the cloud, they also create the infrastructure for the apps using IaC, and developers own that process.
Cloud Security policy and compliance as code
This means that the internet security team’s role has evolved to become that of the domain expert who imparts knowledge and rules to developers to ensure they work in a secure environment.
Instead of expressing these rules in human language for others to understand and interpret, they use PaC, which checks other code and running environments for unwanted conditions.
The PaC empowers all cloud stakeholders to operate securely without ambiguity or disagreement about the rules and how to apply them at both ends of the software development lifecycle (SDLC).
Organizations that understand security in the cloud advocate adopting the DevSecOps model and allow developers to ensure the safety of applications after deployment.
IDC predicts that an increasing number of developers (over 43 million by 2025) will be fully responsible for their code’s ongoing performance and security once it is running.
For some time, applications have involved an SDLC that includes building, testing, deployment, and monitoring phases.
The “shift left” movement in application security has generated significant ROI in speed, productivity, and security because it is easier, faster, and safer to fix problems early in the lifecycle.
With the adoption of IaC, cloud infrastructure now has its own SDLC, meaning that cloud security can and should be addressed in the pre-deployment phases.
Lack of security in the developer’s configuration
The main concern with cloud security is misconfiguration, but it is essential to recognize that misconfiguration on the part of developers.
This is anything in your cloud environment that proves to be ineffective in stopping a hacker. We are most familiar with the individual resource misconfigurations that are often highlighted in news coverage of cloud breaches, such as leaving a dangerous port open or allowing public access to an object storage service.
But misconfigurations also involve a misconfiguration of the entire environment – the architectural vulnerabilities that give attackers the power to discover, move and extract data.
Every major cloud breach involves exploiting these design flaws in cloud environments — or compromising the control plane.
The control plane is the API surface used to configure and operate the cloud. For example, you can use the control plane to build a container, modify a network route, and gain access to data in databases or database snapshots.
(Accessing snapshots is more popular with hackers than hacking live production databases.) In other words, the API control plane is the collection of APIs used to configure and operate the cloud.
The role of APIs
APIs power cloud computing. They eliminate the need for a fixed IT architecture in a centralized data center.
The APIs also mean that attackers don’t have to respect the arbitrary boundaries companies set around the systems and data stores in their on-premises data centers.
While identifying and correcting misconfigurations is a priority, it is essential to understand that misconfigurations are only a means to an attacker’s goal: control plane compromise.
This has played a central role in every significant breach in the cloud to date.
Empowering developers to secure the cloud
Enabling developers to find and fix cloud misconfigurations when developing IaC is critical, but equally important is providing them with the tools they need to design a cloud architecture that is inherently secure against today’s control plane compromise attacks.
There are five steps any organization can take to effectively enable developers to operate securely in the cloud:
Understand your cloud and SDLC environment
Cloud Security teams must embed engineers into the Applications and DevOps teams to understand everything that is running, how it is configured, how it is developed and deployed, and changes as they happen.
You must know which applications are associated with cloud resources, any data, and how they are used.
Think Like a Hacker to Identify Control Plane Compromise Risks
Prioritize secure design and avoid misconfigurations. Once a control plane compromise attack is in progress, it is often too late to stop.
Adequate security in the cloud requires preventing the conditions that make these attacks possible.
Build security across the cloud SDLC to detect misconfigurations before they are deployed and focus on designing inherently secure environment architectures.
Empower developers with tools that guide them through security
Developers are moving fast, and any security tool needs to work the way they do if we expect adoption without impacting speed.
Cloud security tools should provide developers with helpful, actionable feedback on security issues and how to quickly fix them so they can get on with their work.
Adopt policy as code for cloud security
PaC helps security teams scale their efforts with the resources at their disposal, empowering all cloud players to operate securely without ambiguity or disagreement about the rules and how they should be enforced.
It aligns all teams under a single source of truth for policy, eliminates human error in interpreting and enforcing policy, and enables cloud security automation (assessment, enforcement, etc.) at every step of the SDLC.
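The kind of pre-deployment check that policy as code performs, as an added example (not from the original article): it evaluates a constructed sample, shaped like the `resource_changes` array of `terraform show -json`, for an internet-exposed admin port and a public object storage ACL. The resource types, the port set, and the function names are assumptions chosen for illustration.

```python
import json

# Constructed sample shaped like the "resource_changes" array of `terraform show -json`.
PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"after": {"ingress": [
     {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
     {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"after": {"acl": "public-read"}}},
  {"address": "aws_s3_bucket.app", "type": "aws_s3_bucket", "change": {"after": {"acl": "private"}}},
  {"address": "aws_security_group.old", "type": "aws_security_group", "change": {"after": null}}
]}
""")

ADMIN_PORTS = {22, 3389}            # assumption: ports this policy treats as dangerous
WORLD = {"0.0.0.0/0", "::/0"}       # "anyone on the internet", IPv4 and IPv6

def open_admin_port(after):
    """Flag ingress rules that expose an admin port to the whole internet."""
    for rule in after.get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        lo, hi = rule.get("from_port") or 0, rule.get("to_port") or 0
        all_proto = rule.get("protocol") == "-1"   # "-1" means every protocol and port
        hit = [p for p in sorted(ADMIN_PORTS) if all_proto or lo <= p <= hi]
        if hit and cidrs & WORLD:
            yield f"ports {hit} open to the internet"

def public_bucket(after):
    """Flag object storage that carries a public canned ACL."""
    if after.get("acl") in ("public-read", "public-read-write"):
        yield f"bucket ACL is {after['acl']}"

# One rule set keyed by resource type: the single source of truth for the policy.
POLICIES = {"aws_security_group": [open_admin_port], "aws_s3_bucket": [public_bucket]}

def evaluate(plan):
    """Return (address, finding) for every violation in the planned state."""
    findings = []
    for rc in plan.get("resource_changes", []):
        # "after" is null for resources being deleted; treat that as nothing to check.
        after = (rc.get("change") or {}).get("after") or {}
        for rule in POLICIES.get(rc["type"], []):
            findings += [(rc["address"], msg) for msg in rule(after)]
    return findings

if __name__ == "__main__":
    for address, msg in evaluate(PLAN):
        print(f"DENY {address}: {msg}")
```

Run as a pipeline stage against the plan output, a non-empty result from `evaluate` is the signal to block the deployment and hand the developer the exact resource address to fix.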
Focus on measurement and process improvement
Cloud security is less about intrusion detection and monitoring networks for nefarious activities and more about improving cloud security processes to prevent exploits from happening.
Successful cloud teams continually assess the risk of their environment and the productivity of developers and security teams, which must improve as manual and error-prone tasks are automated.
Regarding cloud security, developers are in the best position to secure their code before deployment, keep its integrity secure during execution, and better understand the specific places to provide patches in the code.
But they are also error-prone humans operating in a world of constant experimentation and failure. Automation built into PaC eliminates the risk of human error by automating the process of constantly finding and detecting errors before they are deployed.
Organizations that take a developer-first approach to cloud security will innovate faster and more securely than their competitors.