    Why is Cloud Security In The Hands of Developers

    By Usama Amin on November 2, 2022 Cloud Security

    Developer-first security is the future in the cloud. After all, the responsibility for cloud security rests with developers and DevOps teams, not IT security.

    In the days of the on-premises data center and early cloud adoption, the application developer, infrastructure operations, and security roles were largely siloed. In the cloud, this division of labor lengthens time to market for innovation, reduces productivity, and invites unnecessary risk.

    In a data center environment, developers create software applications, IT teams create the infrastructure needed to run those applications, and security teams ensure that applications and infrastructure are secure.

    However, developers must build software within the constraints of the underlying infrastructure and operating systems, and security processes dictate how fast everyone can go.

    So, when security discovers a vulnerability in production, the remediation process typically involves all stakeholders—and considerable rework.

    Cloud security disruption and the role of developers

    By freeing teams from the physical constraints of the data center, the cloud is bringing about the most significant shift in the IT industry in decades.

    But it took years for organizations to start unlocking the true potential of the cloud as a platform for building and running applications rather than using it as a platform for hosting third-party or data center-migrated applications.

    When the cloud is used simply as a “remote data center,” the classic division of labor is transferred, and much of the cloud’s potential is not realized.

    But the shift to using the cloud as a platform to build and run applications is disrupting security in profound ways.

    From a cloud customer perspective, platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud are 100% software, and developers are now programming the creation and management of their cloud infrastructure as an integral part of their applications.

    This means that developers are designing their cloud architecture, configuring critical security settings, and then constantly changing them.

    An opportunity for organizations

    This shift represents a massive opportunity for organizations operating in highly competitive industries because application and cloud teams can innovate much faster than in a data center.

    But it presents a severe challenge for teams that need to secure increasingly complex and highly dynamic cloud environments.

    An effective way to address cloud security today is to empower developers who build and operate in the cloud with tools that help them move forward with security.

    Failing to do so makes security the limiting factor in how quickly teams can enter the cloud and how successful digital transformation can be.

    To understand what it means to empower developers in cloud security, we need to define what we mean by the developer. It’s a broad umbrella covering several different roles, including:

    • Application developers who build in the cloud and leverage native cloud services as integral components of the application. In this model, the boundary between application and infrastructure is arbitrary and fuzzy, if not disappearing altogether.
    • Cloud engineers (i.e., DevOps) who use infrastructure as code (IaC) to program the configuration, deployment, and management of cloud infrastructure environments and deliver that infrastructure to application developers.
    • Cloud security engineers who use policy as code (PaC) to express security and compliance policies in a language other applications can use to automatically validate security, and who supply these PaC libraries to teams across the organization.

    Regardless of their job descriptions, developers control their cloud computing infrastructure because the cloud is entirely software-defined.

    When they build apps in the cloud, they also create the infrastructure for the apps using IaC, and developers own that process.

    Cloud Security policy and compliance as code

    This means that the internet security team’s role has evolved to become that of the domain expert who imparts knowledge and rules to developers to ensure they work in a secure environment.

    Instead of expressing these rules in human language for others to understand and interpret, they use PaC, which checks other code and running environments for unwanted conditions.

    PaC empowers all cloud stakeholders to operate securely without ambiguity or disagreement about the rules and how to apply them at both ends of the software development lifecycle (SDLC).

    Organizations that understand security in the cloud advocate adopting the DevSecOps model and allow developers to ensure the safety of applications after deployment.

    IDC predicts that an increasing number of developers (over 43 million by 2025) will be fully responsible for their code’s ongoing performance and security once it is running.

    For some time, applications have involved an SDLC that includes building, testing, deployment, and monitoring phases.

    The “shift left” movement in application security has generated significant ROI in speed, productivity, and security because it is easier, faster, and safer to fix problems early in the lifecycle.

    With the adoption of IaC, cloud infrastructure now has its own SDLC, meaning that cloud security can and should be addressed in the pre-deployment phases.

    Lack of security in the developer’s configuration

    The main concern with cloud security is misconfiguration, but it is essential to recognize what misconfiguration means on the developers' side.

    It is anything in your cloud environment that proves to be ineffective in stopping a hacker. We are most familiar with the single-resource misconfigurations that are often highlighted in news coverage of cloud breaches, such as leaving a dangerous port open or allowing public access to an object storage service.

    But misconfiguration can also apply to the entire environment: the architectural vulnerabilities that give attackers the power to discover, move and extract data.

    Every major cloud breach involves exploiting these design flaws in cloud environments — or compromising the control plane.

    The control plane is the API surface used to configure and operate the cloud. For example, you can use the control plane to build a container, modify a network route, and gain access to data in databases or database snapshots.

    (Accessing snapshots is more popular with hackers than hacking live production databases.) In other words, the API control plane is the collection of APIs used to configure and operate the cloud.

    The role of APIs

    APIs power cloud computing. They eliminate the need for a fixed IT architecture in a centralized data center.

    The APIs also mean that attackers don’t have to respect the arbitrary boundaries companies set around the systems and data stores in their on-premises data centers.

    While identifying and correcting misconfigurations is a priority, it is essential to understand that misconfigurations are only a means to an attacker’s goal: control plane compromise.

    This has played a central role in every significant breach in the cloud to date.

    Empowering developers to secure the cloud

    Enabling developers to find and fix cloud misconfigurations when developing IaC is critical, but equally important is providing them with the tools they need to design a cloud architecture that is inherently secure against today’s control plane compromise attacks.

    There are five steps any organization can take to effectively enable developers to operate securely in the cloud:

    Understand your cloud and SDLC environment

    Cloud Security teams must embed engineers into the Applications and DevOps teams to understand everything that is running, how it is configured, how it is developed and deployed, and changes as they happen.

    You must know which applications are associated with cloud resources, any data, and how they are used.

    Think Like a Hacker to Identify Control Plane Compromise Risks

    Prioritize secure design and avoid misconfigurations. Once a control plane compromise attack is in progress, it is often too late to stop.

    Adequate security in the cloud requires preventing the conditions that make these attacks possible.

    Build security across the cloud SDLC to detect misconfigurations before they are deployed and focus on designing inherently secure environment architectures.

    Empower developers with tools that guide them through security

    Developers are moving fast, and any security tool needs to work the way they do if we expect adoption without impacting speed.

    Cloud security tools should provide developers with helpful, actionable feedback on security issues and how to quickly fix them so they can get on with their work.

    Adopt policy as code for cloud security

    PaC helps security teams scale their efforts with the resources at their disposal, empowering all cloud players to operate securely without ambiguity or disagreement about the rules and how they should be enforced.

    It aligns all teams under a single source of truth for policy, eliminates human error in interpreting and enforcing policy, and enables cloud security automation (assessment, enforcement, etc.) at every step of the SDLC.
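
    The policy-as-code approach described above, as an added example (not from the original article): two rules check a Terraform plan, in the `resource_changes` layout printed by `terraform show -json`, for the misconfigurations the article names, a risky port open to the internet and a publicly readable storage bucket. The rule names, the port list and the sample plan are assumptions made for illustration.

```python
# Added example; SAMPLE_PLAN is constructed, shaped like `terraform show -json` output.
RISKY_PORTS = {22, 3389, 5432}        # assumption: ports this org never exposes publicly
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write"}

def open_port_rule(res):
    """Flag security-group ingress exposing a risky port to the internet."""
    if res["type"] != "aws_security_group":
        return
    for rule in res["change"]["after"].get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if not cidrs & PUBLIC_CIDRS:
            continue
        all_ports = rule.get("protocol") == "-1"   # "-1" means every protocol and port
        for port in sorted(RISKY_PORTS):
            if all_ports or rule["from_port"] <= port <= rule["to_port"]:
                yield f"{res['address']}: port {port} open to the internet"

def public_bucket_rule(res):
    """Flag object-storage ACLs that grant public access."""
    acl = res["change"]["after"].get("acl")
    if res["type"] == "aws_s3_bucket_acl" and acl in PUBLIC_ACLS:
        yield f"{res['address']}: bucket ACL '{acl}' is public"

RULES = [open_port_rule, public_bucket_rule]

def evaluate(plan):
    """Return violations for every resource the plan would create or update."""
    findings = []
    for res in plan.get("resource_changes", []):
        if res["change"].get("after") is None:
            continue                      # pure delete: nothing will be deployed
        for rule in RULES:
            findings.extend(rule(res))
    return findings

SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
         {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
    {"address": "aws_security_group.old", "type": "aws_security_group",
     "change": {"actions": ["delete"], "after": None}}]}

if __name__ == "__main__":
    results = evaluate(SAMPLE_PLAN)
    raise SystemExit("\n".join(results) if results else 0)   # non-zero exit fails the CI job
```

    Run as a pipeline step before deployment, the non-zero exit blocks the change and the printed findings tell the developer which resource to fix.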

    Focus on measurement and process improvement

    Cloud security is less about intrusion detection and monitoring networks for nefarious activities and more about improving cloud security processes to prevent exploits from happening.

    Successful cloud teams continually assess the risk of their environment and the productivity of developers and security teams, which must improve as manual and error-prone tasks are automated.

    Regarding cloud security, developers are in the best position to secure their code before deployment, keep its integrity secure during execution, and better understand the specific places to provide patches in the code.

    But they are also error-prone humans operating in a world of constant experimentation and failure. Automation built into PaC eliminates the risk of human error by automating the process of constantly finding and detecting errors before they are deployed.

    Organizations that take a developer-first approach to cloud security will innovate faster and more securely than their competitors.

    Usama Amin

    Usama Amin is a Security blogger focusing on Cyber Security, Cloud Security, and IoT. He has worked as SR. Security Consultant for more than 10 years for industry-leading IT companies. James' experience also includes working as a legal expert witness for Cyber management. He writes about industry technology trends and best practices. He incorporates his views and his many years of experience to provide unique technology advice for people that manage and support Cyber solutions.
