Driving Value in the Cloud: Standardizing and Automating Cloud Application Security

As companies continue to migrate their assets to the cloud, many struggle to realize the benefits that cloud services offer, such as increased innovation, agility, and resilience. Cloud security plays a large role in this problem, due to the constantly evolving threat landscape and sheer amount of security solutions offered across the market — placing the onus of security on customers.

Mature cloud security operations are key to driving value for cloud-first organizations, but most fail to craft a holistic strategy that drives the transformation of people and processes in alignment with changing technologies.

Assessing the challenge

Complexity is at the heart of the problem, with fragmented cloud operations overwhelming the teams responsible for executing security activities. Common missteps usually take place early in ideation and design, and ‘snowball’ across the cloud development lifecycle.

The challenges inherent in the cloud development lifecycle can be illustrated across three phases.

The principle of ‘shift security left’ is more important than ever when deploying to the cloud. Some organizations can require up to 100 days to complete pre-build processes, and often still face challenges in build and monitor. Security requirement identification, risk assessment, and design approval grow increasingly fragmented as teams are forced to ‘reinvent the wheel’ for each new or changed application. Rework and duplication cause delays for security stakeholders and high costs for organizations.

Embracing a paradigm shift

Inflating costs and complexity associated with cloud operations have sparked the shift towards automation through Infrastructure as Code (IaC). In recent years, IaC has become accepted as the gold standard for securing cloud workloads and mitigating many of these security challenges by enabling the secure storage and versioning of reusable cloud infrastructure. This in turn improves developer productivity through improved collaboration, scalability, and automated reporting.

Both cloud service providers and highly regulated entities have rushed to embrace this approach: in 2021, the Department of Defense published its customer-facing, secure IaC repositories, playbooks, and hardened container images, while in recent months Amazon released a library of code templates to support the implementation of secure reference architectures in AWS environments.

While IaC presents a clear opportunity to realize the benefits of the cloud, there are no shortcuts. Automation relies on mature, standardized and measurable processes that are implemented with rules, as well as people who are willing and able to support them.

Defining a new solution

Our approach to transforming secure cloud operations considers security processes within and across each phase of the cloud development lifecycle to systematically unlock efficiencies down the value chain.

Maximum value is realized through the transformation of pre-build processes, resulting in the ability to automate build and monitor. We have designed a self-optimizing solution that takes advantage of technical synergies across an enterprise application portfolio to deliver accelerated paths to deployment through pre-approvals and reusable artifacts and recommend four main steps:

1. Define application security archetypes. The first step involves grouping applications into application “archetypes,” by identifying attributes or specifications that are likely to result in common security requirements based on risk profile and business context. Alignment with a common framework, such as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).

2. Identify in-scope controls and define security requirements. Once an archetype has been defined, security teams can identify in-scope security controls for the group of applications. This requires an understanding of the various attributes and implications to identify in-scope security and privacy controls from relevant laws, regulations, and frameworks. Teams then map existing policies and define organization-specific requirements to infuse context.

3. Draft security patterns. Security teams must draft security ‘patterns’ against in-scope controls and requirements. Security patterns enhance security requirements through translation into actionable descriptions that are intuitive for developers. Patterns must be written to a level of specificity that enables automation in the build phase, such as through IaC.

4. Pre-approve security plan. The comprehensive list of security requirements and patterns for a given application archetype comprises the security plan. Owners of the security plan may circulate the requirements and patterns for approval through standard processes, such as across various assessment teams and including security engineers to validate the actionability of patterns. Large organizations may seek approvals from a variety of experts and assessors, such as those involved with identity, business continuity, legal affairs, human resources, and more. Each expert or team engaged is instrumental in ensuring the plan is sufficient to enable an accelerated path to development.

This pre-build process solution can be enhanced even further by designing a centralized, automated cloud intake tool to match a common application’s attributes to a security archetype. Product owners that input the new or changed application attributes receive a set of applicable and standardized controls, requirements, and security patterns.

Building an inventory

At the end of this pre-build process, organizations achieve an established, reusable security plan by which applications can accelerate through design and approval processes. As the number of pre-approved security plans grows, the number of accelerated paths to ‘build’ increase, crystallizing the value proposition of the self-optimizing process.

Then organizations must consider build and monitor processes. A similar principle can be applied to the ‘build’ phase through the automation of security patterns, and subsequent reuse of secure IaC, which scale to enable faster deployments over time. Once an application reaches ‘monitor,’ these standardized architectures allow for seamless continuous monitoring and improved audit and reporting activities. Organizations that prioritize the buildout of these repositories realize a future-proofed solution with increased cyber resilience and speed to value for app development.

Last — and certainly not least — organizations must redesign their cloud operating models to align people with process and open channels of communication across the cloud development lifecycle. Embracing new ways of working and ongoing innovation are critical to achieving ever increasing deployment speeds, reduced developer time and transformational results overall.