The journey to cloud security requires a perspective change from DevOps to DevSecOps

Cloud computing is core to digitalization and modernization initiatives. Its agility, scalability and flexibility help IT organizations address business transformation initiatives more quickly. The cloud provides fast and convenient access to the services needed to serve any industry working in today’s fast-paced, on-demand world.

Today, business leaders are increasingly relying on Infrastructure-as-a-service (IaaS) providers to enable digital transformation strategies in order to keep a competitive edge in global markets. Nearly every enterprise is running business-critical applications in the cloud as part of a digital transformation initiative.

However, because the cloud computing market isn’t as mature as traditional on-premises data centers, the security and risk standards for cloud security are still being defined or don’t exist. What’s more, the elastic nature of cloud computing enables developers to build and test code faster. Untethered from traditional IT operations, the responsibility of ensuring the least privilege principle has shifted to less security and risk-savvy teams. As a result, DevSecOps is now becoming top-of-mind for organizations managing infrastructure and services in the cloud.

Organizations must adopt a governance mindset focused on the intersections where people, devices and automated IT services access the systems used to deliver business processes.

Insufficient control policies can lead to Separation of Duty violations or data leaks, and code misconfigurations can lead to high-risk transaction errors. The traditional infrastructure’s data security methods for protecting on-premises assets, data and workloads cannot be applied in the same manner to IaaS environments.

Recent statistics show that as many as 7% of all AWS S3 Buckets are completely publicly accessible without any authentication and 35% are unencrypted. These incidents from the past six months demonstrate that many high-value data stores are at risk in Cloud environments.

LA County – May 2018

  • Risk Exposed: 3.5 million calls and a substantial amount of personally identifiable information.
  • Overview: The nonprofit organization that operates Los Angeles County’s social services hotline inadvertently exposed personal information that was stored online, according to county officials and a private security firm that discovered the vulnerability.

Open Memcached Server Exploit – March 2018

  • Risk Exposed: 95,000 Servers Vulnerable to Abuse
  • Overview: A massive 1.7 Tbps reflection/amplification attack exploited open Memcached servers to launch massive distributed denial-of-service attacks.

FedEx – February 2018

  • Risk Exposed: Private info on thousands of FedEx customers, including 19,000 scanned documents such as passports, driver’s licenses and security IDs.
  • Overview: An open S3 server belonging to Bongo International, a company FedEx purchased in 2014 and which became part of the shipping firm’s now-shuttered FedEx CrossBorder service.

DevOps processes have significantly impacted the ways in which organizations build and deploy cloud-based infrastructure and software services. The elastic, flexible and on-demand nature of cloud computing makes it simple to spin up a robust and fully functioning workload.

The problem is that the rapid pace of business today requires the ability to swiftly deploy workloads, resulting in a massive number of nonsecure workloads. This brings to light the mindset that IT operations and application owners need to develop and deliver transactional services that are secure and compliant.

With this change in methodology, security and compliance controls need to be implemented much sooner in the path to production. We applaud the efforts from cloud providers like AWS, Microsoft and Google for calling attention to, and fostering, a shared responsibility model. Security, as a practice and as a mindset, can prepare the industry for the next evolution of digital transformation. The current rate of data leaks and breaches from misconfigurations continues to cost organizations millions each year in paid consulting services and failed audits.

It doesn’t need to be this way. Saviynt focuses on listening to our customers’ use cases and their risk viewpoint. Then, we address their challenges by identifying and implementing the risk and compliance controls they require as a cloud-based solution that can also unveil areas of potential risk so the experts (our customers) can make informed decisions.

Amie Johnson

About author

Amie Johnson covers messaging strategy for Saviynt. Her tech career includes a mix of roles and technologies, from PR to Product Marketing and from Mainframe software development to identity and access governance. She specializes in turning complex technical ideas into simple stories worth sharing at a dinner party.