A guide for CIOs, CISOs and security professionals looking to shift security left.
Public cloud services have become a critical component of most enterprise technology infrastructure because of the development agility and cost benefits they offer. The growing popularity of cloud computing has also increased system complexity, contributing to a new threat landscape in which even the smallest misconfiguration can result in an unanticipated vulnerability and a devastating data breach.
While organizations have successfully adopted DevOps methodologies to take full advantage of the cloud’s elasticity and rapid Software Development Lifecycle (SDLC), most have failed to take a commensurate approach with security.
Such organizations may resign themselves to the adage stating “the price of speed is security,” often leaving development team leaders struggling to implement repeatable processes that enable developers of varying skill levels to efficiently find and fix vulnerabilities. However, there is no need to sacrifice security posture for DevOps results. It is possible to adopt a DevSecOps methodology to combat the new challenges arising from the cloud.
In this guide, we will examine the evolving cloud threat landscape, define the DevSecOps methodology, and provide solutions that leverage a CSPM in order to seamlessly shift security left.
What is DevOps and Why is it Causing Issues for Enterprise Security?
Before we define DevSecOps and its related benefits and implementation strategies, let’s revisit the common understanding of what DevOps really means.
“DevOps”, coined in 2009 by Patrick Debois, is a “culture” in which Development and Operations teams work closely with each other to shorten the SDLC. It is characterized by rapid feedback loops and respective iterations. The foundation of DevOps lies in the principles of continuous testing and automation.
DevOps represents a change in IT culture, focusing on rapid IT service delivery through the adoption of agile, lean practices in the context of a system-oriented approach. DevOps emphasizes people (and culture), and it seeks to improve collaboration between operations and development teams. DevOps implementations utilize technology — especially automation tools that can leverage an increasingly programmable and dynamic infrastructure from a life cycle perspective.
Previously, companies often felt like they had to choose between quickly delivering new features and changes at the expense of a stable production environment versus a stable environment that reeked of stagnation. The DevOps methodology was created to satisfy executives’ demand for stable solutions that can consistently meet new customer demands as well as keep pace with emerging market trends.
DevOps achieves this by integrating all parties associated with development and deployment into a single unit. The diagram below is a useful representation of the DevOps cycle and its different stages.
Key Challenges with DevOps in the Cloud
The Need for Speed
As this shift to DevOps placed a greater emphasis on speed and rapid iterations, it relegated traditional security tools to the digital dustbin. They were rendered too slow and cumbersome for teams attempting to enforce security at speeds similar to this new SDLC. While this issue is significant for all enterprises regardless of their technology stack, it is particularly critical for those utilizing multi-cloud infrastructure, as it is increasingly difficult to identify and remediate security incidents.
The gap between DevOps and Security is further widened by conflicting goals. While developers are focused on fast releases and agility, security processes are geared towards auditing and logging. Legacy security practices require DevOps teams to manually enforce consistent security and compliance controls across dynamic, opaque, multi-cloud environments at the end of the SDLC, causing bottlenecks and setbacks. While these practices may have been sufficient to secure on-prem data centers, the fluidity of cloud ecosystems requires continuous security and monitoring from inception. The speed of changes to public cloud infrastructure often causes an organization’s security and compliance posture to change radically in as little as 24 hours.
According to McAfee, nearly 92% of enterprises currently use multiple cloud service providers (CSPs) and experience ~3,500 misconfigurations each month. The number of people in the modern enterprise making changes to cloud infrastructures, and the related speed at which these changes take place, leaves cloud workloads extremely vulnerable to misconfigurations.
Below are a few recent examples of simple misconfigurations that resulted in tremendous data breaches:
Veeam: A Swiss-based data company misconfigured a MongoDB hosted on AWS that did not require any password to access, exposing 445 million records.
Facebook Cultura Colectiva: A misconfigured AWS S3 bucket containing Facebook user data was publicly accessible, exposing 540 million records.
Ascension Data & Analytics: A misconfigured Elasticsearch database with ten plus years of data containing 24 million financial and banking documents was not password protected.
Rubrik: A misconfigured AWS-hosted Elasticsearch server was not configured to require a password, exposing “tens of gigabytes of data, including customer names, contact information and case work for each corporate customer.”
Capital One: A web application firewall (WAF) running in AWS with over-privileged IAM credentials allowed an intruder to exfiltrate data from critical backend resources. The reported exposure included 140,000 Social Security numbers, 80,000 linked bank account numbers, and 1,000,000 Social Insurance numbers.
LA-based non-profit: A misconfigured AWS S3 bucket containing personally identifiable information, including Social Security numbers, was publicly accessible to everyone on the internet. The incident was estimated to have exposed 3.5 million records.
Imperva: An internal system containing an unencrypted AWS API key was left publicly accessible to the internet. An intruder used the API key to access and exfiltrate data from an Imperva AWS RDS instance. The total size of the exposure is unknown.
As enterprises deploy more services in the public cloud, DevOps teams are inheriting environments to which they have unlimited access while lacking the visibility and controls to properly monitor them. Although the DevOps methodology has unified development and operations processes, security often becomes an afterthought.
The New Threat: Cloud-Native Data Breaches
The routine occurrence of the aforementioned cloud misconfigurations has given rise to a new, less complex technique of data exploitation: Cloud-Native Breaches (CNB).
A series of actions by an adversarial actor in which they ‘Land’ their attack by exploiting errors or vulnerabilities in a cloud deployment without using malware, ‘Expand’ their access through weakly configured or protected interfaces to locate valuable data, and ‘Exfiltrate’ that data to their own storage location.
Consider the following example of a cloud-native data breach on AWS:
“Land” the attack by exploiting a vulnerability. For example, leverage a security group with misconfigured ingress/egress permissions.
“Expand” by exploiting poorly protected applications and databases or weak network controls.
“Exfiltrate” the data by copying it to external nodes or remote servers outside of the VPC.
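The three stages above leave a trail in the cloud provider's audit log, and a detection that correlates them per principal is far more specific than alerting on any one of them alone. The following is an added example, not code from the guide or from any product: it parses CloudTrail-style records (field names follow the CloudTrail schema, but the events, IPs, ARNs and IDs are constructed for the example), classifies each record as a Land (security group opened to 0.0.0.0/0), Expand (enumeration call) or Exfiltrate (EBS snapshot shared with a foreign account) step, and reports a finding only when one principal performs all three in order inside a time window. The account ID, the call list and the one-hour window are assumptions to be tuned for a real environment.

```python
"""Correlate CloudTrail-style events into the Land / Expand / Exfiltrate chain."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON record per line (not real log data).
SAMPLE_EVENTS = r"""
{"eventTime":"2020-03-01T09:58:00Z","eventName":"AuthorizeSecurityGroupIngress","sourceIPAddress":"198.51.100.20","userIdentity":{"arn":"arn:aws:iam::111122223333:user/attacker-key"},"requestParameters":{"groupId":"sg-0a1b2c","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
{"eventTime":"2020-03-01T10:02:00Z","eventName":"DescribeDBInstances","sourceIPAddress":"198.51.100.20","userIdentity":{"arn":"arn:aws:iam::111122223333:user/attacker-key"},"requestParameters":null}
{"eventTime":"2020-03-01T10:03:00Z","eventName":"DescribeSnapshots","sourceIPAddress":"198.51.100.20","userIdentity":{"arn":"arn:aws:iam::111122223333:user/attacker-key"},"requestParameters":{"ownerSet":{"items":[{"owner":"self"}]}}}
{"eventTime":"2020-03-01T10:15:00Z","eventName":"ModifySnapshotAttribute","sourceIPAddress":"198.51.100.20","userIdentity":{"arn":"arn:aws:iam::111122223333:user/attacker-key"},"requestParameters":{"snapshotId":"snap-0deadbeef","attributeType":"CREATE_VOLUME_PERMISSION","createVolumePermission":{"add":{"items":[{"userId":"999999999999"}]}}}}
{"eventTime":"2020-03-01T11:00:00Z","eventName":"DescribeDBInstances","sourceIPAddress":"203.0.113.5","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-engineer"},"requestParameters":null}
{"eventTime":"2020-03-01T11:01:00Z","eventName":"AuthorizeSecurityGroupIngress","sourceIPAddress":"203.0.113.5","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-engineer"},"requestParameters":{"groupId":"sg-0ffice","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":443,"toPort":443,"ipRanges":{"items":[{"cidrIp":"203.0.113.0/24"}]}}]}}}
"""

OWN_ACCOUNT = "111122223333"   # assumed: the account whose trail is being read
WINDOW = timedelta(hours=1)    # assumed: maximum spread of one chain
ENUMERATION_CALLS = {"DescribeDBInstances", "DescribeSnapshots", "ListBuckets",
                     "ListSecrets", "GetCallerIdentity"}


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_world_open_ingress(ev):
    """Land: a security-group rule opened to the whole internet (IPv4 or IPv6)."""
    if ev["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    params = ev.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
        for rng in perm.get("ipv6Ranges", {}).get("items", []):
            if rng.get("cidrIpv6") == "::/0":
                return True
    return False


def is_snapshot_shared_externally(ev):
    """Exfiltrate: an EBS snapshot made restorable by another account or by everyone."""
    if ev["eventName"] != "ModifySnapshotAttribute":
        return False
    params = ev.get("requestParameters") or {}
    added = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
    return any(item.get("group") == "all" or item.get("userId") not in (None, OWN_ACCOUNT)
               for item in added)


def stage_of(ev):
    if is_world_open_ingress(ev):
        return "land"
    if is_snapshot_shared_externally(ev):
        return "exfiltrate"
    if ev["eventName"] in ENUMERATION_CALLS:
        return "expand"
    return None


def find_chains(events):
    """One finding per principal whose events go land -> expand -> exfiltrate within WINDOW."""
    by_actor = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_actor[ev["userIdentity"]["arn"]].append((ts, stage, ev["eventName"]))
    findings = []
    for actor, items in by_actor.items():
        items.sort()
        for i, (t_land, stage, _) in enumerate(items):
            if stage != "land":
                continue
            seen_expand = False
            for t, later_stage, name in items[i + 1:]:
                if t - t_land > WINDOW:
                    break
                if later_stage == "expand":
                    seen_expand = True
                elif later_stage == "exfiltrate" and seen_expand:
                    findings.append({"actor": actor, "land": t_land.isoformat(),
                                     "exfiltrate": t.isoformat(), "via": name})
                    break
    return findings


if __name__ == "__main__":
    for f in find_chains(parse_events(SAMPLE_EVENTS)):
        print(f"cloud-native breach pattern: {f}")
```

Run against the constructed sample, only the `attacker-key` principal produces a finding; the `ops-engineer` rule scoped to an office CIDR never qualifies as a Land step, so its enumeration call alone stays silent. Keying the correlation on the principal ARN rather than the source IP matters because the exfiltration step is often performed with stolen credentials from a different host.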
Many of the aforementioned misconfigurations can be attributed to a variety of issues such as organizational communication issues or inadequate policy awareness. But, fundamentally, the majority of these misconfigurations have the same cause: Human Error.
Gartner goes as far to say that,
Through 2023, at least 99% of cloud security failures will be the customer’s fault.
Ironically then, the bulk of misconfigurations find their roots in the same soil that attracted enterprises to the cloud in the first place: radically increased development speed.
The same cloud environment that enables DevOps teams to automate the creation and management of cloud resources at scale (via tooling like Infrastructure-as-Code (IaC)) also allows misconfigurations to be automated and introduced at the same rate.
Common cloud security misconfigurations include:
Inactive data encryption controls
Unrestricted access controls
Inadequate, or excessive, use of identity and access management (IAM) roles
Weak password management policies
Disabled audit logs
Lack of Multi-Factor Authentication (MFA)
Publicly accessible data repositories
In order to combat these challenges, organizations must shift security practices “left” in the modern enterprise SDLC.
Enterprises can prevent CNBs by eliminating the footholds an actor can leverage to “Land” their attack via auditing their IaC at the beginning of the CI/CD pipeline and minimize damage in the event of a compromise by continuously monitoring their infrastructure for security misconfigurations.
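Auditing IaC before it reaches the apply stage is the concrete form of "shifting left" above. The block below is an added example of such a gate, not code from the guide or from any CSPM product: it evaluates the JSON that `terraform show -json tfplan` emits against a handful of the misconfigurations listed earlier (public bucket ACL, administrative ports open to the internet, publicly reachable or unencrypted RDS, disabled CloudTrail logging) and exits non-zero when a high-severity finding exists. The plan fragment is constructed by hand to exercise the checks; the severity levels and port list are assumptions.

```python
"""Policy-as-code gate over a Terraform plan, run in CI before `terraform apply`."""
import json
import sys

# Constructed plan fragment in `terraform show -json` shape (not a real plan).
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.reports", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "acme-reports", "acl": "public-read"}}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}},
        {"address": "aws_db_instance.customers", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after": {"publicly_accessible": True, "storage_encrypted": False}}},
        {"address": "aws_ebs_volume.old", "type": "aws_ebs_volume",
         "change": {"actions": ["delete"], "before": {"encrypted": False}, "after": None}},
        {"address": "aws_cloudtrail.main", "type": "aws_cloudtrail",
         "change": {"actions": ["update"], "after": {"enable_logging": False, "is_multi_region_trail": True}}},
    ]
})

ADMIN_PORTS = {22, 3389}            # assumed: ports that must never be world-reachable
WORLD = {"0.0.0.0/0", "::/0"}


def check_s3(addr, cfg):
    if cfg.get("acl") in ("public-read", "public-read-write", "authenticated-read"):
        yield addr, "HIGH", "bucket ACL grants access to everyone"


def check_sg(addr, cfg):
    for rule in cfg.get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if not (cidrs & WORLD):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        # protocol "-1" means all protocols/ports in Terraform's AWS provider
        if rule.get("protocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
            yield addr, "HIGH", f"ingress {lo}-{hi} open to the internet"
        else:
            yield addr, "MEDIUM", f"ingress {lo}-{hi} open to the internet"


def check_db(addr, cfg):
    if cfg.get("publicly_accessible"):
        yield addr, "HIGH", "RDS instance reachable from the internet"
    if not cfg.get("storage_encrypted"):
        yield addr, "MEDIUM", "RDS storage not encrypted at rest"


def check_cloudtrail(addr, cfg):
    if cfg.get("enable_logging") is False:
        yield addr, "HIGH", "audit logging disabled"


CHECKS = {"aws_s3_bucket": check_s3, "aws_security_group": check_sg,
          "aws_db_instance": check_db, "aws_cloudtrail": check_cloudtrail}


def evaluate_plan(plan_json):
    """Return (address, severity, message) for every violation in resources that exist after apply."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if "delete" in change.get("actions", []) and change.get("after") is None:
            continue  # resource is being destroyed; nothing to secure
        check = CHECKS.get(rc["type"])
        if check:
            findings.extend(check(rc["address"], change.get("after") or {}))
    return findings


def gate(plan_json, fail_on=frozenset({"HIGH"})):
    """CI entry point: a non-zero return blocks the apply stage."""
    findings = evaluate_plan(plan_json)
    for addr, sev, msg in findings:
        print(f"[{sev}] {addr}: {msg}")
    return 1 if any(sev in fail_on for _, sev, _ in findings) else 0


if __name__ == "__main__":
    plan = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(plan))
```

In a pipeline the invocation is `terraform plan -out tfplan && terraform show -json tfplan | python check_plan.py`, placed before the apply job. Evaluating the `after` state rather than the HCL source means modules, variables and computed values have already been resolved, which is where hand-written HCL linters tend to miss things.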
This journey begins by adopting a DevSecOps approach.
Enter DevSecOps: The Price of Speed Does Not Have to be Security
What is DevSecOps?
DevSecOps goes one step beyond DevOps, integrating security practices within existing DevOps practices to facilitate a proactive approach to cloud security.
DevSecOps leverages security as code and infrastructure as code (IaC) to prioritize both secure development and speed, effectively baking security into the entire CI/CD pipeline. While DevOps and DevSecOps share the same cycle, DevSecOps can be thought of as “shifting security left,” enabling rapid identification and remediation of security issues.
DevSecOps is the integration of security into emerging agile IT and DevOps development as seamlessly and as transparently as possible. Ideally, this is done without reducing the agility or speed of developers or requiring them to leave their development toolchain environment.
Characteristics of DevSecOps in Practice:
Security Automation - Building automated security into the tools that already exist in the DevOps pipeline to continuously test at every stage of development.
Shifting Security Left - DevSecOps leverages practices like static code analysis and the principles of “secure by design” to enforce security policies at the beginning of the CI/CD pipeline.
Clear, Unified Security Objectives - DevSecOps enables everyone involved in the DevOps cycle to clearly understand what is allowed and what is not. Security is everyone's responsibility and vigilance is never ending.
So What? Who Cares?
Implementing a DevSecOps approach allows cloud-based organizations already using DevOps to implement a proactive, strategic, and comprehensive security strategy. Aside from the obvious security benefits, DevSecOps can also boost productivity and efficiency in key areas by increasing deployment speeds through the automation of formerly tedious processes for developers. In addition, DevSecOps often reduces the legal and financial liabilities related to regulatory compliance.
Top Benefits of DevSecOps:
Early Incident Detection - Detecting and remediating security incidents early in the CI/CD pipeline reduces costs and increases the speed of delivery.
Improved Communication - Supports openness and transparency throughout the SDLC.
Security at Scale - Embedding security into the entire CI/CD pipeline results in the “secure by design” principle, improving overall organizational security and simplifying security at scale.
Enhanced compliance - The use of automated, continuous monitoring tools eliminates the need for legacy fire drill audit sprints.
How to Achieve the DevSecOps Transformation
Attempting to implement or change organizational culture is often difficult. At first glance, transitioning from DevOps to DevSecOps may appear daunting due to the natural friction existing between DevOps and Security teams. There are pathways for successful implementation, however.
There is no step-by-step guide to a successful DevSecOps transformation. Ultimately the CIO or CISO must perform a comprehensive evaluation of the existing IT infrastructure and DevOps process to determine what additional resources are required to enforce a holistic security policy.
While conducting such an analysis, they should:
Formulate a clear, all-inclusive security policy - This policy should be easy to communicate to everyone within the organization and take into account what industry standards and regulations they are required to comply with.
Automate wherever possible - A successful DevSecOps approach automates as many processes as possible to remove friction between development, operations, and security teams.
Educate and train employees - In order to make DevSecOps successful within your organization, Developers and Security teams need to understand what is happening on the other’s team. Education can help each party appreciate the new procedures, create cross-functional team members, and in turn reduce errors.
Although one cannot purchase DevSecOps, equipping your team with the proper tools is paramount. The shortage of qualified DevSecOps engineers has only exacerbated the criticality of this issue.
What can be done to fill this often unmet need?
Enter Cloud Security Posture Management (CSPM). Enterprises can leverage an intelligent CSPM to automate and assist in securing the CI/CD pipeline. A CSPM can serve as the foundation of the enterprise DevSecOps strategy, allowing the DevSecOps team to do more, with less.
Leverage Cloud Security Posture Management to Shift Security Left
CSPM offerings continuously manage cloud risk through the prevention, detection, response and prediction of where excessive cloud infrastructure risk resides based on common frameworks, regulatory requirements and enterprise policies.
In this guide we will focus on the CSPM features most pertinent to facilitating a DevSecOps transformation. If you wish to dive deeper into what a CSPM is, refer to the linked CSPM guide.
How SECBERUS Can Help
SECBERUS Cumulus Cyber-IQ allows DevSecOps teams to enforce strategic multi-cloud, multi-vendor security practices via continuous infrastructure security and compliance assessments across the entire CI/CD cycle.
SECBERUS allows enterprises to prevent cloud misconfigurations from ever reaching production environments by monitoring infrastructure-as-code, enforcing policy-as-code, and integrating into the CI/CD pipeline.
As cloud infrastructure changes and scales, SECBERUS provides DevSecOps teams with mission-critical information so they can spend their time remediating misconfigurations rather than on their most arduous and time-consuming task: investigating alerts.
SECBERUS departs from the traditional, top-down cloud security model in which security and compliance data is segregated at the account and cloud service provider level. SECBERUS infrastructure is built to ingest data from any cloud provider and enable users to run custom rules/policies against any combination of sources to gain a holistic view of their cloud attack surface.
This innovation is described as “Policy-as-a-Service”.
Support the DevSecOps Transformation with Policy-as-a-Service
With Policy-as-a-Service, enterprises can build and implement a fully customized cloud security strategy incorporating any data source and business logic. In the SECBERUS model, users receive cloud-agnostic policies, which can then be connected to any account from any data provider.
For example, a user could assign the SECBERUS PCI policy to accounts in their AWS, GCP, and Azure environments. The user can then monitor all of the relevant resources' PCI posture from a single policy, no matter where they reside.
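The mechanism that makes a single policy portable across providers is normalization: each provider's API response is mapped into a provider-neutral resource model, and policies are written against that model only. The block below is an added example of that idea, not SECBERUS code; the AWS, GCP and Azure records are constructed to resemble the shape of S3 GetBucketAcl/GetBucketPolicy, GCS getIamPolicy and Azure blob-container properties, and the account IDs, bucket names and the Azure `encryptionEnabled` field are assumptions made for the example.

```python
"""One storage-exposure policy evaluated against AWS, GCP and Azure resources."""
from dataclasses import dataclass


@dataclass
class StorageResource:
    """Provider-neutral view that policies are written against."""
    provider: str
    account: str
    name: str
    public: bool
    encrypted: bool


AWS_PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def from_aws(account, bucket):
    """S3: public via a canned-ACL grant or via a bucket policy with a wildcard principal."""
    acl_public = any(g.get("Grantee", {}).get("URI") in AWS_PUBLIC_GRANTEES
                     for g in bucket.get("Grants", []))
    policy = bucket.get("Policy") or {}
    policy_public = any(s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})
                        for s in policy.get("Statement", []))
    return StorageResource("aws", account, bucket["Name"], acl_public or policy_public,
                           bool(bucket.get("ServerSideEncryptionConfiguration")))


def from_gcp(project, bucket):
    """GCS: public via an IAM binding to allUsers/allAuthenticatedUsers.
    GCS always encrypts at rest, so 'encrypted' here means a customer-managed key is set."""
    public = any(m in ("allUsers", "allAuthenticatedUsers")
                 for b in bucket.get("iamPolicy", {}).get("bindings", [])
                 for m in b.get("members", []))
    return StorageResource("gcp", project, bucket["name"], public,
                           "defaultKmsKeyName" in bucket.get("encryption", {}))


def from_azure(subscription, container):
    """Azure blob container: public when access level is Blob or Container.
    'encryptionEnabled' is an assumed field standing in for the account's encryption settings."""
    return StorageResource("azure", subscription, container["name"],
                           container.get("publicAccess", "None") in ("Blob", "Container"),
                           container.get("encryptionEnabled", True))


def policy_no_public_storage(res):
    if res.public:
        return f"{res.provider}:{res.account}:{res.name} is readable by anyone"


def policy_encryption_at_rest(res):
    if not res.encrypted:
        return f"{res.provider}:{res.account}:{res.name} lacks encryption at rest / CMK"


POLICIES = [policy_no_public_storage, policy_encryption_at_rest]


def evaluate(resources, policies=POLICIES):
    """Apply every policy to every normalized resource; return the violation messages."""
    return [msg for r in resources for p in policies if (msg := p(r))]


# Constructed inventory (not real accounts, projects, subscriptions or buckets).
INVENTORY = [
    from_aws("111122223333", {"Name": "acme-reports",
                              "Grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                          "Permission": "READ"}],
                              "ServerSideEncryptionConfiguration": {"Rules": [
                                  {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}),
    from_aws("111122223333", {"Name": "acme-logs", "Grants": [],
                              "Policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                                        "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}}),
    from_gcp("acme-prod", {"name": "acme-public-assets",
                           "iamPolicy": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
                           "encryption": {"defaultKmsKeyName": "projects/acme-prod/locations/us/keyRings/r/cryptoKeys/k"}}),
    from_azure("sub-0001", {"name": "backups", "publicAccess": "Blob", "encryptionEnabled": True}),
    from_azure("sub-0001", {"name": "private", "publicAccess": "None", "encryptionEnabled": True}),
]

if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print(finding)
```

The two policy functions never mention a provider, which is the property the guide is describing: adding a fourth provider means writing one more `from_*` adapter, not touching the policies. The adapters are also where provider semantics are encoded (an S3 bucket can be public through a policy even with a clean ACL, GCS is always encrypted so only key ownership is a choice), so they deserve the same review as the policies themselves.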
Implementing Policy-as-a-Service unifies your security posture, allows for customized security strategies to be implemented and continuously monitored, and saves your DevSecOps team valuable time.
Get Started with SECBERUS, the CSPM for the Modern Enterprise