Micro Focus is now part of OpenText. Learn more >

You are here

You are here

DevSecOps and hybrid cloud: 4 items for your security checklist

public://pictures/lucyk.jpg
Lucy Kerner Security Evangelist and Strategist, Red Hat
 

Cyberattackers are looking for the path of least resistance into enterprise systems and networks. Consider the raft of recent cyberattacks—Kaseya, Colonial Pipeline, SolarWinds, Capital One, Weight Watchers; the list goes on and on. Human error is the common thread. Indeed, Gartner has said that, through 2025, 99% of cloud security-related issues will be the result of human error. Think misconfigurations, compromised (or no) passwords, unpatched systems, and so on.

It’s not that developers and IT pros are purposely neglecting security. Quite the opposite. What’s happening is that everyone is working at a frenetic pace to meet customer demand, while dealing with an evolving computing environment—hybrid cloud, containers, Kubernetes, open-source technologies, and so on—that provides many benefits but also the potential for increased risk.

So, if humans and applications are the weak link in organizations’ security chain, and if organizations depend on its humans and applications, does that mean that no business can ever be secure? Nothing can be completely bulletproof, but there are many things your company can do to establish and maintain a strong security posture.

It's time to lock down your application security practices. Here are four items for your team's checklist.

1. Expand security to data—wherever it is

In many ways, security recommendations today are the same as they were 20-plus years ago: Practice defense in depth, and take a layered approach to security that addresses people, processes, and technology.

However, the combination of hybrid cloud, containers, Kubernetes, and other computing models adds new dimensions and considerations. For example, when it comes to data security, organizations must look at the lifecycle of data across a hybrid environment to secure data at rest, data in motion, and data in action. The CIA triad of confidentiality, integrity, and availability can be applied, but the model must expand to wherever your data lives, whether it’s on premises, in the public cloud, or at the edge. Specifically, look at who has access to the data, whether the data is trustworthy and unmodified, and whether the data is appropriately accessible when needed.

Cloud data protection must be applied at each layer, from cloud images to cloud hosts and the cloud platform. Specifically, this layered data protection should include:

  • Image scanning, signing, and blueprinting
  • Host hardening
  • Platform delegation practices

2. Decide on a software supply chain security strategy

In today’s environment, the security of a single company depends on the security of its software supply chain, especially with the growth of workloads moving to the cloud and developers having more power in the application pipeline and lifecycle.

Not surprisingly, cyberattackers are taking advantage of this shift, and attacks on the software supply chain are increasing. The SolarWinds attack, for example, was the result of malicious code slipped into a “routine” software update.

Unfortunately, there is plenty of room for error. Very few developers are creating code from scratch. With the rise in open source, developers are downloading code from repositories directly off the Internet and bringing that into the organizations’ own software supply chain. Much of the code that’s downloaded off the Internet is not vetted, tested, or curated. A few years ago, for example, 17 tainted Docker containers designed to mine cryptocurrencies were downloaded 5 million times from Docker Hub before being discovered.

Open source provides a host of advantages. In fact, it has been a driving force of digital transformation. However, organizations must put safeguards in place to ensure that they are consuming open-source software securely. It’s an enormous job, and not all companies have the resources to tackle it. If your company cannot answer yes to each of the following questions, it might make sense to transfer your open-source consumption risk to the vendors you are working with:

  • Do you know what open-source software is being used in the organization? Do you know what open-source software your vendors are making use of/contributing to?
  • Do you have dedicated staff (or, at least, staff) tracking vulnerabilities in upstream repositories?
  • Do you have a framework in place for assessing the impact of a security vulnerability?
  • Do you have a framework in place to address vulnerabilities, making sure any fixes do not adversely affect applications?

3. DevSecOps: Integrate security and compliance early in the application lifecycle—and do it at scale

As organizations move more of their workloads to the cloud, security depends more on a DevSecOps model. For most companies, this means evolving from doing everything manually, with siloed teams, to code- and API-based everything.

The DevSecOps evolution requires not only a shift in technology, but also a change in culture. This is no small feat, for sure, but by taking full advantage of DevSecOps, organizations can fully integrate security into the application lifecycle.

At the advanced stage of DevSecOps, cloud technologies such as containers and Kubernetes can be considered security enablers, helping organizations improve processes such as configuration management, patch management, compliance, and governance, and even enable and improve cross-collaboration between different teams.

4. Educate and equip staff with the tools they need 

While automation and policy-driven processes are key to security, people are still the make-or-break factor when it comes to protection. It’s up to organizations to ensure that their employees and partners are continually educated and equipped with the tools they will need to make sound decisions. Approaches that companies can take include:

  • Implement formal (and ongoing) security education and certification programs.
  • Establish security roles in app dev and vice versa.
  • Establish a culture of cross-training and cross-collaboration. For example,  include both your security and compliance teams early in your cloud journey.
  • Be strategic in hiring.
  • Take a hard look at security tooling and resources.
  • Implement a consistent automation strategy across the organization.

Software is the business

Every company is now a software company, which means software security is now a business enabler. With a layered approach to security that includes solid, purposeful plans for data security, software supply chain security, cloud and containers security and management, compliance and governance, and people and processes, organizations can leverage security for business advantage.

You can learn more about this topic by watching my recent talk, "Tackling security in the world of containers, hybrid cloud, and DevSecOps," from Red Hat’s Security Symposium in July

Keep learning

Read more articles about: SecurityInformation Security