Josh Stella - Co-founder & CTO of Fugue: Shifting Left on Cloud Security to Develop and Deploy Faster

Post on 19-Jul-2020


Page 1: Shifting Left on Cloud Security to Develop and Deploy Faster
files.devnetwork.cloud/DeveloperWeekSeattle/presentations/2019/cloud-security...

Josh Stella - Co-founder & CTO of Fugue

Shifting Left on Cloud Security to Develop and Deploy Faster

Page 2: What is Shift Left?

Shift Left is an approach to software testing in which testing is performed earlier in the software development lifecycle (SDLC).

Today, we’re applying Shift Left to cloud infrastructure security.

Page 3: The software development lifecycle

Requirements → Design → Develop → Test → Deploy → Review

Page 4: Why Shift Left on security and compliance?

Requirements → Design → Develop → Test → Deploy → Review

Change here (early in the lifecycle) is easier, faster, and less expensive.

Change here (late in the lifecycle) is more difficult, takes longer, and is more expensive.

Page 5: A simplified representation of the SDLC

Develop → Test → Deploy → Monitor

Page 6: Current: security and compliance happens late

Develop → Test → Deploy → Monitor

Security and compliance checks usually happen over here, at the Deploy and Monitor end of the lifecycle.

Page 7: Current: security and compliance happens late

Develop → Test → Deploy → Monitor

…as a gating function:

• Approvals
• Certifications
• Authority to Operate (ATO)

Page 8: Current: security and compliance happens late

Develop → Test → Deploy → Monitor

…as a reactionary function:

• Monitoring
• Remediating
• Reporting
• Auditing

Page 9: Current: security and compliance happens late

Develop → Test → Deploy → Monitor

Reactionary: Monitoring, Remediating, Reporting, Auditing
Gating: Approvals, Certifications, Authority to Operate (ATO)

The feedback loop back to developers is poor.

Page 10: Competing priorities pit teams against each other

Develop → Test → Deploy → Monitor

Security Teams need to ensure that sensitive data and systems are secure.

Compliance Teams need to ensure IT environments adhere to policy.

Developers and Ops Teams (DevOps) need to move fast, deploy frequently, and innovate.

Page 11: Goal: integrate policy checks earlier in the SDLC

Develop → Test → Deploy → Monitor

• Save time
• Save money
• Move faster
• Be more secure and compliant

Page 12: Goal: integrate policy checks earlier in the SDLC

Develop → Test → Deploy → Monitor

Establish trust and collaboration between teams.

Page 13: Shift Left doesn’t mean…

Develop → Test → Deploy → Monitor

…shifting security and compliance from here…

Page 14: Shift Left doesn’t mean…

Develop → Test → Deploy → Monitor

…shifting security and compliance from here (Deploy and Monitor)… …to here (Develop and Test).

Page 15: Shift Left doesn’t mean…

Develop → Test → Deploy → Monitor

…that security and compliance teams should move the gates to the left.

Page 16: We still need to do what we’ve been doing

Develop → Test → Deploy → Monitor

Monitoring, Remediating, Reporting, Auditing
Approvals, Certifications, ATO

Page 17: But we can empower developers to validate their work

Develop → Test → Deploy → Monitor

Monitoring, Remediating, Reporting, Auditing
Approvals, Certifications, ATO

Developer-side validation, earlier in the lifecycle: Unit Tests, Developer Tools

Page 18: But we can empower developers to validate their work

Develop → Test → Deploy → Monitor

Monitoring, Remediating, Reporting, Auditing
Approvals, Certifications, ATO

Developer-side validation, earlier in the lifecycle: Integration Tests, Unit Tests, Developer Tools

Page 19: Validation reinforces security and compliance

Develop → Test → Deploy → Monitor

Monitoring, Remediating, Reporting, Auditing
Approvals, Certifications, ATO

Developer-side validation, earlier in the lifecycle: Integration Tests, Unit Tests, Developer Tools, Automation

Page 20: What is security and compliance?

An agreed set of truths as to what’s allowed and what is safe.

Typically expressed in English, in docs, or worse, verbally.

Page 21: What is security and compliance?

Without a single source of truth, you have multiple interpretations of truth, and multiple sources of distrust.

And you can’t Shift Left.

Page 22: Shift Left must live in the developer’s context

• Tools that work with developers’ toolchains
• Automation tools for checking their work
• Policy-as-Code validation

Page 23: The shared-responsibility model of the cloud

The customer is responsible for the security on the cloud – including the configuration of the cloud services!

The Cloud Service Provider is responsible for the security of the cloud.

Customer (security on the cloud): Data, Application, Runtime, O/S, Cloud Config
Cloud Service Provider (security of the cloud): Virtualization, Servers, Storage, Networking

Page 24: Shift Left typically ignores cloud infrastructure

Cloud infrastructure configuration is often neglected. This is our focus.

Stack: Data, Application, Runtime, O/S, Cloud Config (our focus), Virtualization, Servers, Storage, Networking

Page 25: Cloud misconfiguration: a big security risk

“The complexities of cloud computing, and the chance of human error, will bite you in the butt.”

⎯ David Linthicum, InfoWorld | OCT 5, 2018

93% CONCERNED FOR MAJOR SECURITY BREACH DUE TO MISCONFIGURATION

Page 26: Cloud risks are very real

Page 27: The cloud creates new security challenges

• API-driven infrastructure: highly dynamic, on-demand environments. Developers are making infrastructure decisions.
• Challenges at scale: Is everything in compliance? Can we maintain compliance while moving fast at scale?
• New services and operational patterns: Old security models are broken. Effectively infinite configuration options.

Page 28: Common types of cloud infrastructure policy violations

• IAM: 66%
• Object storage access policies: 51%
• Security group rules: 59%
• Encryption in transit disabled: 42%

Page 29: What’s causing cloud misconfiguration?

• Human error: 64%
• Lack of team awareness of security & policies: 54%
• Lack of adequate control & oversight: 49%

Compliance frameworks: HIPAA, PCI, NIST 800-53, GDPR, SOC 2, CIS, ISO 27001

Page 30: Typical response: restrict access and innovation

• Manual certifications and approvals
• Locking down cloud consoles
• Provisioning guardrails

Page 31: Alternate approach: Baselining

“Leverage hardened baselines within infrastructure automation practices, and maintain vetted builds in VCSs for organizational teams to instantiate from. Audit assets at build time, delivery time and runtime to account for new dependencies or environment drift.”

⎯ Michael Isbitski, Gartner | MAY 9, 2019

Page 32: Alternate approach: leverage baselines

“Leverage hardened baselines within infrastructure automation practices, and maintain vetted builds in [version control systems]… to instantiate from. Audit assets at build time, delivery time and runtime to account for new dependencies or environment drift.”

⎯ Michael Isbitski, Gartner | MAY 9, 2019

Page 33: Alternate approach: Baselining

• The baseline is a complete picture of a cloud infrastructure environment and how everything is configured.
• It serves as a contract between Development, Operations, Security, and Compliance.
• It provides the basis for shifting left on cloud security and compliance based on a single source of trust.

Page 34: Baselining drives Shift Left and cloud security

DevSecOps / Shift Left: ESTABLISH A KNOWN-GOOD BASELINE
• Automate policy-as-code validation to identify compliance violations early
• Integrate policy checks into CI/CD and provisioning tools for agility and speed

Cloud Security: ENFORCE THE KNOWN-GOOD BASELINE
• Identify unauthorized infrastructure changes and policy violations
• Automatically revert drift back to the known-good baseline for critical resources
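The "enforce the baseline" half of that slide, as an added example that is not part of the talk or of Fugue's product: a baseline and a live snapshot are compared resource by resource, every drifted or unauthorized resource is reported, and only the critical resources are queued for an automatic revert. The snapshot format, resource names and the `CRITICAL` set are constructed for the example.

```python
# Added example (not from the talk): detect drift between a known-good
# baseline and a snapshot of the live environment, then decide which drift
# is reverted automatically (critical resources) versus only reported.
# Both snapshots are constructed inline in a simplified
# {resource_name: {attribute: value}} form; no cloud API is called.

def diff_resource(base, live):
    """Attribute-level drift for one resource: {attr: (baseline, live)}."""
    return {attr: (base.get(attr), live.get(attr))
            for attr in sorted(set(base) | set(live))
            if base.get(attr) != live.get(attr)}

def detect_drift(baseline, snapshot, critical):
    """Return (report, revert): report lists every drifted or unauthorized
    resource; revert maps critical drifted resources to their baseline state."""
    report, revert = [], {}
    for name in sorted(set(baseline) | set(snapshot)):
        base, live = baseline.get(name), snapshot.get(name)
        if base is None:
            # Created outside the pipeline: nothing to restore, flag for review
            report.append(f"{name}: unauthorized resource, not in baseline")
            continue
        if live is None:
            report.append(f"{name}: in baseline but missing from environment")
        else:
            changes = diff_resource(base, live)
            if not changes:
                continue
            for attr, (old, new) in changes.items():
                report.append(f"{name}.{attr}: baseline={old!r} live={new!r}")
        if name in critical:
            revert[name] = base  # desired state to push back through the provisioning tool
    return report, revert

# Constructed sample data: a security group drifted open, a CI role was
# deleted, and an unapproved bucket appeared.
BASELINE = {
    "db_sg": {"ingress": ["10.0.0.0/16:5432"], "egress": ["0.0.0.0/0:all"]},
    "data_bucket": {"acl": "private", "encryption": "aws:kms", "versioning": True},
    "ci_role": {"policies": ["ci-deploy"]},
}
SNAPSHOT = {
    "db_sg": {"ingress": ["10.0.0.0/16:5432", "0.0.0.0/0:5432"], "egress": ["0.0.0.0/0:all"]},
    "data_bucket": {"acl": "private", "encryption": "aws:kms", "versioning": True},
    "debug_bucket": {"acl": "public-read", "encryption": None, "versioning": False},
}
CRITICAL = {"db_sg", "data_bucket"}

if __name__ == "__main__":
    report, revert = detect_drift(BASELINE, SNAPSHOT, CRITICAL)
    print("\n".join(report))
    print("revert:", revert)
```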

Page 35: Unit tests

Page 36: Unit tests

Page 37: Build in policy controls at every stage of the SDLC

Pipeline: Client (</>) → Version Control (GitHub: compositions, validation libraries) → CI/CD (Jenkins job runs the validation) → Provisioning Tool → Cloud Accounts (Development, QA, Production)

Validation Failed: fix the error in the noncompliant composition and try again.

Validation Passed: automated provisioning, with integration tests run against the provisioned cloud accounts.
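The validation step in that pipeline, as an added example that is not part of the talk or of Fugue's product: a policy-as-code gate the CI job runs on a composition before the provisioning tool ever sees it, checking the four violation categories listed on the "Common types" slide (IAM, object storage access policies, security group rules, encryption in transit). The composition format, resource names and the `SENSITIVE_PORTS` set are constructed for the example.

```python
# Added example (not from the talk): a policy-as-code gate a CI job such as
# the Jenkins step in the pipeline above could run before provisioning.
# The composition is a constructed, Terraform-plan-like dict; the checks
# cover the four violation categories from the "Common types" slide.
import sys

SENSITIVE_PORTS = {22, 3389, 3306, 5432}   # admin and database ports

def check_iam(name, r):
    for s in r.get("statements", []):
        if "*" in s.get("actions", []) or s.get("resource") == "*":
            yield f"{name}: IAM statement allows wildcard actions or resources"

def check_bucket(name, r):
    if r.get("acl") in ("public-read", "public-read-write"):
        yield f"{name}: object storage ACL is {r['acl']}"
    if not r.get("enforce_tls", False):
        yield f"{name}: encryption in transit not enforced (no TLS-only policy)"

def check_security_group(name, r):
    for rule in r.get("ingress", []):
        ports = set(range(rule["from_port"], rule["to_port"] + 1))
        exposed = sorted(ports & SENSITIVE_PORTS)
        if "0.0.0.0/0" in rule.get("cidrs", []) and exposed:
            yield f"{name}: ingress from 0.0.0.0/0 on sensitive port(s) {exposed}"

CHECKS = {"iam_policy": check_iam, "bucket": check_bucket,
          "security_group": check_security_group}

def validate(composition):
    """Return all violations; an empty list means 'Validation Passed'."""
    violations = []
    for name, r in composition.items():
        check = CHECKS.get(r["type"])
        if check:
            violations.extend(check(name, r))
    return violations

# Constructed noncompliant composition: one finding per category, plus SSH
# open to the world; the HTTPS rule and the private bucket are compliant.
COMPOSITION = {
    "admin_policy": {"type": "iam_policy", "statements": [{"actions": ["*"], "resource": "*"}]},
    "logs_bucket": {"type": "bucket", "acl": "public-read", "enforce_tls": False},
    "web_sg": {"type": "security_group", "ingress": [
        {"cidrs": ["0.0.0.0/0"], "from_port": 443, "to_port": 443},
        {"cidrs": ["0.0.0.0/0"], "from_port": 22, "to_port": 22}]},
    "app_bucket": {"type": "bucket", "acl": "private", "enforce_tls": True},
}

if __name__ == "__main__":
    found = validate(COMPOSITION)
    print("\n".join(found) or "Validation Passed")
    sys.exit(1 if found else 0)   # non-zero stops the job before provisioning
```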

Page 38: Aligning teams, building trust, moving fast

Develop → Test → Deploy → Monitor

Compliance Teams can automate policy checks earlier in the SDLC and gain better visibility into the CI/CD pipeline.

Developers and Ops Teams (DevOps) can move faster by identifying and fixing security problems earlier in the SDLC.

Security Teams can protect critical resources and data from a breach by eliminating misconfiguration prior to deployment.

Page 39: Where to start?

APPLY A POLICY TO AN EXISTING CLOUD ENVIRONMENT
• Identify violations
• Work with developers to fix issues
• Use CIS Benchmark

LEARN WHAT YOUR APP DEVELOPERS ARE DOING
• CI/CD tools
• Infrastructure-as-code
• Policy checks
• Security best practices

IDENTIFY CRITICAL CLOUD RESOURCES AND ESTABLISH BASELINES
• Sensitive data
• Access controls/IAM
• Monitor for drift
• Enforce baselines

Page 40: Questions?

Page 41: Learn more and get in touch

[email protected]

@joshstella

www.fugue.co