The growing complexity of cloud computing has good intentions, but it can also leave agencies struggling to adapt their existing cybersecurity strategies.
Cloud computing – coupled with advances in mobile computing and the Internet of Things (IoT) – has allowed organizations to greatly extend their networks’ reach while adding speed, efficiency and access to data from multiple sources. But hackers have also reaped many of the same advantages. Attacks now come from more directions faster than ever, leaving agencies with less time to identify, analyze and react to them.
To keep their data, applications and operations protected, agencies need to execute their security procedures in as close to real time as possible. And that ability requires software that’s built from the ground up for the job. This is known as Security as Code.
1. Develop a Cloud Policy.
It all starts with a good plan. Agencies need a cloud policy that covers steps from acquisition to implementation, and addresses the three models of cloud computing: Infrastructure-, Platform- and Software-as-a-Service. Security is an essential component of a good policy; Security as Code builds it into the foundation.
2. Adopt a Governance Framework.
In the realm of cloud and Agile development, a good plan means strong governance. Governance establishes a framework covering the people, practices and technology standards at each step along the way to an agency’s goals. The collaboration, constant testing and other elements of DevSecOps put many cooks in the kitchen; a strong governance plan, with secure code at the core, establishes procedures that ensure that the process does not become too convoluted.
3. Establish a Cloud Center of Excellence.
As part of the governance plan, agencies should establish a Cloud Center of Excellence (CCoE), a cross-functional team that centralizes and coordinates cloud strategy. CCoEs set repeatable policies, reference architectures, frameworks and procedures for development teams to follow. They also can establish contracts with easy-to-use base frameworks. Agencies can order from those contracts according to their business needs.
4. Find an Experienced Industry Partner.
Cloud transitions can be complex, and no agency has the necessary expertise in every area. Agencies should look for partners with experience in making the transition and ask about specifics, such as a potential partner’s familiarity with the tools and technologies that will be used. The ability to implement Security as Code should be included in the criteria. An agency should ensure its cloud and security vendor is among the top tiers of partnership within the chosen CSP, helping to ensure that the partner has the requisite experience, familiarity, past performance, and relationships to carry projects forward.
This blog post is an excerpt from our new report, The Dawn of Security as Code, download it here to learn how agencies can take advantage of agile development to deploy new software faster.