Moving IT Workloads to the Cloud changes Security strategies
The SANS Institute, the world's leading provider of cyber security training and certification, presents the results of its survey in the study "Rethinking the Sec in DevSecOps: Security as Code" by SANS instructors Jim Bird and Eric Johnson. With the shift of IT workloads to the cloud, the way companies develop and deploy systems, and the way IT security must be implemented, is changing. The report answers the question of what this change means for the modern company and its security program.
"IT security becomes security engineering in DevSecOps. This means nothing less than writing security and compliance policies in code. Application code and service configurations must be checked, scanned and tested. Leaders need to develop an understanding of how application development and systems engineering teams work and help them find and implement tools to integrate security testing directly into development. Security as Code therefore requires new skills and new ways of thinking and working: more collaborative and transparent, faster and more iterative. It requires relying on automation to solve common problems and reduce costs and risks," Bird and Johnson summarize the initial situation.
Some important results of the SANS report:
- More than half (57%) of companies use three or more cloud platforms. Each cloud platform is unique: the configuration models differ, as do the APIs and services. Therefore the operational and security risks also differ, which makes them harder to understand and manage. Cloud-agnostic tools are increasingly helping to reduce costs and risks.
- Basic software development practices such as CI/CD and test automation are key to deployment speed and continuous security testing. If development teams do not automate their build and test work, it becomes more difficult for them to implement automated security testing. While 66% of companies currently automate builds, only half (52%) practice continuous integration and take advantage of automated testing.
- Development teams are getting faster and faster, but so are the attackers. Only half of companies (51%) patch or fix critical security vulnerabilities and other critical security risks within a week of identifying them. Organizations must leverage DevOps and agile practices, as well as automated build chains and automated testing, to deploy patches faster and more reliably.
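The report's points about writing security policy as code, checking service configurations in the build, and fixing critical vulnerabilities within a week can be made concrete as a CI gate. The following is an added example, not code from the SANS report or its authors: the configuration schema, the finding records, the one-week threshold and the function names (`check_config`, `overdue_criticals`, `run_gate`) are assumptions constructed for illustration.

```python
"""Security-as-code gate: policy checks over a service configuration and an
open-vulnerability backlog, meant to run as one stage of a CI pipeline.

Added example; the schema, sample data and thresholds are assumptions.
"""
import sys
from datetime import date, timedelta

# Constructed sample: a simplified service configuration as a CI job might
# load it from a deployment manifest (hypothetical schema).
SERVICE_CONFIG = {
    "name": "orders-api",
    "storage": {"public_read": True, "encryption_at_rest": False},
    "tls": {"min_version": "1.0"},
}

# Constructed sample: open findings from a scanner, with the date each was
# identified (hypothetical record format).
FINDINGS = [
    {"id": "F-1", "severity": "critical", "identified": date(2020, 6, 1)},
    {"id": "F-2", "severity": "critical", "identified": date(2020, 6, 9)},
    {"id": "F-3", "severity": "low", "identified": date(2020, 5, 1)},
]

# Policy thresholds (assumed): critical findings must be fixed within a week,
# the metric the report uses; TLS must be at least 1.2.
CRITICAL_FIX_SLA = timedelta(days=7)
MIN_TLS = (1, 2)

# Fixed "today" so the example is deterministic.
TODAY = date(2020, 6, 10)


def _version_tuple(text):
    """Turn "1.2" into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in str(text).split("."))


def check_config(config):
    """Return a list of policy violations for one service configuration."""
    name = config.get("name", "<unnamed>")
    violations = []
    storage = config.get("storage", {})
    if storage.get("public_read", False):
        violations.append(f"{name}: storage is publicly readable")
    if not storage.get("encryption_at_rest", False):
        violations.append(f"{name}: storage is not encrypted at rest")
    tls_min = _version_tuple(config.get("tls", {}).get("min_version", "1.0"))
    if tls_min < MIN_TLS:
        violations.append(f"{name}: TLS minimum version {tls_min} is below {MIN_TLS}")
    return violations


def overdue_criticals(findings, today):
    """Return critical findings open longer than the fix SLA as of `today`."""
    return [
        f for f in findings
        if f["severity"] == "critical" and today - f["identified"] > CRITICAL_FIX_SLA
    ]


def run_gate(config, findings, today):
    """Combine both policy checks; an empty list means the build may proceed."""
    violations = check_config(config)
    for f in overdue_criticals(findings, today):
        age = (today - f["identified"]).days
        violations.append(
            f"{f['id']}: critical finding open {age} days, SLA is {CRITICAL_FIX_SLA.days}"
        )
    return violations


if __name__ == "__main__":
    problems = run_gate(SERVICE_CONFIG, FINDINGS, TODAY)
    for problem in problems:
        print("FAIL", problem)
    # Non-zero exit makes the CI stage fail, which is the whole point of the gate.
    sys.exit(1 if problems else 0)
```

Run as a pipeline step, the script exits non-zero whenever a configuration rule or the patch SLA is violated, so the policy is enforced on every build rather than reviewed by hand. The thresholds live in code next to the checks, which is what "security and compliance policies in code" means in practice.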