One of the positive by-products of moving computing to the cloud is that enterprises can take advantage of the massive investments that cloud providers have made. However, working in the cloud also creates new challenges and opportunities for managing security and compliance risks.

To better understand these risks, Orca Security, along with other leading cybersecurity vendors, sponsored a survey conducted by SANS focused on ‘Extending DevOps Security Controls in the Cloud’.

In this survey, SANS authors Jim Bird and Eric Johnson explore how organizations extend their security controls beyond their on-prem environments into the public cloud to secure their cloud networks, services, and applications. This enables organizations to take advantage of the cloud platform’s capabilities and available cloud-based third-party services to reduce security risks and costs and simplify their security and compliance programs. However, this is not a simple lift-and-shift exercise. Organizations must take responsibility for architecting a secure solution, understanding and correctly using the capabilities that cloud providers offer, and identifying and filling in any gaps.

The Survey’s Key Findings

While the survey covered many topics, the authors highlighted the following key findings:

  • While on-prem application hosting is still the most common means for delivery, cloud-hosted platforms are gaining traction. Yet many security professionals (36%) spend less than 25% of their time building a “paved road” for the cloud provider platforms.
  • Most organizations, especially large enterprises, need to work with multiple cloud platform providers, which means that they need to understand and manage a larger range of security and compliance risks. The majority of organizations (92%) use at least one public cloud provider, and the average organization has workloads running in 2.33 public cloud providers.
  • Agile and DevOps methods are enabling developers to deliver features and changes faster and more cost-effectively. The velocity of feature delivery has increased by 14% over the past four years, but the speed of security assessments is not keeping up. Only half of the organizations are taking advantage of automated testing, and 27% are not doing any security testing.
  • Most organizations are struggling to shift security left. Only 40% include security assessments early in planning and design, where important decisions are made about architecture approach, development tooling, and technology platforms—and where mistakes or misunderstandings can be dangerous and expensive.

Is Security Keeping Up with the Velocity of Change?

The faster engineering and development teams deliver changes, the quicker security teams need to identify and assess risks. Comparing the rate of delivery to the velocity of security testing shows that most organizations are unable to keep up with the pace of delivery. The survey found:

  • Although a small number of practice leaders are delivering and testing continuously, in all other cases the frequency of security testing significantly trails delivery.
  • A significant number (39%) of organizations are still relying on point-in-time or ad hoc security testing, which leaves them without a clear picture of the security risk or the ability to manage these risks.
  • What is more concerning is that 27% of organizations do not perform security assessments at all.



Most organizations need to make fundamental changes to make secure DevOps a reality. There are two approaches that DevSecOps teams can follow:

  • Shift left—Initiate change from the bottom up, building on technical disciplines and practices, especially automation. Foundational technical practices—such as automated build and delivery pipelines (CI/CD), test automation (test-driven development [TDD], behavior-driven development [BDD]), pair programming and pull request reviews, and configuring infrastructure in code—all enable DevOps teams to move faster and deliver working software.
  • Shift right—Offload operational, security, and compliance risks and obligations onto the cloud provider or their pre-integrated ecosystem of third-party security and compliance tools. This approach takes advantage of the cloud provider’s scale, resources, and agility to solve problems and compensate for the organization’s weaknesses. This frees up scarce security and development resources to focus on important priorities and risks.