Growth begets risk. IT security and software development teams know this all too well.
Cloud-native software development, noted for its flexibility and scalability, can create tensions between your IT’s creators and defenders. While development teams can feel held back by security protocols, security teams might be wary of innovative cloud-based projects they feel could increase risk to the organization.
It doesn’t need to be this way. Organizations must ensure these two teams are aligned from the outset of every cloud project to deliver secure applications that support business goals. This is especially critical for all businesses today as the threat of malicious actors continues to reach all-time highs each month.
Here are five ways your organization can approach cloud management with a unified strategy of security and development.
1: Collaborate in the Planning Stage to Define Shared Goals
If your development team is getting ready to build a new application or service, make it a practice to include your security team right from the beginning.
Meet and discuss your objectives and concerns for the cloud application. Here are several questions you may want to address with both teams involved:
• What is the business purpose of this application or service?
• What are the security implications if there were an outage or a breach?
• Is there confidential data involved?
• Where does security need visibility into development and deployment?
Collaboration between these teams minimizes surprises and keeps everyone aligned. This should help reduce the severity of incidents and ensure there are resources to mitigate them.
Once your developers are ready to start the project, make sure both teams keep an open line of communication to work through any concerns that arise on either side. You’d likely rather spend a week shoring up a security threat than explain to a customer or your shareholders why information was leaked.
2: Use the Tools Your Cloud Platform Gives You (Don’t Try to Create Your Own)
When you’re building an application in Amazon Web Services, Microsoft Azure or Google Cloud Platform, there’s no need to reinvent the wheel. In fact, organizations run into trouble when developers try to write their own security layer in major cloud providers’ platforms. While it can be appealing to do things the way you’ve always done them, a DIY approach may come at the cost of your application’s and environment’s security.
Major cloud providers have deep resources and support teams—they’ll have 100 people refining security and performance features for any given app, versus your organization’s 20-person developer team managing dozens of different apps. These providers are constantly monitoring the threat landscape so they can strengthen the infrastructure accordingly.
Adapting to new tools can be frustrating for developers who are used to writing code a certain way, but it’s in the best interest of your development team to trust the tools your provider has given you. These tools have been built to seamlessly integrate with the cloud platform and have security and compliance objectives built in.
3: Leverage Cloud Platforms in Organizations With On-Premises Infrastructure
One advantage of cloud environments is that you only pay for what you use. This may come in handy in a largely “On-Premises” organization when there is a desire to test a new application. You don’t have to wait for developers to build, spec and execute on-premises infrastructure to build a proof of concept.
A cloud platform can provide an efficient and cost-effective solution.
From a business perspective, this means you won’t need to worry about the capital investments in additional infrastructure or servers. This gives security and developer teams more freedom to experiment with new software, assess security issues and refine before deployment.
4: Establish Consistent Test Environments
We consistently remind people to ABT: Always Be Testing. However, this is the first step that organizations tend to skip, or minimize, when a time crunch occurs. Thankfully, the cloud makes testing any new application or service before deployment easy.
Your cloud provider’s infrastructure is built for repeatable environments. AWS’ CodeDeploy, for example, automates software deployments across production environments while maximizing application availability. This gives your developer team visibility into application health with minimal lift—and they can easily roll back the deployment instantly if there are any performance or security issues.
Once again, cloud providers have nimble resources and exposure to a wide range of environments. When testing your application, cloud platforms make a once arduous chore into an easy test.
5: Don’t Be Afraid to Say Goodbye to Your Darlings
The beauty of the cloud is that it allows for ephemeral environments. This is an advantage from a security perspective.
Sometimes your organization may just need a one-off service for a task. In other words, it’s an environment you’ll only use once. You can deploy the application in the cloud, complete the task, then shut it down. Terminating the application keeps security threats to a minimum.
Developers should rethink their emotional attachment to their environments—if it’s no longer serving a business function, there’s no need to let it lie dormant. Doing so creates compounding risk through forgotten assets and unpatched systems. Instead of spending hours figuring out how to patch a security vulnerability or keep an OS up to date, eliminate the application and build a new one for a different task at hand.
Teamwork Makes the Cloud Work
Organizations that successfully build both innovative and well-protected cloud applications understand that developers and security leads are on the same team.
When embarking on a new application, rather than try to advocate for innovation over protection or vice versa, treat both as non-negotiable goals. Your cloud provider has all the resources you need to make both possible.
Bring security into the conversation early and strategize how development can use the tools available. Invest the time to learn them or select a trusted advisor to help. The investment in both are worthwhile.