A cloud infrastructure delivers many benefits, but it also expands an organization’s attack surface and introduces a wide range of potential vulnerabilities, especially with the growing prevalence of mobile and IoT devices.
Cloud is not just another platform, but one that ultimately can transform how agencies think about the development and delivery of IT services. Cloud increasingly goes hand in hand with Agile software development and DevOps practices. The latter combines software development and IT operations practices, which shortens system deployment and provides continuous delivery with high software quality.
These changes are well intentioned, but the growing complexity can also leave agencies struggling to adapt their existing cybersecurity strategies.
Increasing complexity is all the more challenging because agencies at all levels of government remain a favorite target of malicious actors. Incidents such as the 2015 hack of the federal Office of Personnel Management, which resulted in the loss of more than 21 million records, have garnered much attention, but state and municipal governments have often been in the crosshairs as well. A list of the largest government cyberattacks in recent years, for instance, includes California’s and Georgia’s secretaries of state, Los Angeles County, and Washington’s Department of Fish and Wildlife. State and local governments also were the victims of almost two-thirds of all ransomware attacks, according to a 2019 study by Barracuda Networks.
Unfortunately, cloud implementations can introduce problems if not done properly. Poorly secured and configured cloud databases were a major contributor to security breaches in 2019, with poor configuration alone behind more than 70 million records leaked or stolen, according to Symantec’s 2019 Internet Security Threat Report.
The bottom line is that today’s cloud-based networks have created an environment far removed from traditional on-premises computing. A new approach that starts with secure code is needed.
The Solution: Bake Security Into Code
The best approach to cloud security is not based in the cloud, but in the concept of Security as Code.
Security as Code creates a foundation for DevSecOps, which brings security into the Agile development process at the ground floor. It incorporates security as a fundamental component of development tools and workflows. DevSecOps applies the same collaborative approach, relying on constant testing and continuous delivery.
This process shortens the feedback loop, accelerating the speed with which developers can respond to stakeholder requirements with new releases – often several times daily, as opposed to once weekly or even a few times each year, as with traditional methods.
Security as Code adds security “from the first word of design,” said Matt Jordan, Vice President of JHC Technology. And because it’s delivered through an automated build, test and deploy process, it’s consistent in all of its implementations.
Security as Code also reflects how the cloud works, with agencies relying on automated processes. “Developers need to code and deploy workloads using test-driven security,” JHC Technology Evangelist Michael Bryant added. “Security is part of code quality.”
The result is more comprehensive, flexible cybersecurity that’s woven into the software – and the IT infrastructure – from the get-go, with source code analysis and validation performed continuously. And infrastructure is deployed as code, making it auto-scaling, self-healing and trending toward 100% uptime.
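The "test-driven security" the article describes is easiest to see as a policy check that runs in the build pipeline against the infrastructure definition itself, before anything is deployed. The following is an added example, not code from the GovLoop report or from JHC Technology: it treats a parsed infrastructure-as-code document as data, applies a small set of security rules to every resource, and fails the build on any finding. The resource schema (field names such as `public_access`, `encryption_at_rest`, `tls_required`) and the sample stack are constructed assumptions, chosen to mirror the database misconfigurations the article cites; a real pipeline would map them to the provider's actual resource attributes.

```python
"""Security-as-code gate: validate an infrastructure definition before deploy.

Added example, not from the report or the vendor quoted in the article.
The resource fields below are a hypothetical, simplified schema (assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    message: str


# Policy as code: each rule is (rule id, predicate that returns True when the
# resource is compliant, message reported on failure). Missing fields are
# treated as non-compliant for the encryption/TLS rules, so the gate fails
# closed rather than silently passing an incomplete definition.
RULES = [
    ("no-public-access",
     lambda r: not r.get("public_access", False),
     "resource is reachable from the public internet"),
    ("encryption-at-rest",
     lambda r: r.get("encryption_at_rest", False),
     "data is stored unencrypted"),
    ("tls-required",
     lambda r: r.get("tls_required", False),
     "unencrypted client connections are permitted"),
]

# Constructed sample: what an IaC document might look like once parsed.
# The first resource carries the kind of misconfiguration behind the
# leaked-database breaches the article cites; the second is compliant.
SAMPLE_STACK = {
    "resources": [
        {"name": "citizen-records-db", "type": "database",
         "public_access": True, "encryption_at_rest": False,
         "tls_required": False},
        {"name": "audit-logs", "type": "bucket",
         "public_access": False, "encryption_at_rest": True,
         "tls_required": True},
    ]
}


def check_resource(res: dict) -> list[Finding]:
    """Evaluate every rule against one resource; return the failures."""
    return [Finding(res["name"], rule_id, msg)
            for rule_id, compliant, msg in RULES
            if not compliant(res)]


def check_stack(stack: dict) -> list[Finding]:
    """Evaluate every resource in the stack; return all findings."""
    return [finding
            for res in stack.get("resources", [])
            for finding in check_resource(res)]


def deploy_allowed(stack: dict) -> bool:
    """The gate: deployment proceeds only when there are no findings."""
    return not check_stack(stack)


def report(findings: list[Finding]) -> str:
    """Human-readable summary for the pipeline log."""
    return "\n".join(f"{f.resource}: [{f.rule}] {f.message}" for f in findings)


if __name__ == "__main__":
    findings = check_stack(SAMPLE_STACK)
    print(report(findings) or "no findings")
    # Non-zero exit status is what makes the CI job fail, i.e. "test-driven
    # security": the insecure definition never reaches the cloud account.
    raise SystemExit(0 if deploy_allowed(SAMPLE_STACK) else 1)
```

Because the rules live in the repository beside the infrastructure code, they are versioned, reviewed and applied identically on every build, which is the consistency across implementations the article attributes to an automated build, test and deploy process. Adding a rule is a code change, not a manual audit step.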
Having security that’s “baked in” rather than bolted on afterward has been a mantra of IT officials in government and every other sector for years, but the realities have lagged behind the ideals. Security as Code puts those ideals into practice. It’s automated, repeatable, highly scalable and portable from the start.
This article is an excerpt from GovLoop’s recent report, “The Dawn of Security as Code.”