As agencies bring more agility to services development and delivery, they risk increasing vulnerability if they don’t also take a more agile approach to security.
Agencies clearly benefit from combining cloud-native technologies such as containerization and microservices with a DevOps methodology, which accelerates application delivery by improving collaboration between the development and operations teams.
But that combination creates a constantly shifting IT environment, making it difficult to apply traditional approaches to security and compliance.
To learn how agencies can adapt, GovLoop spoke with cyber experts at Palo Alto Networks, which offers a cloud-native security platform called Prisma Cloud. They recommended three steps.
Shift as Far Left as Possible
Security must be integrated with development. That is, it needs to be addressed in the earliest development stages (requirements, design and coding), not bolted on as a final check before deployment. In modern cloud environments, organizations must shift as far left as possible to keep up with the pace of innovation.
“You need to apply security evenly across the entire software development lifecycle: build, deploy and run,” said Matt Chiodi, Chief Security Officer, Public Cloud at Palo Alto Networks.
Agencies must monitor the entire development pipeline to ensure it remains compliant with their security policies, even as applications and services evolve.
The task of monitoring the pipeline grows more challenging as DevOps accelerates the pace of development and cloud-native architectures increase the complexity of the environment.
Traditionally, developers worked for months or even years on a single monolithic application. Now they break such applications into dozens or hundreds of microservices, each with its own network endpoints, dependencies and configuration, which expands the attack surface the security team must defend.
“The only way security can keep up with that pace is through automation,” Chiodi said.
Automation can be used for everything from monitoring server and endpoint posture to detecting, assessing and responding to threats.
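The build-stage half of "build, deploy and run" is the easiest place to automate, because the artifacts (a Dockerfile, a Kubernetes manifest) are plain text that can be checked before anything is deployed. The following Python script is an added example, not code from GovLoop, the guide or Palo Alto Networks: it implements a pipeline gate that parses a Dockerfile and a parsed workload manifest, applies a handful of policies, and fails the stage when a high or critical finding is present. The policy names, the sample Dockerfile and the manifest are constructed for illustration and are not Prisma Cloud policy identifiers.

```python
"""Build-stage policy gate for a CI pipeline (added example, not vendor code).

Policy names, the sample Dockerfile and the manifest are constructed for
illustration; they are not Prisma Cloud or any other product's identifiers.
"""
import re
from dataclasses import dataclass

SECRET_ENV = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")


@dataclass(frozen=True)
class Finding:
    policy: str
    severity: str  # critical | high | medium
    location: str
    detail: str


def parse_dockerfile(text):
    """Yield (line_no, INSTRUCTION, argument), joining backslash continuations."""
    start, buf = 0, ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        instr, _, arg = (buf + line).partition(" ")
        buf = ""
        yield start, instr.upper(), arg.strip()


def check_dockerfile(text):
    """Static checks that run before the image is ever built."""
    findings, last_user = [], None
    for no, instr, arg in parse_dockerfile(text):
        loc = f"Dockerfile:{no}"
        if instr == "FROM":
            image = arg.split()[0]  # drop "AS <stage>"
            tail = image.split("@")[0].rsplit("/", 1)[-1]
            if "@sha256:" not in image and (":" not in tail or tail.endswith(":latest")):
                findings.append(Finding("unpinned-base-image", "medium", loc, image))
        elif instr == "USER":
            last_user = arg
        elif instr == "ENV" and SECRET_ENV.search(arg):
            findings.append(Finding("secret-in-env", "high", loc, arg))
        elif instr == "RUN" and PIPE_TO_SHELL.search(arg):
            findings.append(Finding("pipe-to-shell", "medium", loc, arg))
    if last_user in (None, "root", "0"):
        findings.append(Finding("runs-as-root", "high", "Dockerfile", "no non-root USER"))
    return findings


def check_workload(manifest):
    """Checks on a parsed Kubernetes Pod/Deployment manifest (dict, as from yaml.safe_load)."""
    findings = []
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Deployment":
        spec = spec.get("template", {}).get("spec", {})
    name = f'{manifest.get("kind")}/{manifest["metadata"]["name"]}'
    if spec.get("hostNetwork"):
        findings.append(Finding("host-network", "high", name, "hostNetwork=true"))
    for c in spec.get("containers", []):
        loc, sc = f'{name}:{c["name"]}', c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(Finding("privileged-container", "critical", loc, "privileged=true"))
        if not sc.get("runAsNonRoot"):
            findings.append(Finding("runs-as-root", "high", loc, "runAsNonRoot not set"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append(Finding("privilege-escalation", "medium", loc, "allowPrivilegeEscalation not false"))
        if not c.get("resources", {}).get("limits"):
            findings.append(Finding("no-resource-limits", "medium", loc, "resources.limits missing"))
    return findings


def gate(dockerfile, manifest, block_on=("critical", "high")):
    """Return (findings, passed); the pipeline stage exits non-zero when passed is False."""
    findings = check_dockerfile(dockerfile) + check_workload(manifest)
    return findings, not any(f.severity in block_on for f in findings)


# Constructed sample inputs: what a developer might push before any review.
DOCKERFILE = """\
FROM python:3.12-slim AS build
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

FROM ubuntu
ENV API_TOKEN=changeme
RUN curl -sSL https://example.invalid/install.sh | sh
COPY --from=build /usr/local /usr/local
CMD ["python3", "/app/main.py"]
"""

MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "benefits-api"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "registry.example.invalid/benefits-api:1.4.2",
         "securityContext": {"privileged": True},
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        {"name": "sidecar", "image": "registry.example.invalid/log-shipper:2.0.0",
         "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
         "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
    ]}}},
}

if __name__ == "__main__":
    findings, ok = gate(DOCKERFILE, MANIFEST)
    for f in findings:
        print(f"{f.severity:8} {f.policy:22} {f.location}  {f.detail}")
    raise SystemExit(0 if ok else 1)
```

Run in the pipeline, the script reports seven findings for the constructed inputs (an unpinned base image, a credential baked into ENV, a pipe-to-shell install, no non-root USER, a privileged container that also runs as root and permits privilege escalation) and exits non-zero, so the image is never pushed. The same checks are cheap enough to run on every commit, which is what makes "evenly across build, deploy and run" achievable.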
Move to Continuous ATO
Automation also paves the way to change how agencies approve IT systems for use. In a standard Authority to Operate (ATO) process, a system owner must implement, certify and maintain required security controls. The problem is that certification is based on a snapshot in time, whereas in modern cloud environments change is constant. Systems can "drift" out of compliance after certification as configurations change, new resources are created and new threats arise.
Modern cloud architectures rely on containers that each perform a discrete task within a microservice environment and are in constant flux as application updates, newly disclosed vulnerabilities and threats, and policy changes arrive. "The challenge for any organization implementing microservices is the ability to monitor, identify and address issues in a timeframe that has the least amount of risk exposure," said Paul Fox, Senior Product Manager at Palo Alto Networks.
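The difference between a point-in-time ATO and continuous monitoring is easiest to see by running the same controls over a sequence of inventory snapshots rather than one. The Python script below is an added example, not code from GovLoop, the guide or Palo Alto Networks. It evaluates a small set of controls against each snapshot, records when a resource drifts from passing to failing, when a new resource appears already non-compliant, and when a failure is remediated, and measures the exposure window in between (the "timeframe" in Fox's quote). The control names, resource types and snapshots are constructed for illustration and are not NIST control identifiers or Prisma Cloud policies; in practice each snapshot would come from the cloud provider's inventory API and the loop would run on a schedule.

```python
"""Continuous control monitoring versus a one-time certification (added example).

Control names, resource types and snapshots are constructed for illustration;
they are not NIST, FedRAMP or Prisma Cloud identifiers.
"""
from datetime import datetime, timezone

# A control is a predicate over one resource's observed configuration.
CONTROLS = {
    "storage-no-public-access": lambda r: r["type"] != "bucket" or not r["public"],
    "storage-encrypted-at-rest": lambda r: r["type"] != "bucket" or r["encryption"] == "kms",
    "compute-no-open-ssh": lambda r: r["type"] != "security_group" or "0.0.0.0/0:22" not in r["ingress"],
    "audit-logging-enabled": lambda r: r["type"] != "account" or r["audit_log"],
}


def evaluate(snapshot):
    """Evaluate every control on every resource in one point-in-time snapshot."""
    return {(r["id"], name): bool(check(r))
            for r in snapshot["resources"] for name, check in CONTROLS.items()}


def certify(snapshot):
    """The traditional ATO question: does every control pass right now?"""
    return all(evaluate(snapshot).values())


def track(snapshots):
    """Replay snapshots in time order and record compliance transitions.

    Returns (events, open_failures, exposure): events lists each transition;
    open_failures maps (resource, control) to when it started failing and is
    still failing; exposure maps closed failures to how long they were exposed.
    """
    events, open_failures, exposure, prev = [], {}, {}, None
    for snap in sorted(snapshots, key=lambda s: s["taken"]):
        now = datetime.fromisoformat(snap["taken"]).replace(tzinfo=timezone.utc)
        results = evaluate(snap)
        for key, ok in results.items():
            if not ok and key not in open_failures:
                if prev is None:
                    kind = "baseline-fail"     # already failing when the ATO snapshot was taken
                elif prev.get(key):
                    kind = "drift"             # passed earlier, fails now
                else:
                    kind = "new-noncompliant"  # resource created in a failing state
                open_failures[key] = now
                events.append({"at": now, "resource": key[0], "control": key[1], "kind": kind})
            elif ok and key in open_failures:
                exposure[key] = now - open_failures.pop(key)
                events.append({"at": now, "resource": key[0], "control": key[1], "kind": "remediated"})
        for key in [k for k in open_failures if k not in results]:  # deleted while failing
            exposure[key] = now - open_failures.pop(key)
            events.append({"at": now, "resource": key[0], "control": key[1], "kind": "removed"})
        prev = results
    return events, open_failures, exposure


# Constructed inventory snapshots: the ATO is granted at the first one.
def bucket(public=False):
    return {"id": "bucket/case-files", "type": "bucket", "public": public, "encryption": "kms"}

API_SG = {"id": "sg/api-ingress", "type": "security_group", "ingress": ["10.0.0.0/8:443"]}
DEBUG_SG = {"id": "sg/debug-ssh", "type": "security_group", "ingress": ["0.0.0.0/0:22"]}
ACCOUNT = {"id": "account/prod", "type": "account", "audit_log": True}

SNAPSHOTS = [
    {"taken": "2024-03-01T00:00:00", "resources": [bucket(), API_SG, ACCOUNT]},
    {"taken": "2024-03-01T06:00:00", "resources": [bucket(public=True), API_SG, ACCOUNT]},
    {"taken": "2024-03-01T12:00:00", "resources": [bucket(public=True), API_SG, DEBUG_SG, ACCOUNT]},
    {"taken": "2024-03-02T00:00:00", "resources": [bucket(), API_SG, DEBUG_SG, ACCOUNT]},
]

if __name__ == "__main__":
    print("certified at baseline:", certify(SNAPSHOTS[0]))
    events, still_open, exposure = track(SNAPSHOTS)
    for e in events:
        print(f'{e["at"]:%Y-%m-%d %H:%M}  {e["kind"]:16} {e["resource"]:20} {e["control"]}')
    for key, started in still_open.items():
        print(f"OPEN since {started:%Y-%m-%d %H:%M}: {key[0]} fails {key[1]}")
    for key, window in exposure.items():
        print(f"exposure window for {key[0]} / {key[1]}: {window}")
```

The baseline snapshot certifies cleanly, which is all a traditional ATO would ever see. Replaying the later snapshots shows the case-files bucket drifting to public at 06:00 and being fixed 18 hours later, and a debug security group appearing with SSH open to the internet and still open at the end of the series. Those transitions and exposure windows, not the one-time pass, are the evidence a continuous ATO is built on.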
Prisma Cloud lets agencies use their existing staff to secure, monitor and protect services across multiple cloud service providers without mastering a separate security tool for each. It has reduced alert volume and configuration errors for many organizations, freeing IT and security operations staff to spend their time more productively. With support for the major compliance frameworks, Prisma Cloud enables IT to monitor compliance posture and generate audit-ready reports with a single click.
“Your security workforce needs visibility into your full cloud environment, with the ability to enforce compliance with security controls and policies, and we do that across multiple cloud service providers,” said Fox.
This article is an excerpt from GovLoop’s recent guide, “Agencies Build Foundation for DevSecOps Success.”