Facing the Shift-Left Security Conundrum: A True Story
There was a time when developers and security teams didn’t get along. Friction reigned as each side struggled to meet its own needs: security teams got notified of data breaches, while DevOps got notified of development slowdowns and access denials caused by reduced privileges.
Those dark days are over, and everyone now understands that security IS business. High-profile breaches such as Capital One, and the US Presidential Executive Order on National Cybersecurity and Emerging Technologies, have put stakeholders on the same page: organizations understand that prioritizing security is critical to reducing their cloud attack surface. Developers want to cooperate and to integrate fine-grained access control into their security practices. Shift-left security is all the rage, and even has its own culture of tech communities, conferences, buzzwords, and personalities.
That is, shift-left is hot… until it isn’t. The complexity of dynamic cloud business requirements makes managing least privilege a huge challenge, whether you’re on the security side or the development/operations side of the house.
Security and DevOps: still at odds
Developers want extended privileges to perform the actions required by the service or application they are building. From a security perspective, full administrator privileges are excessive; they are a known weakness that leads to data breaches, and should therefore be reduced.
In a well-known scenario playing out in organizations around the world, the security team sends a developer seeking extended privileges back to their desk to manually determine, and justify, the permissions they really need. The cloud’s promise of agile working gives way to an endless ping-pong, the well-known friction, in which security and developers negotiate access.
For developers and DevOps, deep in the trenches, a big part of the problem is working out which rights they legitimately need. Ultimately, development work is slowed down by security requirements that are best practice on paper but difficult to implement in real life.
“Shift Left Security” Methodology – Fact or Fiction?
Shifting security left means integrating security earlier in the development process, so that developers don’t find themselves faced with security teams demanding that they refactor their code just when they’re ready to go into production.
What does shifting left mean for the developer? Here are some elements of shift-left practice:
- Integrate least privilege into infrastructure as code – DevOps configure policies and add automated safeguards in the cloud as part of their ongoing daily work, to protect infrastructure and prevent excessive permissions on cloud workloads.
- Manage RBAC on Kubernetes – Configure Kubernetes RBAC to enforce the least-privilege model on clusters, avoiding excessive permissions and enabling only the permissions that are actually required.
- Enforce least-privilege policies on CI/CD pipelines – Remove developer admin credentials from CI/CD workstations and adopt adaptive permissions, to prevent widespread exposure or breaches through CI/CD pipelines.
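As an added example (not code from the original post, nor Ermetic’s tooling), the following Python audit applies the Kubernetes RBAC point above to a few constructed Role and ClusterRole manifests: it flags wildcard grants, verbs that allow privilege escalation, and access to sensitive resources, so that a broad "developer admin" ClusterRole fails while a namespace-scoped deployer Role passes. The manifests, their names, and the lists of escalation verbs and sensitive resources are assumptions made for the illustration, not a complete policy.

```python
"""Audit Kubernetes Role/ClusterRole manifests for least-privilege violations.

Added example, not from the original post. The manifests below are
constructed for illustration and are given as already-parsed YAML (dicts).
"""

# Constructed sample: the kind of broad role a developer might ask for.
BROAD_CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "dev-admin"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# Constructed sample: a namespace-scoped role limited to what a deployer needs.
SCOPED_ROLE = {
    "kind": "Role",
    "metadata": {"name": "app-deployer", "namespace": "payments"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample: looks narrow, but can read secrets and bind roles.
CI_RUNNER_ROLE = {
    "kind": "Role",
    "metadata": {"name": "ci-runner", "namespace": "build"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["rolebindings"], "verbs": ["create", "bind"]},
    ],
}

# Assumed lists for this illustration: verbs that let a subject grow its own
# permissions, and resources whose exposure typically means credential leakage.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "serviceaccounts/token"}


def audit_rbac(manifest):
    """Return a list of human-readable findings for one Role/ClusterRole.

    An empty list means no rule violated the checks below.
    """
    findings = []
    kind = manifest["kind"]
    name = manifest["metadata"]["name"]
    for i, rule in enumerate(manifest.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        loc = f"{kind}/{name} rule[{i}]"
        # Wildcards are the most common way least privilege is silently lost.
        if "*" in verbs:
            findings.append(f"{loc}: wildcard verb '*' grants every action")
        if "*" in resources:
            findings.append(f"{loc}: wildcard resource '*' covers every resource type")
        if "*" in groups:
            findings.append(f"{loc}: wildcard apiGroup '*' covers every API group")
        # Escalation verbs let the holder extend its own rights later.
        for verb in sorted(ESCALATION_VERBS & set(verbs)):
            findings.append(f"{loc}: verb '{verb}' allows privilege escalation")
        # Any verb on a sensitive resource deserves explicit justification.
        for res in sorted(SENSITIVE_RESOURCES & set(resources)):
            findings.append(f"{loc}: grants {verbs} on sensitive resource '{res}'")
    # Cluster-wide scope turns every finding above into a cluster-wide problem.
    if kind == "ClusterRole" and findings:
        findings.append(f"ClusterRole/{name}: cluster-wide scope amplifies the findings above")
    return findings


def is_least_privilege(manifest):
    """True when the audit raises no findings."""
    return not audit_rbac(manifest)


if __name__ == "__main__":
    for m in (BROAD_CLUSTER_ROLE, SCOPED_ROLE, CI_RUNNER_ROLE):
        label = f"{m['kind']}/{m['metadata']['name']}"
        result = audit_rbac(m)
        print(f"{label}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

Run as a script, the broad ClusterRole produces four findings, the scoped deployer Role produces none, and the CI runner Role is caught on both its secret read access and its `bind` verb, the kind of "looks narrow but isn’t" grant that a manual review tends to miss. The same function can be pointed at manifests loaded from a repository as part of an infrastructure-as-code pipeline check.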
As a developer or DevOps professional, these actions can feel like shackles. They seem to tip the scales toward security at the expense of fast, agile development. Indeed, many of these security requirements are not accompanied by automated tools that fit easily into the software development cycle and into everyday work.
Other actions, such as security teams evaluating OSS libraries or requiring a risk assessment for new features, are high maintenance and work against performance SLAs, which are what you’re really measured on as a developer, rather than on security efforts to prevent a data breach.
With so many tasks and pressures from engineering, support, product, customer success, and marketing management, what should a developer do?
Crossing the Chasm: DevSecOps
Decisions about which security practices development should implement should not necessarily rest with the developer. An organizational solution exists: the DevSecOps role. We will explore this role in more detail in a future article. For now, suffice it to say that DevSecOps professionals are responsible for bringing the right security processes to developers in an easy-to-apply way, with a focus on the business value of each security requirement.
DevSecOps is the closest thing to an organizational fix for bringing security into the development sphere and helping organizations shift left. Even so, it’s not a silver bullet, and it’s hard work. DevSecOps professionals constantly rely on each other to share information, agree on what matters most amid the noise, and figure out who’s doing what to solve problems. And not all organizations are able to dedicate security roles within their DevOps team.
At a time when security requires special attention, there are several steps that can be taken to make the shift left happen.
What it takes to perform the shift left
Whether or not your organization consciously prioritizes security and has allocated adequate cloud security resources, it’s time to recognize that security activities and management take up your development teams’ time.
With least privilege and zero trust security best practices widely recognized as the only way to effectively secure the cloud environment, and compliance a regulatory requirement, organizations must choose one of two paths:
An endless struggle – Let developers carry on their daily negotiations with security, wasting their time and venting their frustration at the water cooler. Or:
Shift left – Make a conscious choice to move security left, adding DevSecOps roles if possible, but even if not: introduce tools that streamline, automate, and remove friction from security processes, and educate developers and ops on the insights they can gain from automated security tools.
What does this mean? In short, shifting left involves three key dimensions:
- A change of mentality – Understand that security is not an afterthought but an essential part of day-to-day development. Security does not take away from development time; rather, it is an essential part of development time. Leaders need to be confident that their DevOps teams are doing the right thing when working on security.
- The right tools – Find security platforms that help developers close real, performance-related security holes and make it easier to implement and integrate security. Such tools can help bring together the different objectives of CISOs (security) and DevOps teams. CISOs can use them to gain visibility into, and better control of, how the infrastructure looks and what DevOps does. DevOps teams can use them to gain insights previously unavailable to them, learning from tool results and risk severities within their sprints. They can, for example, integrate the access policy recommendations such tools generate with Slack, Jira, ServiceNow or Terraform to automatically grant and revoke rights.
In short, the right tools can help break down the organizational silos that, in practice, stop the will to shift left on security from being acted upon.
- The right training – Conduct repeatable security training with development teams, while automating and integrating training processes into cloud infrastructure processes. Training is essential for achieving greater cloud security maturity and a key part of any cloud security strategy.
Shift left is not a luxury
The least privilege that the shift left drives is not a luxury; it is a necessity. Cyber threats are increasing and costing more.
In its 2022 report [IBM Cost of a Data Breach Report, 2022], IBM found that 83% of organizations had more than one data breach – and 45% of breaches were cloud-based. They also found that the average cost of a data breach was $4.35 million, up 13% over the past two years.
Verizon, in its annual data breach investigations report [Verizon DBIR, 2022], reported that “82% of breaches involved the human element”, whether that was stolen credentials, phishing, misuse, or just plain error.
Organizations need to embrace least privilege. And yet, IBM reported that 79% of critical infrastructure organizations (finance, healthcare, and others), and 59% across all industries, don’t even deploy a Zero Trust architecture.
The Bottom Line: Can We Really Shift Left?
The right tools, combined with a strategic approach to cloud security maturity across tools, people, and processes, are the answer to the shift-left conundrum and end the vicious circle of development-security friction. A comprehensive cloud security platform that supports all security stakeholders – DevOps, DevSecOps, IAM, and security – can help eliminate organizational friction and finally allow DevOps and security to work together.
The post Facing the Shift-Left Security Conundrum: A True Story appeared first on Ermetic.
*** This is a syndicated blog from the Security Bloggers Network of Ermetic, written by the Ermetic team. Read the original post at: https://ermetic.com/blog/cloud/facing-the-shift-left-security-conundrum-a-true-story/