Securing the Cloud and the Case for Shift Left Security

Enterprises are diving headfirst into the cloud as they seek to leverage its inherent scalability, flexibility, and breadth of features to roll out new capabilities and services faster than before. But moving to the cloud does not absolve organizations of their cybersecurity role, observes Siddharth Deshpande, field chief technology officer at Palo Alto Networks.

While there is no question that the cloud paradigm offers increased efficiency and new opportunities for innovation, it also throws up unique security challenges for IT leaders and CISOs. For example, can the old systems and methods cope with the radically different cloud environment, and who exactly is responsible for securing the cloud?

The new face of cloud security

“A good cloud security posture is about understanding the shared responsibility model,” explained Deshpande. He noted that responsibilities differ depending on whether the organization was adopting a Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), or Platform-as-a-Service (PaaS) strategy to their cloud adoption. In some cases, the potential attack surface that organizations must now secure could be larger than expected.

“Most organizations thinking of cloud security are referring to their IaaS and PaaS environments. In that context, everything above the infrastructure layer, which is the application, deployment, configuration, including virtual machines or containers, is the customer's responsibility,” said Deshpande.

He ticked off examples: “If you have an application in the cloud with an open API exposed to the public Internet, securing the API is your responsibility as a customer. If you’re deploying a containerized cloud-native application developed using a microservice architecture, then the security of your application both during the build and deploy phases is your responsibility.”

As businesses move away from traditional bare-metal server deployments and virtual machines to fully harness the advantages of the cloud, these new areas must be secured, too. For example, as organizations turn to declarative infrastructure, care must be taken to address the possibility of misconfiguration stemming from mistakes in the infrastructure as code and amplified in the cloud.

“Let’s say you make one small error in the configuration template for an S3 cloud storage bucket. If you have fifty S3 buckets, for example, then your error is multiplied fifty times,” said Deshpande. The solution, he added, lies with addressing security at the earliest possible point in the development process, rather than as an afterthought or as the final step.

Adopting shift left security

“That's where we start talking about the concept of ‘shift left’ security, which is bringing security to these infrastructures, code tools, and infrastructure code templates before the deploy phase. If you can scan your infrastructure as code templates for configuration errors for security flaws, and if you can catch them earlier on in the cycle, then you can improve your security posture consistently,” said Deshpande.

According to him, Palo Alto Networks has seen significant interest from developers, operations teams, and the DevOps community in shift left security.

“It's the entire spectrum of people that are responsible for developing and deploying an application in the public cloud. Developers have a vested interest in exploring this because the security team will often come in after the applications have already been built or deployed with recommendations to protect potential vulnerabilities. Now, with what Gartner calls CNAPP (Cloud Native Application Protection Platforms), developers can access security recommendations from tools that integrate into their version control systems, repositories, and CI/CD pipeline software. This is a win for both developers and security teams,” he added.

So how can organizations position themselves for success with shift left security? The first thing would be to get started quickly, says Deshpande, by implementing the methodology on one project first. “Try to start with a test case and implement something interesting in that project first. Start with initial cases that may not span your entire organization right at the beginning. Then [evaluate] the responses of your team because every organization's context is different. Use the availability of tools that let you shift left and spark a conversation.”

Security is a team effort

Ultimately, successful organizations treat cloud security as a team effort that involves cross-functional internal teams and strong partnerships with security specialists and cloud providers. “I think it is a team sport because the security team has to be an enabler and a facilitator of secure outcomes for the organization. At the same time, developers are tasked with building and rolling out capabilities quickly. It is about arriving at a common vision of security and getting there.”

Does it mean that security teams are less relevant today? Hardly, says Deshpande. “The security team has overall visibility of the threat landscape, which includes things that developers may not be responsible for, such as permissions, network security configurations, data security, and overall governance. They need to take this telemetry, feed it into the Security Operations Centre and get the ability to respond to incidents as they happen.”

However, Deshpande notes that security teams also need to “disaggregate” some of these security capabilities and plug them into developer tools as part of the shift left paradigm. “The idea is to show them that there is good information that is given to them as they are building the application and committing code,” he summed up.

Paul Mah is the editor of DSAITrends. A former system administrator, programmer, and IT lecturer, he enjoys writing both code and prose. You can reach him at [email protected].​

Image credit: iStockphoto/KanawatTH