Last updated on February 4th, 2023 at 2:48pm
We recently partnered with NASA Goddard Space Flight Center and EITR Technologies to deliver a webinar with the Cloud Security Alliance. In Shift Left and Shift Down in the Cloud, we covered examples of shifting left and shifting down in the cloud to improve and automate security.
Shift left describes the process and tactics that teams use to move security testing earlier in the development process. But shifting left isn't enough for security in the cloud because it leaves opportunities for automation on the table. And automation matters because it gives you the ability to scale in a cost- and time-effective manner. Shifting down happens when you put in place boundaries around operations in the cloud and then let team members get the work done. In this recap, get the highlights of the webinar, see examples of shift left and shift down, and discover free tools you can start using now.
Table Stakes: Shift-Left Security in the Cloud
As organizations move more workloads to the cloud, security is top of mind. Organizations want to enable teams to use the cloud to drive agility and innovation but have concerns about remaining secure and compliant in the process.
Shift left is a recognized tactic to improve your security posture. The goal is to find and prevent defects early in software development, thereby improving quality and preventing bad surprises later. For many teams, shifting left is the minimum entry requirement for secure cloud operations.
However, surveys continue to highlight that security is a top concern, and data such as the FireMon survey results below show that security automation is lacking.
The poll that we ran at the start of the webinar confirms the above data.
Security Automation Webinar Q&A
Q:
How would you assess your organization's maturity on automating security efforts in public IaaS cloud environments?
A:
70% of respondents indicated they had some or no security automation.
Shift left remains an important component, but how can you introduce more automation into cloud security to achieve greater value?
What is Shift-Down Security in the Cloud?
We think shift-down security will increasingly become part of how many teams operate in the cloud.
Shift-down security occurs when you establish the boundaries developers can work within without hampering productivity and innovation. One example would be establishing baseline infrastructure for a cloud account versus training your team on this activity. In this example, you provide the boundaries and the baseline, and users have the autonomy to get the work done, with the assurance that the work to properly set up environments has been taken care of. The result is greater automation and the ability to scale to get full value out of your cloud investments.
Our webinar panelists provided their experience on security automation, templatizing security to shift down, and using tools for security automation in the cloud.
Identifying Automation Opportunities
Nicholas Hughes, CEO at our partner EITR Technologies, focused on identifying and implementing automation opportunities to ensure security without labor-intensive efforts. He advocated for everything-as-code, including:
- Infrastructure as Code, including CloudFormation, Azure Deployment Templates / Blueprints, Terraform, Ansible, Idem, etc.
- Configuration Management
- Security/Compliance as Code
His tips for implementing security automation:
- Create and roll out a templatized approach to security that gives cloud teams autonomy and jumpstarts development.
- Scan what you can pre-deployment.
- Think of guardrails as your friend (and, for bonus points, implement guardrails based on events you visualize).
Shifting Security Down at NASA
Joe Foster, cloud computing program manager at NASA, Goddard Space Flight Center, shared the templatized approach his team has taken to supporting his customers within Goddard. The Goddard Commercial Cloud (GCC) Mission Cloud Platform (MCP) adds management layers to commercial cloud services, giving organizations across NASA the power of the cloud without the added management responsibilities. Joe's team provides a template with building blocks of VPCs, IAM roles, AMIs, and monitoring tools.
His team delivers the following for internal customers:
- Onboarding to help tenants quickly obtain and use cloud services.
- Billing support to monitor charges from cloud service providers and provide a detailed invoice to tenants.
- A secure architecture and management tools to standardize protections, reducing the burden of security for tenants.
- Guidance and support to tenants to help design and build cloud solutions to meet their requirements.
- Common tools that organizations can use for software development, project management, and collaboration. This reduces costs through economies of scale and helps the Agency standardize on a limited set of tools.
- Cost management tools to monitor costs, alert tenants as they approach budget limits, and prevent tenants from exceeding available funds.
We're proud to count Joe's team as a cloudtamer.io customer.
How to Get Started with Shifting Security
We ran through a list of both cloud service provider (CSP) and open-source solutions to shift left and shift down.
CSPs are heavily invested in helping to give consumers a secure experience in the cloud and they offer a number of security-centered services such as the AWS Key Management Service (KMS), AWS GuardDuty, Amazon Detective, Azure Sentinel, and Google Cloud Security Command Center.
There's also a strong open-source community around security in the cloud. These tools are accessible, free, and easily customizable. Here are a few great examples.
Four Free Tools to Help You Shift
- Cfn-guard is a new open-source command line interface (CLI) that helps enterprises keep their AWS infrastructure and application resources in compliance with their company policy guidelines. Cfn-guard provides compliance administrators with a simple, policy-as-code language to define rules that can check for both required and prohibited resource configurations. It enables developers to validate their CloudFormation templates against those rules. Cfn-guard helps enterprises minimize risks related to overspending on operating costs, security vulnerabilities, legal issues, and more. For example, administrators can create rules to ensure that developers always create encrypted Amazon S3 buckets.
- Parliament, an IAM linter, is another great open-source solution. Here's a great use case for Parliament.
- Cloud networking is hard: how do you audit what your security groups are allowing access to? The AWS Security Viz open-source tool builds a graph of your security groups and visually shows access patterns.
- Last but not least, Cloud Custodian, the open-source, multi-cloud policy engine. We like Cloud Custodian so much that we integrated it into cloudtamer.io.
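To make the pre-deployment scanning idea concrete, here is an added example (not code from the webinar, cfn-guard, or any of the tools above) of a minimal policy-as-code check written in Python. It parses a CloudFormation template and enforces two rules of the kind cfn-guard expresses: every S3 bucket must declare default server-side encryption, and no security group may allow ingress from the whole internet. The template it scans is constructed for the example; the rule names and functions are assumptions, not part of any real tool.

```python
# Added example: a minimal policy-as-code scan of a CloudFormation template,
# in the spirit of the cfn-guard "always encrypt S3 buckets" rule above.
import json

# Constructed sample template (not a real deployment): one encrypted bucket,
# one unencrypted bucket, and a security group that opens SSH to the world.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "GoodBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "admin access", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}}
  }}""")

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def check_bucket_encryption(name, props):
    """Rule 1: at least one ServerSideEncryptionByDefault entry must be present."""
    cfg = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any("ServerSideEncryptionByDefault" in rule for rule in cfg):
        return [f"{name}: S3 bucket has no default server-side encryption"]
    return []

def check_sg_ingress(name, props):
    """Rule 2: flag any ingress rule whose source CIDR is the whole internet."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr in WORLD_CIDRS:
            findings.append(f"{name}: {rule.get('IpProtocol')} "
                            f"{rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}")
    return findings

# Map resource types to the rule that applies; other resource types pass through.
CHECKS = {"AWS::S3::Bucket": check_bucket_encryption,
          "AWS::EC2::SecurityGroup": check_sg_ingress}

def evaluate(template):
    """Run every applicable rule; return findings (an empty list means compliant)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings

if __name__ == "__main__":
    # In a pipeline, any finding should fail the build before deployment.
    print("\n".join("FAIL " + f for f in evaluate(SAMPLE_TEMPLATE)) or "PASS")
```

Run against the constructed template it reports the unencrypted bucket and the world-open SSH rule while leaving the compliant bucket and the internal-only HTTPS rule untouched.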