Light Dark
May 22, 2015 By Cathal O'Donovan
Richard O'Mahony
3 min read
Cloud Security

By their nature, DevOps and software-as-a-service (SaaS) are circular processes of planning, developing and operating. This process allows us to continually improve our security posture by leveraging the capabilities of our security assets along with the knowledge of our security professionals.

Therefore, it’s important to build security thinking into each of our development phases.

Planning Stage

Threat modeling and risk assessment should occur early in the life cycle. Threat modeling requires engineers to understand what assets they have, how they interact and how they are managed. This allows you to identify, rate and remediate during development. Common questions that must be addressed during this stage include:

  • What data are we collecting?
  • How will we protect the data against internal and external attack?
  • What is the security posture of the environment in which we add our new features?
  • What have we learned from our previous deployment?
  • What are some of the security challenges encountered?

Development Stage

The second stage, development, focuses on the best implementation practices for secure engineering. You’ll have to:

  • Implement the encryption and protection models selected in planning.
  • Integrate automated security scans into development processes and share the results.
  • Engage ethical hacking groups to complete penetration testing.
  • Consider how hackers could use exposed APIs and logging information in the new tools adopted for continuous delivery.
  • Educate technical teams to consider security risk in all aspects of development, including APIs, data protection and more.

Operations Stage

In the third stage, professionals emphasize security monitoring and incident response. You now own the network and the machines in which the new feature works, so it’s essential to guarantee everything is secure. This requires a lot of effort on your part since you must:

  • Review the new data gathered to ensure it is protected in line with controls.
  • Consider how the new features impact your security posture, including what internal and external sources now have access.
  • Verify that the growing inventory of machines are hardened to the latest patch levels and remediated against known vulnerabilities.
  • Understand who has access to what systems and regularly review business needs to adjust this access accordingly.
  • Certify that privileged or high-risk activities are managed at a privileged level.
  • Ensure the workstations operators use are secure.
  • Invest in building capabilities that give a real-time view into system compliance.
  • Feed back vulnerability information to the next product cycle.
  • Conduct regular security scans of your network for vulnerabilities and share the results.
  • Employ constant review of the logging and monitoring of security events.
  • Be open to review the processes in an agile manner as the business needs change.
  • Apply a practical approach to incident management. Important items to consider include establishing segregation of duties, understanding the environment, having runbooks and identifying key log files for root cause analysis. It’s also important to share any incidents with all stakeholders.
  • Be transparent about threats encountered and celebrate those that are successfully defended against.

By continuously securing the new feature, you can identify vulnerabilities early and manage the risk. The effort required to apply security after the fact grows exponentially in a continuous delivery model where code and machines change constantly. By having a robust, secure infrastructure in place, you can help protect the brand.

DevOps Evolves to Meet Security Needs

DevOps and SaaS allow the development community access to what clients are using software for like never before. But now that the data center has moved, security is all our responsibility.

Security posture and DevOps should not be at odds; the success of the company is the end goal for both. In fact, DevOps should enable us to increase our security posture through quick reaction times — and success will be dependent on it.

By embracing automation, building on known secure infrastructure and building in security compliance, developers can continue to deliver as the business needs. DevOps gives us an opportunity to be proactive about security.

This is a maturity curve. We as brands are at various levels, and we need to understand where we are to build a plan that increases our security maturity level. We must invest in the best-of-breed solutions for our services by leveraging and improving our own security assets in this new space.

 |  |  |  | 
Cathal O'Donovan
DevOps Manager, IBM
Richard O'Mahony
Senior Engineer, IBM Security

More from Cloud Security
December 18, 2024

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

December 4, 2024

Cloud threat report: Possible trend in cloud credential “oversaturation”

3 min read - For years now, the dark web has built and maintained its own evolving economy, supported by the acquisition and sales of stolen data, user login credentials and business IP. But much like any market today, the dark web economy is subject to supply and demand.A recent X-Force Cloud Threat Landscape Report has shed light on this fact, revealing a new trend in the average prices for stolen cloud access credentials. Since 2022, there has been a steady decrease in market…

November 14, 2024

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature