Cloud Security for novices (who are no dummies)

By Shakti Ashirvad
HP Cloud Security Advocate

Too often, “security” is a discussion held behind closed doors. It is an enigma, portrayed with images of dimly lit rooms where faceless hackers stare at monitors scrolling gibberish. But Hollywood got it all wrong! The reality of cloud security is far less enigmatic than such portrayals.

I recently took on the role of "Cloud Security Advocate" for HP's Device-as-a-Service (DaaS) team. Getting a team interested in security is a daunting task, especially when the team's focus is on delivering software. In this post, the first in a series, I will share how to identify your team's security needs and how to prepare your team for engagement.


Chapter 1: Prep your team

Here are some simple steps that will help you get your team engaged in Cloud Security.

Training and Subject matter expertise

Create awareness of, and urgency around, security across the whole team. Let everyone share the burden. No amount of advanced tooling, process or compliance certification can replace an architect or developer who understands and focuses on security.

  • Empower and educate your team to take the security of your product seriously.

  • Plan dedicated training sessions and workshops for the team around cyber security: at least once for every newcomer and once a year for developers and architects.

  • Schedule regular tech talks, and ask all team members to contribute.

  • Point out the wealth of training available online at YouTube, Khan Academy and Coursera. Much of it is free.


Software Development Life Cycle – Make it part of your process

You must adjust your development process to include key security activities such as architecture reviews, code reviews, and penetration or security testing.

  • Assign a security and privacy advocate who leads by example.

  • Align your release process to include at least one security architecture review and one security code review performed by someone outside the scrum team that writes the code.

  • Implement automated code scanning utilities in your build pipeline. Religiously fix all critical- and high-priority issues.

  • Make penetration testing mandatory for all critical features that expose external interfaces.

  • Keep the process lightweight. Otherwise people will find excuses not to follow it.
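The "fix all critical and high issues" bullet above is easiest to enforce as a gate in the pipeline rather than as a rule people remember. The script below is an added example, not code from the original post or from HP: it reads a scanner report, fails the build on any critical or high finding, and honours accepted-risk exceptions only while they have an owner and have not expired. The JSON layout of the report and the exception list are constructed for the example and do not match any particular scanner's output format.

```python
"""Build-pipeline severity gate (added example, not from the original post).

Assumes a scanner that emits findings as JSON with "id", "severity" and
"location" keys. That layout is constructed for illustration and is not
any specific tool's output format.
"""
import json
import sys
from datetime import date

# Severities that block a build unless an unexpired exception covers them.
BLOCKING = {"critical", "high"}

# Constructed scanner report for the example.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "RULE-001", "severity": "critical", "location": "api/auth.py:42"},
    {"id": "RULE-002", "severity": "high", "location": "api/upload.py:17"},
    {"id": "RULE-003", "severity": "medium", "location": "web/forms.py:8"},
    {"id": "RULE-004", "severity": "high", "location": "tools/legacy.py:3"},
]})

# Constructed accepted-risk exceptions. Each one must name the finding, an
# owner and an expiry date, so that "temporary" exceptions cannot live forever.
SAMPLE_EXCEPTIONS = [
    {"id": "RULE-004", "location": "tools/legacy.py:3", "owner": "sec-advocate",
     "expires": "2099-01-01", "reason": "module scheduled for removal"},
]


def load_findings(report_json):
    """Parse the scanner report and return its list of findings."""
    return json.loads(report_json).get("findings", [])


def is_excepted(finding, exceptions, today):
    """True only if a matching exception exists, names an owner, and has not expired."""
    for ex in exceptions:
        if ex["id"] == finding["id"] and ex["location"] == finding["location"]:
            return bool(ex.get("owner")) and date.fromisoformat(ex["expires"]) >= today
    return False


def gate(report_json, exceptions, today=None):
    """Return (passed, blocking_findings) for one scanner report.

    A finding blocks the build when its severity is critical or high and no
    valid exception covers it. Lower severities are reported but never block.
    """
    today = today or date.today()
    blocking = []
    for finding in load_findings(report_json):
        if finding["severity"].lower() not in BLOCKING:
            continue
        if is_excepted(finding, exceptions, today):
            continue
        blocking.append(finding)
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_REPORT, SAMPLE_EXCEPTIONS)
    for f in blocking:
        print(f"BLOCK {f['severity'].upper():8} {f['id']} at {f['location']}")
    print("gate:", "pass" if passed else "fail")
    # A non-zero exit status is what makes the pipeline stage fail.
    sys.exit(0 if passed else 1)
```

Wire the script in as the last step of the scan stage so the exit status decides whether the build proceeds. Keeping the exception list in the repository, reviewed like any other change, gives the security advocate a single place to see which risks the team has consciously accepted and when each one comes due.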


Operations and Deployment Process

Operations is a key building block and a major source of security breaches. Most information security standards, such as ISO 27001, deal with controls around operations. It is important to keep the roles and access of the DevOps team separate from those of developers, and to keep the developer environment separate from production. Keep the production environment isolated and authorized for only a very few people from the operations team.

  • Access permissions to the production system must be reviewed regularly.

  • Create a playbook for all important operations.

  • Have a disaster recovery strategy, and document it well.

  • Have a security incident playbook: when you detect a breach, you need clear instructions to follow.
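The regular access review called for above is a good candidate for a small script the operations lead runs each cycle, so the review produces a concrete list rather than a meeting. The code below is an added example, not from the original post or from HP: it compares an export of current production grants against an approved roster and flags anyone not on the roster, any developer holding production access, and any grant that has gone unused for more than 90 days. The grant export, the roster, the team names and the 90-day threshold are all constructed assumptions for the example; a real review would read the export from the cloud provider's identity service.

```python
"""Production access review (added example, not from the original post).

Assumes an exported list of production access grants and an approved roster
kept by the operations lead. Both are constructed here for illustration and
do not follow any real cloud provider's export format.
"""
from datetime import date, timedelta

# A grant that has not been used within this window is flagged as stale.
STALE_AFTER = timedelta(days=90)

# Constructed export of who currently holds access to production.
GRANTS = [
    {"user": "alice", "role": "prod-admin", "team": "ops", "last_used": "2024-03-01"},
    {"user": "bob", "role": "prod-admin", "team": "dev", "last_used": "2024-02-20"},
    {"user": "carol", "role": "prod-readonly", "team": "ops", "last_used": "2023-10-05"},
    {"user": "dave", "role": "prod-admin", "team": "ops", "last_used": None},
]

# Constructed approved roster: the people allowed to hold each production role.
APPROVED = {
    "prod-admin": {"alice", "dave"},
    "prod-readonly": {"carol"},
}


def review(grants, approved, today, ops_team="ops"):
    """Return (user, role, reason) tuples for every grant that needs action.

    One grant can produce several findings, e.g. a developer who is also
    missing from the roster.
    """
    findings = []
    for grant in grants:
        user, role = grant["user"], grant["role"]
        if user not in approved.get(role, set()):
            findings.append((user, role, "not on approved roster"))
        if grant["team"] != ops_team:
            findings.append((user, role, "developer holds production access"))
        last_used = grant["last_used"]
        if last_used is None:
            findings.append((user, role, "never used"))
        elif today - date.fromisoformat(last_used) > STALE_AFTER:
            findings.append((user, role, f"unused for more than {STALE_AFTER.days} days"))
    return findings


def unexpected_users(grants, approved):
    """Return users who hold a role the roster does not list at all."""
    return sorted({g["user"] for g in grants if g["role"] not in approved})


if __name__ == "__main__":
    for user, role, reason in review(GRANTS, APPROVED, date(2024, 3, 15)):
        print(f"{user:8} {role:15} {reason}")
```

Treat every line of the output as a ticket: either the grant is removed, or the roster is updated with a justification. Running the same script before and after the review also gives the evidence an auditor will ask for when checking the access-control requirements in a standard such as ISO 27001.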


Compliance

It is not mandatory to hold any of these certifications. However, achieving one of them requires that the team seriously examine the risk areas within a project and take mitigation steps. For example, ISO 27001 mandates documentation of assets and designation of owners, so that they can be reached in case of a disaster. It is a simple yet effective guideline.

I always recommend going for one of them. They can catch some serious shortcomings in product security.

ISO 27001 definition:
https://whatis.techtarget.com/definition/ISO-27001

SOC 2 definition:
https://searchcloudsecurity.techtarget.com/definition/Soc-2-Service-Organization-Control-2

Once the team has the process and the knowledge, it can select a set of tools and focus on specific areas to achieve its goal. We will cover both of these topics in the next chapter.


Shakti Ashirvad is a security expert, architect and coder for HP in Houston, Texas. At work he wears the title Engineering Manager - Cloud Software. Shakti came to HP from Samsung Research Americas where he worked in the KNOX R&D Lab on enterprise mobility, BYOD, and Android security for Samsung Mobile Devices. One of his proudest achievements was launching the KNOX Configure and KNOX Mobile Enrollment around the world. Outside of work, Shakti's interests include traveling, reading fiction, and playing Age of Empire.

Author : shakti.ashirvad

Hey Shakti, this is really good information for starting a cloud security implementation. Please share the link for the next chapter!!