Cloud Security for novices (who are no dummies)
By Shakti Ashirvad
HP Cloud Security Advocate
Often “security” is a discussion done behind closed doors. It is an enigma, portrayed with images of dimly lit rooms where faceless hackers stare at monitors, scrolling gibberish. But Hollywood got it all wrong! The reality of Cloud Security is far less enigmatic than such portrayals.
I recently took on the role of "Cloud Security advocate" for HP's Device-as-a-Service (DaaS) team. Preparing a team to be interested in security is a daunting task, especially when the team's focus is on delivering software. In this post -- the first in a series -- I will share how to identify your team's security needs and how to prepare your team for engagement.
Chapter 1: Prep your team
Here are some simple steps that will help you get your team engaged in Cloud Security.
Training and Subject matter expertise
Create awareness of and urgency around security across the whole team, and let everyone share the burden. No amount of advanced tooling, process or compliance certification can replace an architect or developer who understands and focuses on security.
Empower and educate your team to take the security of your product seriously.
Plan dedicated training sessions and workshops on cyber security for the team: at least one for every newcomer, and one a year for developers and architects.
Schedule regular tech talks, and ask all team members to contribute.
Point out the many training resources available online at YouTube, Khan Academy and Coursera; much of it is free.
Software Development Life Cycle – Make it part of your process
You must tweak your development process to include key security gates such as architecture reviews, code reviews, and penetration or security testing.
Assign a security and privacy advocate who leads by example.
Align your release process to include at least one security architecture review and one security code review, each done by someone outside the scrum team that writes the code.
Implement automated code scanning in your build pipeline, and religiously fix all critical and high-priority issues.
Make penetration testing mandatory for all critical features that expose external interfaces.
Keep the process lightweight; otherwise people will find excuses not to follow it.
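The build-pipeline gate mentioned above, as an added example (not code from the original post or from HP's DaaS team). It assumes a simple, scanner-agnostic JSON report shape, constructed below; a real scanner's output (SARIF or tool-specific JSON) would need a small adapter that maps its fields onto id, severity, rule, file and line. The suppression list is likewise an assumption: it shows one way to let the team record a justified exception without it silently becoming permanent.

```python
"""Build-pipeline gate that fails the build on critical/high scanner findings.

Added example, not code from the original post or from HP's DaaS team.
The report and suppression shapes are constructed assumptions; a real
scanner's output would be adapted into them.
"""
import json
import sys
from datetime import date

# Severities that block a build. Medium/low are tracked but do not fail it.
BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed sample scanner report; the findings are illustrative, not real.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "rule": "sql-injection", "severity": "critical",
         "file": "api/orders.py", "line": 88},
        {"id": "F-2", "rule": "hardcoded-secret", "severity": "high",
         "file": "config/settings.py", "line": 12},
        {"id": "F-3", "rule": "weak-hash-md5", "severity": "medium",
         "file": "util/checksum.py", "line": 4},
        {"id": "F-4", "rule": "missing-https", "severity": "high",
         "file": "tests/fixture_server.py", "line": 30},
    ]
})

# Constructed suppression list. A suppression only counts if it carries a
# written justification and has not expired, so exceptions cannot linger.
SAMPLE_SUPPRESSIONS = [
    {"id": "F-4", "reason": "test-only fixture, never deployed",
     "expires": "2024-06-30"},
]


def active_suppressions(suppressions, today):
    """Return the finding ids whose suppression is justified and unexpired."""
    active = set()
    for s in suppressions:
        if not s.get("reason", "").strip():
            continue  # unjustified suppressions are ignored
        if date.fromisoformat(s["expires"]) < today:
            continue  # expired: the finding becomes blocking again
        active.add(s["id"])
    return active


def evaluate(report_json, suppressions=(), today=None):
    """Decide whether the build passes.

    Returns (passed, blocking), where blocking lists the findings that
    caused a failure, sorted so critical issues come first.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = json.loads(report_json)["findings"]
    suppressed = active_suppressions(suppressions, today)
    blocking = [
        f for f in findings
        if f["severity"].lower() in BLOCKING_SEVERITIES and f["id"] not in suppressed
    ]
    order = {"critical": 0, "high": 1}
    blocking.sort(key=lambda f: (order[f["severity"].lower()], f["id"]))
    return len(blocking) == 0, blocking


def main():
    # In a real pipeline the report is read from the scanner's output file
    # and a non-zero exit code fails the CI job.
    passed, blocking = evaluate(SAMPLE_REPORT, SAMPLE_SUPPRESSIONS, "2024-03-05")
    for f in blocking:
        print(f"[{f['severity'].upper()}] {f['rule']} at {f['file']}:{f['line']} ({f['id']})")
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)


if __name__ == "__main__":
    main()
```

Run as the last step of the build; the non-zero exit code is what makes the pipeline red. The expiry date on each suppression is the important design choice: once it passes, the finding blocks the build again and someone has to either fix it or consciously renew the exception.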
Operations and Deployment Process
Operations is a key building block and a major source of security breaches. Most information security standards, such as ISO 27001, deal largely with controls around operations. Keep the roles and access of the DevOps team separate from those of developers, and keep the development environment separate from production. Keep the production environment isolated and authorized only to a very few people from the operations team.
Access permissions to the production system must be reviewed regularly.
Create a playbook for all important operations.
Have a well-documented disaster recovery strategy.
Have a security incident playbook: when you detect a breach, you need clear instructions to follow.
It is not mandatory to hold any of these compliance certifications. However, achieving an ISO certification such as ISO 27001 requires the team to seriously introspect the risk areas within a project and take mitigation steps. For example, ISO 27001 mandates documenting assets and designating owners so they can be reached in case of a disaster. It is a simple yet effective guideline.
It is always recommended to go for one of these, because the process can catch serious shortcomings in product security.
Once the team has the process and the knowledge, it can select a set of tools and focus on specific areas to achieve its goal. We will cover both of these topics in the next chapter.