Page 30 - Cyber Defense eMagazine April 2021 Edition
With the advent of Infrastructure-as-Code (IaC), developers are
provisioning cloud infrastructure and taking responsibility for
infrastructure changes. This means developers have full control,
owning the entire application stack along with the infrastructure
stack. Essentially, IaC enables developers to become more autonomous
and agile. A developer can easily spin up a production-like cloud
environment in a matter of minutes, both at scale and in a repeatable
fashion. For many, IaC is a path to self-service IT, empowering your
developers to innovate at unprecedented speed.
Cloud Security Breaches Are Costly
While speed is inarguably of the essence, how do you ensure the cloud
environment is secure? Do your developers have enough cloud security
expertise that they are not bypassing certain security policies?
The 2020 Cost of a Data Breach report by the Ponemon Institute found
that cloud misconfigurations were the most common causes of malicious
breaches among organizations studied. According to the study, the
average cost of a breach due to cloud misconfigurations was $4.41
million. Incidentally, Gartner also noted that there is more risk from
cloud infrastructure misconfiguration than from workload compromise.
Evidently, infrastructure security in the cloud is a serious matter;
this makes the decision between speed and governance hard.
Why should you have to compromise speed for security, or vice versa?
Is it possible to find the right balance between governance and speed?
Legacy Approaches to Security Programs Hinder Agile Delivery
The challenge is that security is often perceived as a drag on the
required speed and agility of deployment. This is because legacy
security programs happen too late in the development cycle. After the
infrastructure is deployed, you tack on security scans at the end of
the delivery process. If security issues are found, developers
inevitably spend significant time and energy investigating them,
which delays the launch. The problem is exacerbated by the fact that
these security issues often turn out to be false positives, causing
tremendous frustration to the developers. Issues uncovered that late
in the cycle are expensive to fix, creating unnecessary stress and
slowing delivery. All too often, organizations end up opting for
faster delivery by delaying security fixes, at the expense of
security.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.