In the early years of IT, security was often an afterthought. Take email, for instance; since its inception, it has had layers of security patched on like an old but much-loved pair of jeans. Its creators could barely have imagined how integral email would become to our lives, or how attackers, spoofing your email address, would try to defraud you.
Over the years, attackers have become more and more sophisticated, culminating in the SolarWinds supply-chain attack disclosed at the end of last year and, more recently, the global compromise of on-premises Microsoft Exchange Servers, which put over a hundred thousand businesses at risk.
There is no doubt that cloud technologies are hugely powerful, but their distributed nature makes them complex and difficult to secure. As a result, automation is the only serious way to manage cloud at scale. Today this is achieved with Infrastructure-as-Code (IaC), but IaC introduces yet another threat vector: misconfiguration.
According to IDC research commissioned by Ermetic, 8 in 10 companies across the United States have experienced a data breach related to misconfiguration of their cloud systems. Of the 300 CISOs that participated in the survey, security misconfiguration was the top concern associated with cloud production environments.
Moving away from a traditional, centralised datacentre model to a highly scalable, global and distributed cloud approach requires us to re-draw the security battle lines and build defence-in-depth.
Defence-in-Depth Starts by Shifting-Left
Historically, dedicated security teams would review infrastructure designs to ensure they met the security compliance standards of the organisation and provide recommendations and amendments to the architecture and development team.
This process is often time-consuming and doesn’t move at the speed of the cloud, slowing teams down and increasing the cost of the project. The other problem is that cloud systems have become increasingly complex.
With multiple teams working on different parts of a globally distributed infrastructure and the introduction of ephemeral systems, traditional security tools and processes are no longer fit for purpose.
To solve these problems, the security industry has begun advocating a shift-left approach: moving security and compliance checks to the very beginning of the cloud design and deployment workflow, so that security is baked in from the start.
Patching IaC — Code Scanners
IaC promised to be a panacea for the complexity of cloud management by applying the advantages of software engineering: versioning, code reuse, collaboration and automation. In practice, it has also raised the technical barrier to entry.
Engineers now need coding skills to manage and deploy complex cloud infrastructures, and that step-up in required expertise makes it more likely that security misconfigurations are baked into code templates and then copied wherever those templates are reused.
To address this, IaC scanners emerged. They run at the command line or inside CI/CD pipelines so that code templates are checked for issues before they are deployed, shifting security to the left of the workflow and helping keep your infrastructure safe. A scanner can only catch what it has a rule for, so its rule set needs to track current guidance.
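As an added example of what such a scanner does, not code from the original page or from any particular product, here is a minimal policy-as-code check for Azure ARM templates in Python. The sample template, the rule ids, the assumed admin address range and the particular properties checked are all illustrative assumptions; the point is the shape of the thing: load the template, run each rule over each resource, and exit non-zero so the CI job blocks the deploy.

```python
import json
import sys

# Constructed sample ARM template (not taken from the page): a storage account
# that allows anonymous blob access, plain HTTP and TLS 1.0, plus an NSG that
# exposes SSH to the whole internet next to a sensibly scoped HTTPS rule.
SAMPLE_TEMPLATE = {
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-02-01",
         "name": "examplestorage",
         "properties": {"allowBlobPublicAccess": True,
                        "supportsHttpsTrafficOnly": False,
                        "minimumTlsVersion": "TLS1_0"}},
        {"type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2020-11-01",
         "name": "example-nsg",
         "properties": {"securityRules": [
             {"name": "allow-ssh-from-anywhere",
              "properties": {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                             "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
             {"name": "allow-https-from-corp",
              "properties": {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                             "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "443"}}]}},
    ],
}

RISKY_PORTS = {22, 3389}                      # SSH and RDP
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}   # ARM spellings of "from anywhere"
ADMIN_RANGE = "10.0.0.0/8"                    # assumed bastion/VPN range used by harden()

def port_matches(spec: str, port: int) -> bool:
    """True if an NSG destinationPortRange ('*', '22' or '20-25') covers port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def check_storage_account(res: dict) -> list:
    p, name = res.get("properties", {}), res.get("name", "<unnamed>")
    wanted = [  # (rule id, condition that means "misconfigured", fix)
        ("storage-public-blob", p.get("allowBlobPublicAccess", True),
         "set allowBlobPublicAccess to false"),
        ("storage-http-allowed", not p.get("supportsHttpsTrafficOnly", False),
         "set supportsHttpsTrafficOnly to true"),
        ("storage-weak-tls", p.get("minimumTlsVersion") != "TLS1_2",
         "set minimumTlsVersion to TLS1_2"),
    ]
    # An absent setting is flagged as well: leaving it to the platform default
    # is exactly the implicit configuration a scanner should surface.
    return [{"resource": name, "rule": r, "fix": f} for r, bad, f in wanted if bad]

def check_nsg(res: dict) -> list:
    out = []
    for rule in res.get("properties", {}).get("securityRules", []):
        p = rule.get("properties", {})
        if (p.get("direction") == "Inbound" and p.get("access") == "Allow"
                and p.get("sourceAddressPrefix") in ANY_SOURCE
                and any(port_matches(p.get("destinationPortRange", "*"), n) for n in RISKY_PORTS)):
            out.append({"resource": f"{res.get('name')}/{rule.get('name')}",
                        "rule": "nsg-mgmt-port-open-to-internet",
                        "fix": f"restrict sourceAddressPrefix to {ADMIN_RANGE}"})
    return out

CHECKS = {
    "Microsoft.Storage/storageAccounts": check_storage_account,
    "Microsoft.Network/networkSecurityGroups": check_nsg,
}

def scan_template(template: dict) -> list:
    """Run every registered check over every resource; an empty list means clean."""
    findings = []
    for res in template.get("resources", []):
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings

def harden(template: dict) -> dict:
    """Return a copy with the fixes applied, so the same scan comes back clean."""
    fixed = json.loads(json.dumps(template))
    for res in fixed.get("resources", []):
        if res.get("type") == "Microsoft.Storage/storageAccounts":
            res.setdefault("properties", {}).update(
                allowBlobPublicAccess=False, supportsHttpsTrafficOnly=True,
                minimumTlsVersion="TLS1_2")
        elif res.get("type") == "Microsoft.Network/networkSecurityGroups":
            for rule in res.get("properties", {}).get("securityRules", []):
                if rule.get("properties", {}).get("sourceAddressPrefix") in ANY_SOURCE:
                    rule["properties"]["sourceAddressPrefix"] = ADMIN_RANGE
    return fixed

if __name__ == "__main__":  # in CI: python scan_arm.py template.json
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    results = scan_template(template)
    for f in results:
        print(f"[{f['rule']}] {f['resource']}: {f['fix']}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the deploy
```

Run against the sample it reports four findings (three on the storage account, one NSG rule) and exits 1; run against `harden(SAMPLE_TEMPLATE)` it reports nothing. Real scanners differ mainly in the size of the rule set and in handling the full template grammar (parameters, `destinationPortRanges` lists, nested deployments), not in this basic loop.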
Whilst code scanners can flag security issues with IaC, engineers still need the technical expertise to write IaC in the first place, making the adoption of shift-left security much more difficult.
Draw Don’t Code — Cloud Maker Overwatch
Enter Diagram Driven Infrastructure, or DDI. Now there is a new, much easier way to automate the design, security validation and deployment of cloud systems without wrestling with IaC.
Instead of working directly with code templates, which are hard to write and become challenging to maintain, DDI allows the cloud infrastructure to be modelled visually. This gives engineers a detailed view of all pieces of a cloud environment in a single pane of glass. DDI makes shifting the security of your infrastructure left as easy as drawing a diagram.
Cloud Maker's built-in Overwatch security scanner checks a cloud diagram in real time as you draw, visualising security issues across the whole system and providing guidance on the best way to fix them.
Overwatch takes the latest security guidance from the likes of Microsoft and CISA and turns these into security definitions, which are applied to your Cloud Maker diagram as you draw and configure.
Cloud Maker and Overwatch are part of a new generation of automation technologies that takes all the lessons learnt from IaC and shift-left security and bakes them into a next-generation interface to the cloud.
Azure Sentinel — Protecting Your Right Flank
While Cloud Maker Overwatch makes taking a shift-left approach easy, it’s still critical to maintain real-time security scanning of live environments to monitor for rapidly emerging threats.
This is where Security Information and Event Management (SIEM) comes in. Historically, SIEM meant shipping security logs into a central store and querying that data for attack-related events.
With the sheer volume of data produced by modern, highly complex cloud systems, hand-written queries alone do not scale; monitoring, detection and response have to be automated, with machine learning used to surface the anomalies a fixed rule would miss.
One such platform is Azure Sentinel, a cloud-native SIEM that provides real-time analytics and automated response to security incidents. Underpinned by the scale of Microsoft Azure and Microsoft's AI expertise, Sentinel can ingest and process very large volumes of security data in near real time.
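To make the "query the logs for attack-related events" step concrete, here is an added example of a classic SIEM detection, password spraying (one source address failing against many different accounts in a short window), written over constructed sign-in records. This is not Azure Sentinel code: Sentinel expresses analytics rules in KQL (Kusto Query Language), and the same logic would be a short `summarize dcount(...) by IPAddress, bin(TimeGenerated, 10m)` there. The record layout, thresholds and sample data are all assumptions; result code 50126 is the Azure AD code for a bad username or password and is used only to make the sample look familiar.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real logs): (timestamp, account, source IP,
# result code). Result 0 is success; 50126 is Azure AD's bad-password code.
SAMPLE_SIGNINS = [
    ("2021-03-15T09:00:01Z", "alice@example.com", "203.0.113.7", 50126),
    ("2021-03-15T09:00:45Z", "bob@example.com",   "203.0.113.7", 50126),
    ("2021-03-15T09:01:30Z", "carol@example.com", "203.0.113.7", 50126),
    ("2021-03-15T09:02:10Z", "dave@example.com",  "203.0.113.7", 50126),
    ("2021-03-15T09:02:55Z", "erin@example.com",  "203.0.113.7", 50126),
    ("2021-03-15T09:03:40Z", "frank@example.com", "203.0.113.7", 50126),
    ("2021-03-15T09:06:00Z", "frank@example.com", "203.0.113.7", 0),       # the spray found a valid password
    ("2021-03-15T09:04:00Z", "grace@example.com", "10.1.2.3",    50126),   # a user mistyping her own password
    ("2021-03-15T09:04:20Z", "grace@example.com", "10.1.2.3",    50126),
    ("2021-03-15T09:04:40Z", "grace@example.com", "10.1.2.3",    0),
    ("2021-03-15T09:05:00Z", "heidi@example.com", "198.51.100.9", 50126),  # single-account brute force, not a spray
    ("2021-03-15T09:05:10Z", "heidi@example.com", "198.51.100.9", 50126),
    ("2021-03-15T09:05:20Z", "heidi@example.com", "198.51.100.9", 50126),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window_minutes: int = 10, min_accounts: int = 5) -> dict:
    """Return {source_ip: [accounts targeted]} for every IP whose failed sign-ins
    hit at least `min_accounts` distinct accounts inside any `window_minutes`
    span. The threshold is applied to a sliding time window rather than to the
    whole log, because what makes a spray a spray is many accounts in a short time."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, account, ip, result in records:
        if result != 0:
            failures[ip].append((parse_ts(ts), account.lower()))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        in_window = defaultdict(int)  # account -> failures currently inside the window
        start = 0
        for ts, account in events:
            in_window[account] += 1
            while ts - events[start][0] > window:  # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                hits[ip] = sorted({a for _, a in events})
                break
    return hits


def successes_from_spray_sources(records, spray_ips) -> set:
    """Accounts that signed in successfully from a flagged IP: the ones to reset first."""
    return {account.lower() for _, account, ip, result in records
            if result == 0 and ip in spray_ips}


if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_SIGNINS)
    for ip, accounts in hits.items():
        print(f"password spray from {ip}: {len(accounts)} accounts targeted")
    for account in successes_from_spray_sources(SAMPLE_SIGNINS, hits):
        print(f"likely compromised: {account}")
```

On the sample this flags 203.0.113.7 (six accounts in under four minutes) and names frank@example.com as the account to reset, while grace's typos and the single-account brute force against heidi stay below the distinct-account threshold. Tightening the window to one minute clears the hit, which is the knob a detection engineer tunes against real baseline traffic.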
Cloud Maker combined with Azure Sentinel is a powerful capability that not only lets you shift left but ensures you continue to protect your right flank.
The Path to DevSecOps
DDI makes complex cloud systems manageable and makes shifting security left easy. Cloud systems can be drawn as a diagram and configured visually, and automated security checks like those provided by Cloud Maker Overwatch can then ensure that security issues are detected and resolved before they ever reach a deployment.
When shift-left security is combined with real-time monitoring like Azure Sentinel, you have multi-layered threat detection over the entire life cycle of the system, so threats are mitigated as early as possible and the chances of a breach are vastly reduced. This process of continuous development, security monitoring and operations has become known as DevSecOps and is the next frontier of cloud automation and security.
If you’re building systems in the cloud today, your best option is to prepare for battle, build defence-in-depth and shift-left.
To find out how Cloud Maker Overwatch can help keep you secure, shift-left and adopt DevSecOps, head over to https://cloudmaker.ai and sign up for a free trial today.