Long gone are the days when security and legal privacy were topics that existed only on the agendas of lawyers and security teams. Societal and technological advancements have redefined the rules, and data security compliance and privacy are now at the forefront of everyone's minds. Privacy regulations such as the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) are major strategic priorities for organizations, and they drive and promote security in software design.
How can developers assist in meeting these challenges? In this blog we’ll take a look at five developer-driven ways to assist in designing cloud security that takes compliance goals into account.
On the technology side, two (r)evolutions have changed the rules of the game. First, with the public cloud becoming mainstream, organizations have to follow the cloud’s shared responsibility model. This model splits the responsibility for cloud security between the cloud provider and the customer, which has effectively led software development teams to incorporate security into the design of their products. Second, with the DevSecOps concept, security became an integral part of overall software development.
These security priorities often aren’t fully understood by engineers, who have the entire cloud’s resources at their disposal, and don’t want security restrictions to slow down the development process.
The business perspective somewhat motivates the engineers in this direction, as it’s important to ship the new features as quickly as possible. Since time to market is crucial, engineering teams are often tempted with workaround approaches that might circumvent security controls. The mindset and day-to-day actions of a software developer are important for the overall security in the organization. If security is going to be handled properly, devs need to be on board.
People don’t need nutrition experts to tell them that eating healthy food is good for their well being. It’s common knowledge. Likewise, software developers don’t need security experts to tell them that following development best practices and avoiding workarounds is critical for cloud security and privacy. But do they have to be the ones responsible for it?
While security experts have a vital role in providing valuable in-depth information, validation, and guidance, and in designing security controls, it is in the hands of software developers to plan and develop systems that follow guidelines and established security practices. Therefore, the answer to the question of who is responsible for security and compliance, security experts or engineers, is both.
However, it’s important to reflect on how this manifests in the real world for software developers. In fast-paced engineering environments, it’s often hard to keep security as a priority and at the top of the mind. What can be done to help?
Below we’ll see five ways software developers can help with security compliance in their day-to-day work without compromising development and innovation speed.
When we see news headlines about data breaches and information exposure, the popular imagination goes to hackers performing elaborate attacks. While advanced persistent threats and state-sponsored attacks are very real, the most common scenario is far more mundane and easily preventable: human error and misconfiguration. Misconfigured public cloud services are the cause behind some of the most expensive data breaches that have happened to date. Even worse, studies suggest that 99% of all misconfiguration in the public cloud currently goes unreported.
Software developers can change this pattern by adopting configuration management tools and processes. Instead of manually configuring cloud resources in web consoles, developers can take advantage of infrastructure-as-code tools such as CloudFormation, Terraform, and Serverless Framework.
Using these management tools, any configuration and infrastructure changes go through the same code review process, making it easier to catch potential misconfiguration mistakes. With configuration management and automation, developers can also increase their speed and efficiency, with documented, predictable, and repeatable cloud infrastructure across multiple environments (development, staging, production).
With the rapid evolution of cloud capabilities and the adoption of DevOps culture and practices, recent years have brought a huge increase in tools and services that do the heavy lifting on different aspects of cloud security compliance. Yet many of those advanced services are still fairly unknown, and they offer developers a unique opportunity to step up their security game.
Developers can leverage readily available security services and cloud security compliance solutions such as NetApp Cloud Data Sense (AI-driven data mapping for better data governance), Azure Security Center (advanced threat protection for hybrid workloads), or AWS Trusted Advisor (checks and guidance to optimize infrastructure and increase security and performance). These tools are easily accessible to any developer and can make a significant difference in your organization's security strategy.
One of the most important and strategic goals in modern software development in the cloud is to automate as much as possible in order to add maximum business value. A key part of that automation goal is to establish a continuous integration and continuous delivery (CI/CD) pipeline. An automated CI/CD pipeline increases the efficiency of a development team, enabling the building, testing and deployment of new features to happen much faster.
What is often overlooked is the importance that continuous integration and delivery has in the organization's security strategy. A CI/CD pipeline presents an opportunity to automate security validation and uncover potential problems. A software developer can incorporate security best practices and leverage services and tools to gain new insights on cloud security and compliance. Software artifacts such as containers can be scanned for vulnerabilities, and source code can be profiled and analysed using built-in services (e.g., AWS CodeGuru) to uncover bugs and critical issues. This improves the efficiency of your cloud-based applications and prevents problems before your changes are deployed to production.
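The infrastructure-as-code review and CI/CD validation described above can be combined into a pipeline step that rejects a template before it is deployed. The following is an added example, not code from the original post: a check over a constructed CloudFormation template in JSON form, where the policy itself (no public ACL, all four public access block flags set, an explicit encryption configuration) is an assumed team standard.

```python
import json

# Constructed sample template (not from the original page): LogsBucket is
# misconfigured, DataBucket is hardened.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "LogsBucket": {
    "Type": "AWS::S3::Bucket",
    "Properties": {"AccessControl": "PublicRead"}
  },
  "DataBucket": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
      "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true, "BlockPublicPolicy": true,
        "IgnorePublicAcls": "true", "RestrictPublicBuckets": true},
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}
    }
  }
}}
""")

PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")

def find_bucket_misconfigurations(template):
    """Return sorted (logical_id, finding) pairs for risky S3 bucket settings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
            findings.append((name, "public ACL"))
        pab = props.get("PublicAccessBlockConfiguration") or {}
        # Anything other than a literal true (e.g. a Ref) is treated as unset.
        if not all(pab.get(f) in (True, "true") for f in PAB_FLAGS):
            findings.append((name, "public access block incomplete"))
        rules = (props.get("BucketEncryption") or {}).get(
            "ServerSideEncryptionConfiguration") or []
        if not rules:  # assumed policy: the key choice must be explicit
            findings.append((name, "no explicit encryption configuration"))
    return sorted(findings)

if __name__ == "__main__":
    results = find_bucket_misconfigurations(SAMPLE_TEMPLATE)
    for name, finding in results:
        print(f"{name}: {finding}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the CI step
```

Values supplied through intrinsic functions such as `Ref` cannot be resolved statically, so this check reports them as unset and leaves the decision to the reviewer.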
There was once a time when end-to-end encryption was often considered utopian and unattainable. The operational complexity of properly managing encryption keys and SSL/TLS certificates, combined with nightmare service configurations, made developers shy away from prioritizing such tasks.
With cloud computing, this is no longer the case. In fact, it is almost criminal today not to leverage the built-in encryption capabilities. Managed services such as AWS KMS make it incredibly easy to manage encryption keys and use them to encrypt and decrypt virtual machines, databases, storage resources and pretty much any piece of data at-rest.
Similarly, issuing and managing SSL/TLS certificates is easy and straightforward, making in-transit encryption a breeze. There is now no excuse not to implement end-to-end encryption and help protect your data from man-in-the-middle attacks and unauthorized access.
In today’s software development culture, security practices are not exclusive to restricted security expert groups. A popular practice among engineering teams looking to establish their DevSecOps processes is security threat modeling. This risk analysis concept has been used for decades by information security experts to identify, mitigate and understand threats.
There are several ways to do security threat modeling, but regardless of the method you choose, the objective is to identify potential threats and blind spots in your system architecture. By putting yourself and your team in the shoes of a potential attacker, and using the threat modeling framework as guidance, you will uncover valuable insights and gain a better technical understanding of the changes needed to improve your system's security and compliance.
The simplicity of security threat modeling methods, combined with the value their outcomes provide for security and compliance, makes this a powerful tool that software developers can take advantage of on a regular basis without much overhead.
We live in an exceptional time for software development. There have never been so much information and so many tools available to implement top-notch security and compliance controls. On the other hand, with a hyperconnected society exchanging huge amounts of data, the stakes have never been higher.
It is imperative that software developers take an active role in the organization's security strategy and, as we suggest above, it all boils down to adopting best practices and choosing the right tools in day-to-day work.
One of the tools software developers have at their disposal is NetApp Cloud Data Sense, the new data mapping and reporting tool for data stored on-prem, in the cloud with Cloud Volumes ONTAP, Azure NetApp Files, and Amazon S3, or in databases such as MongoDB, Oracle, MySQL and more. Taking advantage of intelligent AI technology, Cloud Data Sense makes it easier for companies to meet compliance requirements.