Ross Young, Director, Capital One

“IN A DYNAMIC CLOUD ENVIRONMENT, THE OLD SECURITY GROUPS ARE NOT AS IMPORTANT. WHAT BECOMES MORE IMPORTANT ARE SERVICE MESHES.”

When moving to the cloud, the way you secure things goes hand-in-hand with how you lower maintenance and development costs. For example, when you build your cloud architecture, are you talking about EC2 servers, containerized servers, or Amazon serverless applications? As you go further down that path, the cloud provider provides more functionality. You no longer have to worry about patching the operating system, configuring, monitoring, and scaling. All of those things are now managed by the AWS provider. This impacts the way you develop and the way you secure your architecture.

In a dynamic cloud environment, the old security groups are not as important. What becomes more important are service meshes and Layer 7 firewalls where you’re limiting the scope of applications by controlling which microservices talk to which APIs. The challenge becomes how to create those types of services in an enterprise service-level offering so that all of your developers from whatever lines of business can now utilize them.

It starts with everyone agreeing to a trusted DevSecOps or continuous integration/continuous delivery (CI/CD) pipeline. Organizations begin by looking at the earliest point at which they can find anything bad, which is typically the integrated development environment (IDE), and that’s where they implement a code-scanning tool. They also have a code check-in process that examines the quality of source code through static code analysis.

The pipeline also needs to support component analysis that looks at all the code dependencies to see if dependent components are properly patched and consistent, or what known vulnerabilities are in libraries you are using. The challenge at this stage is optimizing the tools to focus on the vulnerabilities that matter most in your environment, making sure you are seeing everything and scanning what you need to scan, and deciding how you build more security checks into the pipeline.

Then you analyze the code in production and scan for application-layer vulnerabilities. Doing all of those things helps you have a more proactively secure environment. To gain runtime protection, you still need tools that provide continuous real-time monitoring.
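The Layer 7, identity-based control the speaker contrasts with security groups can be made concrete with a service mesh policy. The following is an added example, not code from the interview or from Capital One: it uses Istio's AuthorizationPolicy and PeerAuthentication objects (apiVersion `security.istio.io/v1`, Istio 1.22 or later) to deny all traffic in a namespace by default and then allow exactly one caller to reach two ledger API operations. The namespace `payments`, the workloads `checkout` and `ledger`, the service account name and the paths are assumptions made for illustration.

```yaml
# Added example (not from the interview). Namespace, workload names,
# service account and paths are hypothetical.
---
# 1. Default deny for every workload in the namespace: an AuthorizationPolicy
#    with no rules matches no request, so nothing is allowed unless another
#    ALLOW policy explicitly permits it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 2. Only the checkout workload may call the ledger API, and only these
#    methods and paths. The caller is identified by the SPIFFE identity in
#    its mesh-issued mTLS client certificate, not by source IP or subnet,
#    which is what makes this work when pods are rescheduled and IPs change.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - "cluster.local/ns/payments/sa/checkout"
      to:
        - operation:
            methods: ["POST"]
            paths: ["/v1/transactions"]
        - operation:
            methods: ["GET"]
            paths: ["/v1/transactions/*"]
---
# 3. Require mTLS for the namespace so the principal above cannot be
#    spoofed by a plaintext caller that never presented a certificate.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
```

Apply all three with `kubectl apply -f`, then verify the intent from a pod that is not `checkout` (for example with `curl -s -o /dev/null -w '%{http_code}' http://ledger.payments/v1/transactions`): the sidecar should return 403, while the same request from the `checkout` service account succeeds. A check worth keeping in CI is that the deny-all policy exists in every namespace; without it, a workload with no matching ALLOW policy is reachable by anything in the mesh.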
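The pipeline stages described across the preceding paragraphs (static analysis at check-in, component analysis of dependencies, then application-layer scanning of the running system) map onto a CI workflow. The following GitHub Actions workflow is an added example, not the interview's or Capital One's pipeline: it assumes a Python repository with a `requirements.txt`, uses Semgrep for SAST, pip-audit for dependency vulnerabilities, and the OWASP ZAP baseline action for a DAST pass against a staging URL that is a placeholder.

```yaml
# Added example (not from the interview). Tool choices, versions and the
# staging URL are assumptions; adjust to the stack being built.
name: secure-pipeline
on: [push, pull_request]

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Static code analysis (SAST) at check-in
        run: |
          python3 -m pip install semgrep
          # --error makes the job fail on any finding. Tune the rule set
          # to the vulnerabilities that matter in your environment instead
          # of suppressing the gate.
          semgrep scan --config auto --error .

  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Component analysis (known vulnerabilities in dependencies)
        run: |
          python3 -m pip install pip-audit
          # Exits non-zero if any pinned dependency has a known CVE, so an
          # unpatched library cannot reach the deploy stage.
          pip-audit -r requirements.txt

  dast:
    # Application-layer scan only after the static gates pass and a test
    # instance is running; it exercises the deployed service, not the source.
    needs: [sast, sca]
    runs-on: ubuntu-latest
    steps:
      - name: Application-layer scan of the deployed test instance (DAST)
        uses: zaproxy/action-baseline@v0.12.0
        with:
          target: "https://staging.example.internal"   # placeholder URL
          fail_action: true
```

The ordering is the point: the cheap static checks run on every push and block early, while the DAST job is gated on them and on a deployed instance. None of these stages replaces the runtime monitoring the speaker mentions; they reduce what reaches production, and a separate runtime tool still has to watch what does.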

This is an excerpt from the Container and Cloud Security Series. This series was generously sponsored by Lacework.