Engineers Own Cloud Security and They Need Better Tools
Just about everyone agrees that the cloud is the biggest transformation in IT in decades, but you’ll hear many different reasons why: OpEx vs. CapEx, no need to manage physical data centers, “agility,” and other buzzwords. But the real reason cloud has had such a profound impact is the empowering role it has given developers.
In the data center, developers could move only as fast as the infrastructure and security team. But with cloud, developers own all of those functions — whether the organizations that employ them realize it or not. The effect has been profound. Cloud-based companies generally out-innovate their competition in strides.
Cloud security, unfortunately, is an area fraught with frustration for developers and risk for organizations. The cloud is different from the data center in both how it works and how to secure it. There’s no perimeter. Identity and access management is the new network. Traditional security tools don’t work in the cloud, and security professionals often don’t understand how the cloud works. Even organizations widely recognized as cloud security leaders can fall victim to their own misconfigurations.
The solution to cloud security lies squarely with the developer. The cloud is 100% software-defined. Everything is knowable, and everything is programmable. Cloud security is about the secure configuration of resources. When configuration is programmable, cloud security becomes a software engineering problem, not a security analysis one. It’s a problem tailor-made for engineers to tackle.
So, why are engineers frustrated? And why do misconfiguration breaches keep happening? Tracking all of the resources and configurations for at-scale cloud environments involves countless hours clicking through consoles, updating spreadsheets, reviewing alerts, and drawing diagrams. None of those are engineering tools. They’re also fountains of human error.
Adding to this frustration is the age-old friction between application teams that want to innovate and move fast and security and compliance teams that are typically tasked with slowing them down in order to review, audit, and certify everything’s secure and compliant. Learning that you need to re-architect half of your application to address security issues and policy violations when you’re ready to deploy is never fun.
Naturally, developers have empowered themselves to address these challenges with software engineering solutions. They’ve adopted a “Shift Left” mentality to security and compliance by moving these functions earlier in the software development life cycle (SDLC), when making such corrective changes is less costly and time-consuming. And they’ve developed policy-as-code as a means of automating the certification process and greatly reducing human error.
While the “Shift Left” movement has mostly focused on application security, there’s a considerable movement underway to include cloud infrastructure security in that effort as well. The Cloud Native Computing Foundation's open source Open Policy Agent (OPA) project provides a policy-as-code framework for infrastructure, which uses the Rego policy language. OPA has enjoyed significant traction with the Kubernetes community and is seeing more adoption for cloud infrastructure in general.
Earlier this year, Regula, which uses OPA to evaluate Terraform infrastructure as code for potential misconfiguration vulnerabilities and compliance violations pre-deployment, was released as an open source project. And Fugue Developer is a free service that provides engineers with tools to visualize running cloud infrastructure and detect misconfiguration and policy violations using OPA rules.
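To make the policy-as-code idea concrete, here is an added example of an OPA Rego policy that checks Terraform plan output for two common S3 misconfigurations before deployment. It is written for this article and is not code from the Regula or Fugue projects; it assumes the input is the JSON emitted by `terraform show -json plan.out`, with resources under `planned_values.root_module.resources`, and it assumes the attribute names `acl` and `server_side_encryption_configuration` as exposed by the Terraform AWS provider. The embedded test uses a constructed resource so the policy can be exercised offline with `opa test`.

```rego
package terraform.s3_checks

# Added example policy, not Regula's or Fugue's own rules.
# Assumed input shape: `terraform show -json plan.out`, i.e.
#   input.planned_values.root_module.resources[_] with .address, .type, .values

# Canned ACLs that grant read (or write) access to anonymous or all AWS users.
public_acls := {"public-read", "public-read-write", "authenticated-read"}

# Violation 1: an S3 bucket whose ACL is one of the public canned ACLs.
deny[msg] {
    resource := input.planned_values.root_module.resources[_]
    resource.type == "aws_s3_bucket"
    public_acls[resource.values.acl]
    msg := sprintf("%s: ACL '%s' grants public access", [resource.address, resource.values.acl])
}

# Violation 2: an S3 bucket with no server-side encryption block configured.
# Nested blocks appear as arrays in plan JSON; a missing or empty array means no SSE.
deny[msg] {
    resource := input.planned_values.root_module.resources[_]
    resource.type == "aws_s3_bucket"
    not has_sse(resource)
    msg := sprintf("%s: no server_side_encryption_configuration block", [resource.address])
}

has_sse(resource) {
    count(resource.values.server_side_encryption_configuration) > 0
}

# Constructed plan fragment for `opa test`: one public, unencrypted bucket.
sample_plan := {
    "planned_values": {"root_module": {"resources": [{
        "address": "aws_s3_bucket.logs",
        "type": "aws_s3_bucket",
        "values": {"acl": "public-read", "server_side_encryption_configuration": []}
    }]}}
}

test_public_acl_denied {
    deny["aws_s3_bucket.logs: ACL 'public-read' grants public access"] with input as sample_plan
}

test_missing_sse_denied {
    deny["aws_s3_bucket.logs: no server_side_encryption_configuration block"] with input as sample_plan
}

test_clean_bucket_passes {
    clean := {"planned_values": {"root_module": {"resources": [{
        "address": "aws_s3_bucket.data",
        "type": "aws_s3_bucket",
        "values": {"acl": "private", "server_side_encryption_configuration": [{"rule": []}]}
    }]}}}
    count(deny) == 0 with input as clean
}
```

Run `opa test .` in the directory holding this file to execute the three tests, or `opa eval -i plan.json -d s3_checks.rego "data.terraform.s3_checks.deny"` against a real plan export; a non-empty `deny` set is the signal a CI step can use to fail the pipeline before anything is deployed.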
While the threats to cloud-based data are becoming more sophisticated and the job of eliminating cloud misconfiguration vulnerabilities grows more complex, it’s never been a better time to be a cloud-based developer. The tools exist for developers to effectively own the security of their cloud infrastructure environments where traditional security tools and methods have failed. Organizations that invest in empowering their engineers to own the security of their cloud infrastructure have a fighting chance at avoiding cloud-based data breaches.
Opinions expressed by DZone contributors are their own.