DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Related

  • Compliance Automated Standard Solution (COMPASS), Part 7: Compliance-to-Policy for IT Operation Policies Using Auditree
  • Safeguarding Web Applications With Cloud Service Providers: Anti-CSRF Tokenization Best Practices
  • Demystifying Cloud Trends: Statistics and Strategies for Robust Security
  • Harnessing Security by Adopting Zero Trust Architecture

Trending

  • Why Infrastructure Efficiency Is Becoming the New Cloud Profitability Metric
  • Testing Strategies for Web Development Code Generated by LLMs
  • The AI Definition of Done
  • Workflows vs AI Agents vs Multi-Agent Systems: A Practical Guide for Developers
  1. DZone
  2. Software Design and Architecture
  3. Cloud Architecture
  4. 12 Factor Framework for Building Secure and Compliant Cloud Applications

12 Factor Framework for Building Secure and Compliant Cloud Applications

Learn how a practical 12-factor framework embeds security, compliance, resilience, and governance into cloud-native applications.

By 
Josephine Eskaline Joyce user avatar
Josephine Eskaline Joyce
DZone Core CORE ·
Prashanth Bhat user avatar
Prashanth Bhat
DZone Core CORE ·
Ajay Chebbi user avatar
Ajay Chebbi
·
Jul. 14, 26 · Analysis
Likes (0)
Comment
Save
Tweet
Share
153 Views

Join the DZone community and get the full member experience.

Join For Free

It began with a late-night alert.

A critical cloud application, serving thousands of users, had just been flagged for a security violation. No “hack” had occurred; nothing obviously was broken. What appeared to be a minor misconfiguration had quietly exposed sensitive data. The system was still running. The business was still operating. But compliance? Already compromised.

The team scrambled. Was it an identity issue? A pipeline gap? A missing policy? Every layer seemed secure in isolation—but together, something had slipped through.

That night revealed a hard truth: security and compliance aren’t features you add—they are properties you design into every layer of a cloud application.

This is where a structured approach becomes essential—a way to think systematically about building applications that are not just scalable and observable but inherently secure and compliant by design.

This blog explores a 12-factor security framework to do exactly that.

What Does “Secure and Compliant by Design” Mean?

“Secure and compliant by design” means that security and compliance are built into the foundation of a cloud application—not added later as patches, tools, or audit activities.

Traditionally, teams would:

  • Build the application first
  • Test functionality
  • Add security checks before release
  • Prepare compliance evidence only during audits

This approach creates gaps because security becomes reactive and compliance becomes periodic.

"Secure and compliant by design" flips this model and introduces three key shifts:

  1. Shift left: Security and compliance should start early.
    • Secure coding practices
    • Dependency scanning in development
    • Policy checks in CI/CD pipelines
    • Outcome: Issues are prevented rather than fixed later.
  2. Continuous, not periodic: Compliance is no longer an annual or quarterly exercise.
    • Policies are enforced automatically
    • Systems are continuously validated
    • Drift is detected in real time
    • Outcome: You're always audit-ready.
  3. Embedded across layers: Security and compliance are enforced at every layer of the system.
    • Application layer – secure code, input validation
    • Infrastructure layer – hardened configurations
    • Identity layer – strict access controls
    • Runtime layer – monitoring and threat detection
    • Outcome: No single point of failure.

The 12 Factors Overview

Security and compliance are not a single layer—they are a system of interconnected controls surrounding and protecting the application at every stage. The proposed 12 factors are organized across five architectural pillars: 

Category
Objective
Associated Factors

Application Foundations

Establish secure, consistent, and portable application design principles

Codebase, Dependencies, Configuration

Identity, Trust, and Security Controls

Protect identities, secrets, and trust boundaries across the application lifecycle

Credentials & Secrets Management, Identity and Access Control

Runtime and Delivery Architecture

Govern application packaging, deployment, and runtime execution behavior

Build–Release–Run, Processes, Port Binding

Observability, Governance, and Compliance

Enable monitoring, auditability, policy enforcement, and operational visibility

Logs, Admin Processes

Operational Resilience and Scalability

Improve elasticity, fault tolerance, and operational continuity

Concurrency, Disposability, Dev/Prod Parity


The architecture diagram below shows the proposed structure of the 12 factors for secure and compliant cloud applications; the factors are grouped into five capability domains. Rather than functioning as isolated practices, these domains collectively establish a secure-by-design, resilient, scalable, and compliance-aware cloud-native architecture that supports both technical and business outcomes. 

Note: Operational resilience is not represented by a single control but emerges from the combined implementation of incident response, observability, workload protection, and robust infrastructure practices.



Operationalizing the 12 Factors

Modern cloud applications cannot use siloed security controls or compliance checks that come into play at later stages of the development process. Security and compliance should be built into the development lifecycle and applied consistently across architecture, deployment workflows, runtime environments, and operational processes.

The 12-factor framework outlines a framework for organizing security and compliance practices that consists of five key, interlinked layers: Application Foundation, Identity and Trust, Runtime and Delivery, Operational Resilience, and Observability & Governance. Each layer addresses a specific objective, but they all help to form a secure-by-design, compliant-by-default architecture.

Application Foundation

This layer builds the baseline structure and security posture of the application. It focuses on ensuring that application configurations, dependencies, and code artifacts remain consistent, reproducible, and externally managed.  Key considerations include:

  • Externalizing configurations and secrets
  • Managing dependencies through controlled mechanisms
  • Maintaining immutable and version-controlled artifacts
  • Standardizing application packaging and deployment patterns

Having a good foundation reduces configuration drift, minimizes hidden dependencies, and creates predictable application behavior across environments.

Identity and Trust

Identity becomes the primary security boundary in cloud-native systems where applications, services, and workloads communicate dynamically. This layer focuses on:

  • Strong workload and service identities
  • Secure authentication and authorization mechanisms
  • Principle of least privilege access
  • Secret lifecycle and credential management

The objective is to establish trusted interactions between users, applications, services, and infrastructure resources.

Runtime and Delivery

Applications continuously evolve through deployment pipelines and operational updates. Secure runtime execution and delivery processes ensure that changes can be introduced without compromising reliability or compliance.

Key areas include:

  • Secure CI/CD pipelines
  • Immutable deployment patterns
  • Controlled rollout strategies
  • Container and workload security enforcement
  • Policy-driven deployment validation

This layer enables rapid delivery while preserving operational safety.

Observability and Governance

Visibility and governance provide continuous assurance that systems operate within expected security and compliance boundaries.

This layer includes:

  • Metrics, logs, and distributed tracing
  • Continuous compliance monitoring
  • Policy-as-Code enforcement
  • Audit evidence collection
  • Security posture assessment and reporting

Effective observability transforms operational signals into actionable insights while supporting governance requirements.

Operational Resilience

Security and compliance also depend on maintaining application availability and handling failures gracefully.

Important capabilities include:

  • Self-healing mechanisms
  • Controlled failure handling
  • High availability strategies
  • Backup and recovery procedures
  • Automated incident response

Resilience mechanisms reduce operational risk and help maintain service continuity under adverse conditions.

These five layers build a comprehensive defense architecture where security, compliance, operational reliability, and governance are not discrete activities but rather integrated functions of the application. The subsequent sections describe each of the twelve factors in detail and explain their practical implementation within cloud-native environments.

Architectural Anti-Patterns in Cloud-Native Security and Compliance

Although many organizations are investing in cloud security tools and compliance frameworks, most of the time failures cannot be attributed to technology but rather to recurring anti-patterns, habits, and decisions that unintentionally introduce risk. Understanding these pitfalls is key in developing systems that are truly secure and compliant by design. Below are some of the most common anti-patterns:

  1. Hard-coded secrets and configuration: Credentials, API keys, or environment-specific settings are embedded directly in the source code.
    Impact: Increased risk of credential exposure, security breaches, and configuration drift.
  2. Over-privileged access and shared identities: Users and services receive permissions beyond operational requirements.
    Impact: Expands the attack surface and increases the blast radius of compromised workloads.
  3. Security as a late-stage activity: Security validation occurs after development and deployment activities are completed.
    Impact: Delayed remediation, higher operational cost, and inconsistent policy enforcement.
  4. Mutable infrastructure and manual changes: Direct modifications are applied to running environments without controlled deployment processes.
    Impact: Creates configuration drift and reduces reproducibility.
  5. Limited observability and reactive monitoring: Insufficient metrics, logs, and traces limit operational visibility.
    Impact: Slower incident detection and longer recovery times.
  6. Siloed governance and compliance processes: Governance activities operate independently from engineering workflows.
    Impact: Compliance gaps, duplicated effort, and reduced delivery efficiency.
  7. Ignoring runtime security controls: Security controls focus only on build-time validation and neglect runtime monitoring.
    Impact: Undetected threats and reduced visibility into active workloads.
  8. Missing continuous feedback loops: Application metrics, security events, operational incidents, and compliance findings are not continuously integrated back into development and operational workflows.
    Impact: Repeated failures, delayed remediation, limited learning from incidents, and slower improvement of security and operational practices.

Aligning With Industry Standards

The framework aligns with global security and compliance standards. The framework embeds governance, access control, observability, and resilience practices directly into the software lifecycle by not treating compliance as a distinct validation exercise. The table below shows how the 12-factor framework aligns with common industry security and compliance standards.

Standard / Framework
Primary Focus
How the 12-Factor Framework Supports It
NIST Cybersecurity Framework
Identify, Protect, Detect, Respond, Recover

Supports policy enforcement, monitoring, identity controls, and resilience practices

SOC 2

Security, availability, processing integrity

Improves auditability, access management, and operational monitoring

ISO 27001

Information security management

Encourages risk-based controls, governance processes, and secure operational practices

CIS Benchmarks

Secure system and workload configuration

Reinforces secure configurations and standardized deployment practices

Zero Trust Architecture

Continuous verification and least privilege

Strengthens workload identity, authentication, and access controls

HITRUST

Security and compliance for regulated data

Enhances governance, audit controls, and protection of sensitive information


Getting Started: A Practical Roadmap

Adopting a secure and compliant cloud application framework is not a one-time effort, and it is a progressive journey. This needs to be treated as a phased transformation with continuous improvements to be successful.

  • Phase 1—Assess and Baseline: Before implementing controls, it is critical to understand your current posture. 
    • Focus areas:
      • Inventory applications, services, and dependencies
      • Evaluate current security practices across the lifecycle
      • Identify gaps in identity, configuration, and observability
      • Map existing controls to compliance requirements (e.g., SOC2, ISO 27001)
    • Outcome:
      • Clear visibility into risk exposure and compliance gaps
      • A prioritized list of areas needing attention
  • Phase 2 - Establish Secure Foundations: Build the baseline capabilities that enforce security by default.
    • Focus areas:
      • Implement secure CI/CD pipelines with integrated scanning. 
      • Centralize secrets management and eliminate hardcoded credentials. 
      • Enforce least-privilege IAM policies 
      • Define secure configuration baselines (IaC templates, guardrails)
    • Outcomes:
      • Strong foundation layer aligned with Application Foundation and Identity pillars 
      • Reduced risk from common vulnerabilities
  • Phase 3 - Automate Security and Compliance: Manual processes do not scale in cloud environments; automation is essential.
    • Focus areas:
      • Introduce policy-as-code (OPA, Kyverno)
      • Enable continuous compliance monitoring
      • Automate security checks in pipelines
      • Detect and remediate configuration drift
    • Outcome:
      • Shift from reactive to proactive enforcement
      • Always-on compliance posture
  • Phase 4 - Strengthen Runtime and Resilience: Once the foundation is secure, focus on protecting systems in production.
    • Focus areas:
      • Implement runtime threat detection and workload protection
      • Enable network segmentation and encryption (Zero Trust)
      • Define incident response playbooks
      • Build resilience mechanisms (failover, DR, fault tolerance)
    • Outcome:
      • Systems that are not only secure, but also resilient to failure and attack
  • Phase 5 - Enable Observability and Continuous Improvement: Security and compliance must evolve with the system.
    • Focus areas:
      • Centralize logs, metrics, and traces
      • Correlate observability data for threat detection
      • Establish feedback loops from operations to development
      • Continuously refine policies and controls
    • Outcome:
      • A closed-loop system where insights drive ongoing improvement
      • Faster detection, response, and optimization

Example Technology Enablers

Layer
Capability
Example Tools

Application Foundation

Infrastructure as Code & Packaging

Terraform, Helm

Source Control & Artifact Management

Git, Artifact Registry

CI/CD & Pipeline Automation

Jenkins, GitHub Actions, Tekton, ArgoCD

Supply Chain & Security Scanning

Snyk, Trivy, Dependabot

Secrets Management

HashiCorp Vault, Kubernetes Secrets, IBM Cloud Secrets Manager

Identity & Trust

Identity & Access Management (IAM)

IAM platforms, Azure AD, IBM Cloud IAM

Workload Identity & Zero Trust

SPIFFE/SPIRE, Keycloak

Authentication & Authorization

OAuth/OIDC providers, Keycloak

Runtime & Delivery

Container & Workload Security

Falco, Prisma Cloud, Aqua

Deployment & Continuous Delivery

Jenkins, ArgoCD, Tekton

Network Security & Service Mesh

Istio, Linkerd, Service Mesh

Configuration & Posture Management

CSPM tools (Wiz, Prisma, AWS Config)

Observability & Governance

Metrics, Logs & Tracing

Prometheus, Grafana, OpenTelemetry, Instana

Policy Enforcement (Policy-as-Code)

OPA, Kyverno

Security & Compliance Monitoring

Splunk, ELK, Security & Compliance platforms

Operational Resilience

High Availability & Scaling

Kubernetes HPA

Disaster Recovery & Backup

Velero, IBM Cloud Backup and Recovery

Chaos Engineering & Testing

Chaos Monkey, Litmus

Incident Management

PagerDuty, Opsgenie


Conclusion

Imagine two organizations adopting cloud-native technologies. One continuously responds to security vulnerabilities, operational problems, and compliance needs as they become apparent. The other incorporates security, resilience, and governance through architecture from inception. 

Over time, the difference becomes clear. One struggles to keep up with change, while the other moves with confidence as security and compliance are no longer separate but inherent capabilities. 

The proposed 12-factor framework is ultimately about enabling this shift, moving from reactive controls toward secure-by-design and compliant-by-default cloud applications.


applications Cloud Framework security

Opinions expressed by DZone contributors are their own.

Related

  • Compliance Automated Standard Solution (COMPASS), Part 7: Compliance-to-Policy for IT Operation Policies Using Auditree
  • Safeguarding Web Applications With Cloud Service Providers: Anti-CSRF Tokenization Best Practices
  • Demystifying Cloud Trends: Statistics and Strategies for Robust Security
  • Harnessing Security by Adopting Zero Trust Architecture

Partner Resources

×

Comments

The likes didn't load as expected. Please refresh the page and try again.

  • RSS
  • X
  • Facebook

ABOUT US

  • About DZone
  • Support and feedback
  • Community research

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 215
  • Nashville, TN 37211
  • [email protected]

Let's be friends:

  • RSS
  • X
  • Facebook