Over 50% of companies admit to cutting back on security measures to meet a business deadline or objective, according to our recent SecOps Report. In other words, security is falling by the wayside, even as companies invest heavily in DevOps. With DevOps able to move more swiftly than ever in the cloud, security is often mistakenly viewed as a business decelerator, serving as an impediment to DevOps’ efficiency.
But strong security is not only vital to a healthy business in its own right; it can also speed sales cycles, drive revenue, and clear the way for new business opportunities. The key is integrating security with development and operations workflows and embedding it within business practices from the outset.
To do this, it’s necessary to get all stakeholders on the same page around security goals. One way to do that is to build a shared framework. With the help of the new Threat Stack® Cloud SecOps Maturity Framework, benchmarking your security maturity is a straightforward process of evaluating your strengths and weaknesses, and this enables you to develop a clear and actionable plan to move forward.
Five Areas to Focus on to Strengthen Your Infrastructure
Essential to the Maturity Framework, which is part of our new Cloud SecOps Program℠, are five principles that are designed to help you continuously improve your security posture. It’s important to note that your business is unique, with its own individual risk and compliance needs, so it’s perfectly fine to prioritize some of these principles over others. No one principle is more important than any other, and you need to decide where to focus your efforts.
1. System Access & Users
The principle of least privilege should always be top of mind for organizations when it comes to system access and users. While you may have modeled it into your policies, achieving security maturity in this area means that you have also embedded the principle of least privilege into your tools and day-to-day processes. By systematically automating and verifying your user access policies, you reduce the risk of human oversight that could enable insider threats.
2. Patching & Vulnerability Management
Patching vulnerabilities seems like an easy enough task, but according to the 2017 Verizon DBIR, companies aren’t doing it with nearly enough regularity, giving attackers plenty of time to exploit vulnerabilities that are months (or even years) old. To head vulnerabilities off at the pass and achieve security maturity, your organization’s approach to patching should be standardized, automated, and built with sufficient resiliency to withstand automatic software updates.
3. Infrastructure Control Plane (AWS Console/API)
When operating in the cloud, APIs and management consoles are the functional equivalent of data center access. Unlike with a data center, however, securing only your own networks is not enough in the cloud, because this approach leaves APIs exposed. To achieve SecOps maturity with respect to the infrastructure control plane, it’s necessary to evolve your security approach by handling public cloud management consoles and APIs with the same level of sensitivity as a data center. This involves automating the shutoff of access to insecure or potentially compromised systems.
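As an added illustration, not Threat Stack's code or part of the framework, of what "systematically automating and verifying your user access policies" (principle 1) looks like when applied to the control plane (principle 3): a small audit that flags Allow statements in an AWS IAM policy document that are broader than least privilege. The policy document below is constructed for the example.

```python
import json

# Constructed sample IAM policy document (not from the page). The second and
# third statements are deliberately broader than least privilege so the audit
# has something to flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-logs",
                      "arn:aws:s3:::example-app-logs/*"]},
        {"Sid": "AdminEverything", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "IamWildcard", "Effect": "Allow",
         "Action": "iam:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})


def _as_list(value):
    # IAM allows a single string or a list for Action / Resource / Statement.
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (Sid, reason) findings for Allow statements that violate least
    privilege: a global action wildcard, a service-wide action wildcard such
    as iam:*, or Resource "*" with no Condition narrowing it."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict, never widen, access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        has_condition = bool(stmt.get("Condition"))
        for action in actions:
            if action == "*":
                findings.append((sid, "grants every action (Action '*')"))
            elif action.endswith(":*"):
                findings.append((sid, f"grants all {action[:-2]} actions ({action})"))
        if "*" in resources and not has_condition:
            findings.append((sid, "applies to every resource (Resource '*') with no Condition"))
    return findings


def is_least_privilege(policy_json):
    """True when the audit produces no findings; usable as a CI gate."""
    return not audit_policy(policy_json)
```

Running the audit as a pre-merge check on infrastructure-as-code turns the least-privilege policy into a repeatable control rather than a one-time review.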
Network topologies are still the primary means by which security and operations teams restrict access between systems, but with environments that are more complex and interconnected than ever before, traditional network security controls aren’t sufficient. Instead, servers should be grouped by role, leveraging automation to establish small network paths to model trust between peers, and architecture should run over the WAN rather than LANs. SecOps maturity in this area, therefore, means that you have modeled authentication and authorization and are not relying on the underlying network topology to define security.
5. Runtime & Services
Both operations and security teams benefit from the standardization of runtimes and software management, continuous integration, and streamlined software development life cycles, so the alignment of goals in these areas should be relatively easy. With goals aligned, infrastructure and runtimes can function as a shared utility, allowing engineers to innovate within these common structures. It’s necessary to apply the same principles across teams in order to achieve SecOps maturity with regard to runtimes and services, thereby increasing efficiency and helping to minimize the risk of failure.
Making the Grade
Each of our five principles can be ranked in accordance with the five levels of maturity defined in our Maturity Framework. These levels run from reactive, ad hoc, manual processes where security and operations are siloed (Level 1) to standardized, optimized, highly automated processes that leverage shared goals and a heavy focus on feedback and improvement (Level 5).
We can’t stress enough the importance of being honest with yourself when using the SecOps Maturity Framework to evaluate your organization. While a high score may reassure executives, gaming the numbers won’t get you anywhere if your score is not a realistic reflection of your actual business. The goal should not be to achieve a high score from the outset but, rather, to gain insight into where you currently stand so you can improve your overall security posture and work toward a higher ranking in the future.
It’s also worth noting that the journey doesn’t end with a score of 5. Improvement should be continuous as your organization changes, infrastructure shifts, and the threat landscape morphs. In order to achieve real SecOps maturity, take the time to define what Level 6 might look like for your company, and think about the ways in which you can achieve automation and collaboration on an even deeper level.
If you would like to learn more about Threat Stack’s Cloud SecOps Maturity Framework, or want to begin baselining your organization’s cloud security maturity as a start to strengthening your security posture, feel free to take our Cloud SecOps Maturity Assessment.