Rethinking cloud security to speed development while maintaining data protection.
As enterprises are looking to innovate at speed, they’re also facing stringent regulations on data protection, increasing threats and the continual need for compliance. Can they move at the speed of cloud? Or are they slowed down by security considerations? Isn’t it possible to have both speed and security? This is not abstract or theoretical: I have these conversations with clients every day. And it can be done — you can achieve both speed and security.
To achieve both, you need to take a prescriptive approach that enables enterprise security and compliance teams to partner with application teams. You need to be sure that these teams have a structured approach to interact, work together and respect each other’s priorities. Your developers want to work at speed and scale; security teams want to protect your enterprise and your data. To do both, I suggest these five simple steps.
1. Use prescriptive controls to manage risk and compliance
Many in business think of regulatory requirements as difficult and onerous. They do take time and effort; look at the regulatory requirements for HIPAA, GDPR, FDIC, FCA or EBA, industry standards (e.g., NIST) or global standards (e.g., PCI or ISO). But these requirements were not created in a vacuum — they’re there to protect you and the public. And full, top-down compliance in an organization pays real benefits to your data security.
Your security team can turn these imposed policies into standardized controls (e.g., based on NIST 800-53 standard). Then they should provide prescriptive implementations they would approve to meet those standardized controls (e.g., what technology is approved for cloud key management). Staying informed and current with the complex and ever-changing global, industry and regulatory requirements pays dividends in helping maintain data security.
2. Protect data and enable data privacy
Given increasing data breaches and stringent data security regulations, data protection must be at the heart of your security program. That said, recognize that not all data is equal, and one size doesn’t fit all. The steps you take to protect data depend on the sensitivity of the data. Confidential and sensitive data pose a high risk to the enterprise, if breached. Operational controls might be sufficient for public information (e.g., press releases or annual reports) and for internal data (e.g., internal emails and training materials). However, technical controls — where you have full authority and assurance around the data — are important to protect confidential and sensitive data. Confidential data can include employee pay stubs and consumer information, while more sensitive data may include financial transactions or personal identity information.
Technical assurance of your data spans protecting data-at-rest, data-in-transit and data-in-use. Key management is critical infrastructure in the cloud.
A clear distinction is that with operational assurance, your cloud provider makes the promise that they will not access your data and security keys; but with technical assurance, your cloud provider cannot access your data and keys. The solution to achieve technical assurance for keys is known as “keep your own key (KYOK).” KYOK provides a single-tenant key management service with a fully dedicated hardware security module (HSM) that is exclusively controlled by you and is built on technology certified to FIPS 140-2 Level 4, the industry’s highest standard. This solution can be used to encrypt data-at-rest in databases and storage systems and to protect the private keys used to secure data-in-transit.
You should also take a holistic approach to protect your sensitive data while it’s in use — spanning compute, containers and databases. Confidential computing is a security technology that protects data-in-use within secure enclaves in a computing environment. You should architect your solutions so that virtualized workloads run within confidential servers, containerized applications are deployed within confidential containers and data is stored within confidential databases. Thus, leveraging technologies like KYOK and confidential computing provides greater privacy assurance to companies that their data in the cloud is protected at-rest, in-transit and in-use.
3. Manage access built on zero trust architecture
There’s much more to zero trust than “Never talk to strangers.” As outlined in NIST’s Zero Trust Architecture, “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.” Taking a zero trust approach to managing access starts with your most valuable asset — data. A data-centric security approach begins with a series of questions:
- What type of data is it?
- Who can access it?
- Where can they access from?
- Do you have controls in place to allow access only on a need-to-know basis?
You must design your solution so that you make explicit decisions on access to your data at every step of the way. This can be achieved by defining and enforcing a collection of controls across network, identity, application and endpoint. For instance, never allow direct Internet access to your sensitive data; consider network-based access controls with an “allow list” of locations from which you want to allow data access. Authenticate and only authorize identities (users or machines) that are intended to have access, define granular access policies and require multi-factor authentication when accessing sensitive data. Make sure you maintain a healthy security posture where vulnerabilities are fixed and security configurations are done right.
4. Achieve continuous detection and response
The expression “crime never sleeps” has never been more true. Hackers around the globe can target any enterprise at any time. You can’t just lock the door and go home. Cloud misconfiguration is a major security breach risk and accounts for 15% of annual breaches, on average. You not only need to be sure your cloud deployment is configured correctly, but that it stays configured correctly. Continual monitoring of your security and compliance posture is crucial. The security team can define a set of security requirements that an application is expected to meet. Those requirements can be codified into a set of policies and rules that can be continually monitored by a cloud security posture management solution. This way, you can detect any drift against your desired posture and take corrective action to bring the solution back to your desired state. A comprehensive detection and response solution will give you the ability to verify security and compliance posture and gain security insights by detecting suspicious behavior that could indicate threats. Look to balance a continual view of potential threats with a compliance view of meeting your controls.
5. Infuse security and privacy with DevSecOps
To do security right, the way security is factored into the development lifecycle needs to shift left. The cloud development and operations model (DevOps) is driving culture and organizational changes in enterprises, with application teams having to take on more ownership for the security of the overall solution. The key is a collaborative environment where the development, operations and security teams can work together to integrate security into this process — thus resulting in a seamless DevSecOps process. Such an approach will help infuse security and privacy measures into every step of the application lifecycle — design, build, deploy and manage.
Security teams should define prescriptive controls based on specific workload and data types (e.g., regulated workloads). Developers can then codify those control requirements into reference architectures and create repeatable deployment patterns that can be integrated into their continuous integration (CI) and continuous deployment (CD) toolchains. They can define appropriate policies and gates such that the decision to proceed with deploying to production will be dependent on whether the security configurations meet the controls. Their service reliability engineering (SRE) and operations team can be set up for continuous detection and response so that they maintain a healthy security and compliance posture.
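As an added example (not code from the original post or from IBM), the following script shows what "codifying controls into rules" in step 4 and "a gate that depends on whether the security configurations meet the controls" in step 5 can look like in practice: three of the article's controls are written as rules, evaluated over a constructed resource inventory, and turned into a proceed/block decision. The resource fields, control ids, CIDR ranges and key-mode labels are assumptions for illustration, not any provider's real API.

```python
"""Added example: a minimal posture-check engine plus CI/CD gate.
Resource fields, control ids and sample values are constructed."""
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    classification: str           # "public", "internal", "confidential", "sensitive"
    public_access: bool           # reachable directly from the Internet
    allowed_cidrs: list = field(default_factory=list)
    key_mode: str = "provider"    # "provider", "byok" or "kyok" (assumed labels)

ALLOW_LIST = {"10.0.0.0/8", "192.168.10.0/24"}   # constructed corporate ranges
REGULATED = {"confidential", "sensitive"}       # data classes needing technical controls

# Each rule: (constructed control id, description, predicate that is True when compliant).
# Controls only bind regulated data; public/internal data passes with operational controls.
RULES = [
    ("NET-01", "no direct Internet access to regulated data",
     lambda r: r.classification not in REGULATED or not r.public_access),
    ("NET-02", "regulated data reachable only from allow-listed locations",
     lambda r: r.classification not in REGULATED
               or (r.allowed_cidrs and set(r.allowed_cidrs) <= ALLOW_LIST)),
    ("KEY-01", "regulated data encrypted with a customer-controlled (KYOK) key",
     lambda r: r.classification not in REGULATED or r.key_mode == "kyok"),
]

def evaluate(inventory):
    """Return (resource, control id) findings: each one is drift from the desired posture."""
    return [(r.name, cid) for r in inventory for cid, _, ok in RULES if not ok(r)]

def gate(inventory):
    """CI/CD gate: proceed to production only when no finding remains."""
    findings = evaluate(inventory)
    return ("PROCEED" if not findings else "BLOCK", findings)

# Constructed inventory snapshot, as a posture management tool might collect it.
INVENTORY = [
    Resource("press-releases", "public", public_access=True),
    Resource("payroll-db", "confidential", False, ["10.0.0.0/8"], "kyok"),
    Resource("txn-store", "sensitive", True, ["0.0.0.0/0"], "provider"),
]

if __name__ == "__main__":
    print(gate(INVENTORY))
```

Run on a schedule against a fresh inventory, `evaluate` gives the continuous drift view of step 4; run in the pipeline before deployment, `gate` is the step 5 decision point.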
In summary, it’s no longer a question of whether you need more speed or greater security. You need both, and you can achieve both. At IBM, we’ve seen this with many clients and deployments where they have the confidence to have all their teams work together. This is a fantastic journey, and we hope we have the chance to go on it with you.
For more background on data breaches and their prevention, download the report from IBM Cloud and IBM Security, Cost of a Data Breach: A view from the cloud 2021.