The secure-by-design concept involves developers ensuring security best practices are followed through all stages of software development and deployment.
Designing and developing software following a security-by-design approach also means that developers and other stakeholders -- including information security, risk management and IT operations teams -- work to mitigate potential software threats and vulnerabilities through a variety of controls and processes.
As more organizations turn toward the cloud, there's no better time than now to discuss how organizations can apply security-by-design principles to cloud engineering and operations.
Here are three areas in the cloud where organizations should apply security-by-design principles.
Developers and other stakeholders should follow the shared responsibility model and use built-in security-by-design principles within their cloud service provider's (CSP) infrastructure.
These built-in security controls from the provider can include the following:
Google Cloud, for example, describes several tactics employed to harden its kernel-based VM hypervisors, including vulnerability research, attack surface reduction and source code tracking.
The second opportunity to build a secure-by-design cloud infrastructure is in the DevOps pipeline. Given the nature of software-defined infrastructure and deployments, there are many ways to ensure security controls and considerations are baked into cloud-focused applications.
To begin, DevOps and security teams should engage in threat modeling to ensure all parties understand the design of the applications being built and deployed, the threat surface, the controls available and the technologies they're going to use, including CSP offerings. Threat modeling should enable organizations to make design decisions with security as a priority before developing and deploying applications and components.
Additional security-by-design principles in the DevOps pipeline should include the following:
Organizations should embed security-by-design principles in the operational guardrails that run in the CSP. Guardrails can range from secure cloud configuration settings -- for example, disabling the root identity for cloud accounts and subscriptions -- to the enablement of cloud monitoring and assessment services.
In AWS, for example, monitor for unusual behavior that may indicate security events or other issues with services such as Amazon Inspector, GuardDuty and Detective. These services help evaluate the environment and alert security professionals to issues when needed. AWS Resource Access Manager can also help propagate and share secure configurations across accounts.
Enabling operational guardrails early in the development and design phases -- ideally, by the time threat modeling commences or completes -- can facilitate cloud deployments that not only have secure code and components, but also manifest and operate in a well-secured environment.
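The guardrails named above (no usable root identity, monitoring enabled) can be expressed as automated checks. The following is an added example, not code from the article or from AWS: it evaluates a constructed sample in the shape of an IAM credential report (a subset of its real columns) and an assumed per-region GuardDuty detector map, and returns the guardrail failures found.

```python
import csv
import io

# Constructed sample in the shape of an IAM credential report (subset of columns,
# fictitious account id). The root row is reported as <root_account> in real reports.
CREDENTIAL_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111111111111:root,false,true,false
alice,arn:aws:iam::111111111111:user/alice,true,true,false
"""

# Constructed GuardDuty detector status per region; the dict shape is an
# assumption for this example, not the AWS API response format.
GUARDDUTY_DETECTORS = {
    "us-east-1": {"detector_id": "example-detector", "status": "ENABLED"},
    "eu-west-1": {"detector_id": None, "status": None},
}


def check_root_identity(report_csv):
    """Root guardrail: MFA must be active and no access keys may be active."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] != "<root_account>":
            continue
        if row["mfa_active"] != "true":
            findings.append("root: MFA not enabled")
        if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append("root: active access key present")
    return findings


def check_guardduty(detectors, required_regions):
    """Monitoring guardrail: every in-scope region needs an ENABLED detector."""
    findings = []
    for region in required_regions:
        detector = detectors.get(region)
        if not detector or detector["status"] != "ENABLED":
            findings.append(f"{region}: GuardDuty detector not enabled")
    return findings


def evaluate_guardrails(report_csv, detectors, required_regions):
    """Combine all guardrail checks; an empty list means the account passes."""
    return check_root_identity(report_csv) + check_guardduty(detectors, required_regions)


if __name__ == "__main__":
    regions = ["us-east-1", "eu-west-1"]
    for finding in evaluate_guardrails(CREDENTIAL_REPORT, GUARDDUTY_DETECTORS, regions):
        print("FAIL", finding)
```

In practice the report would come from `aws iam get-credential-report` and the detector map from GuardDuty's list/get calls per region; the checks themselves stay the same.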
All Rights Reserved, Copyright 2000 - 2022, TechTarget