In recent years, the majority of tech companies have embraced and adopted cloud computing for their IT infrastructure. This has made the transition to a mandatory work-from-home for engineering teams technically easy, in response to the efforts to curb the further spread of COVID-19.
Many engineering teams are no strangers to remote work. It is quite common to have to collaborate with teammates across the world. But this abrupt shift to a fully remote team is unprecedented and this sharp transition may be uncomfortable for many. Lack of in-person interactions and tight communication can create an error-prone environment with ineffective code reviews and work handoffs. That, combined with the aggressive cost-cutting measures in response to the financial crisis, is a recipe for chaos attackers thrive on.
From the Capital One cloud data breach in 2019 to the many cases of data leaks that affected large enterprises, it is clear that cloud infrastructure and the data within it will be a big target for hackers, especially during this financial crisis. Many businesses may not be able to withstand the damage of a security breach.
Amid the fast-evolving workforce during this COVID-19 crisis, is there low-hanging fruit that remote engineering teams can leverage to build more securely in the cloud? Let’s have a look.
Model After Widely-Adopted Cloud Cybersecurity Frameworks
Cybersecurity frameworks help cloud architects and engineers design and build secure, efficient, and resilient infrastructure. They also help organizations understand best practices and implement IT security policies. The CIS Benchmarks, maintained by the Center for Internet Security, provide frameworks covering an array of over 100 different operating systems, network devices, applications, and cloud providers.
Unlike most native frameworks that cloud providers have for their own applications, which can be challenging to navigate and derive actionable security tasks from, the CIS Benchmarks provide a good balance between ease of adoption and specialization.
Each CIS Benchmark provides prescriptive guidance for establishing a secure configuration posture for your IT infrastructure, including detailed descriptions of potential vulnerabilities together with clear auditing and remediation steps. For example, if you run your applications on AWS, you will find the recommendations in CIS Benchmarks for AWS familiar and highly actionable as they are tailored specifically to AWS technologies.
Additionally, many of these benchmark checks can be automated through Cloud Security Posture Management (CSPM) tools like Warden that provide constant feedback on security posture.
Engineering teams that adopt these recognized security frameworks will find it easy to abide by a set of security best practices in their operation, whether it is remote, on-site, or a mix of both.
Utilize Infrastructure as Code (IaC) as a Security Enabler
IaC is growing in popularity today, and if your team has not yet adopted it, it pays to explore the possibilities. Popular IaC tools include AWS CloudFormation, Red Hat Ansible, Chef, Puppet, SaltStack, and HashiCorp Terraform. Like any automation process, the obvious benefits of adopting IaC are speed, consistency, and cost. Security is often an underappreciated aspect of IaC that deserves more credit.
Here is a look at how the main benefits of IaC also lead to easy security wins for engineering teams:
- Repeatable: The ability to create a production-ready duplicate of your entire infrastructure easily is critical to your disaster recovery strategy.
- Immutable: Cloud configuration is predominantly API-driven. By limiting the write access that humans have and automating deployment through Continuous Integration and Continuous Delivery (CI/CD), we can enforce immutability and avoid configuration drift.
- Reviewable: Code review is a practice widely adopted by engineering teams. By codifying your infrastructure, you can apply the same software quality assurance process and toolchains to your cloud configuration.
- Auditable: When you manage IaC files in your version control system, you maintain a history of configuration changes. This can provide valuable insights during an investigation (e.g., timestamps of any security-related misconfiguration).
- Manageable: You can apply the same access control policy on your source code to your IaC files.
When the only communication available is telecommuting with apps such as Zoom and Polycom, an IaC approach can help your team not only lower the chances of infrastructure configuration errors but also react quickly to disasters, if they do happen.
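To make the "Reviewable" and CI/CD points concrete, here is an added example (not from the original article or any tool it names) of a pre-merge check that reads a Terraform plan exported with `terraform show -json` and fails when a planned security group opens SSH or RDP to the whole internet. The sample plan and its resource names are constructed, and the choice of rule is an assumption for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields this check reads. Resource names are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_security_group.bastion", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"protocol": "tcp", "from_port": 22, "to_port": 22,
      "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"actions": ["update"], "after": {"ingress": [
     {"protocol": "tcp", "from_port": 443, "to_port": 443,
      "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
     {"protocol": "-1", "from_port": 0, "to_port": 0,
      "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}}},
  {"address": "aws_security_group.legacy", "type": "aws_security_group",
   "change": {"actions": ["delete"], "after": null}}
]}
""")

ADMIN_PORTS = (22, 3389)            # SSH and RDP over TCP
WORLD = {"0.0.0.0/0", "::/0"}       # "anyone on the internet", IPv4 and IPv6

def covers(rule, port):
    """True if the rule's protocol and port range include TCP `port`."""
    if rule.get("protocol") == "-1":
        return True                 # "-1" means all protocols and all ports
    if rule.get("protocol") not in ("tcp", "6"):
        return False
    return rule.get("from_port", 0) <= port <= rule.get("to_port", 0)

def find_open_admin_ingress(plan):
    """Return (address, port) for each planned rule exposing an admin port to the internet."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if rc["type"] != "aws_security_group" or not after:
            continue                # other resource types, or deletions
        for rule in after.get("ingress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            if cidrs & WORLD:
                findings += [(rc["address"], p) for p in ADMIN_PORTS if covers(rule, p)]
    return findings

if __name__ == "__main__":
    for address, port in find_open_admin_ingress(SAMPLE_PLAN):
        print(f"FAIL {address}: port {port} open to the internet")
```

Run in the pipeline before apply, a non-empty result blocks the merge, so the reviewer sees the finding next to the diff that introduced it.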
Harden Cloud Configuration, Your First Line of Defence
Not all cloud workloads are deployed through a software development process. Various teams and functions within an organization may use the cloud to experiment and innovate. This often results in ad hoc deployments that are hard to police and secure. As engineering teams implement IaC and follow security best practices, the one thing that they need to continuously monitor is cloud infrastructure configuration.
According to Gartner, through 2025, 99% of cloud security failures will be the customer’s fault. From data breaches seen in Accenture, GoDaddy, Microsoft, and other large enterprises, it is clear that organizations need to take stock of how they manage their cloud resource inventory.
As your team continues a Work-From-Home arrangement, consider doing a fortnightly or monthly audit of your cloud resource inventory to catch rogue resources that may have slipped under the radar. Shutting down unused resources not only saves costs, but also reduces your security risk exposure in the cloud. Additionally, investing in a CSPM tool can help meet the growing need that organizations have to monitor their cloud environments for security vulnerabilities.
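One way to run the periodic inventory audit described above, as an added example that is not part of the original article: reconcile a resource inventory against the Terraform state file and list everything that exists in the cloud but is not managed as code. The state and inventory below are constructed, and the inventory field names (`type`, `id`, `owner`, `created`) are assumptions about how your export is shaped.

```python
import json
from datetime import datetime, timezone

# Constructed Terraform state (format version 4), trimmed to the fields read here.
STATE = json.loads("""
{"version": 4, "resources": [
  {"mode": "managed", "type": "aws_instance", "name": "api",
   "instances": [{"attributes": {"id": "i-0aaa1111"}}]},
  {"mode": "managed", "type": "aws_s3_bucket", "name": "assets",
   "instances": [{"attributes": {"id": "example-assets"}}]},
  {"mode": "data", "type": "aws_ami", "name": "base",
   "instances": [{"attributes": {"id": "ami-0ccc3333"}}]}
]}
""")

# Constructed inventory, as an export from the provider's API or a CSPM tool might look.
INVENTORY = [
    {"type": "aws_instance", "id": "i-0aaa1111", "owner": "platform", "created": "2020-01-10T09:00:00+00:00"},
    {"type": "aws_instance", "id": "i-0bbb2222", "owner": None, "created": "2020-03-02T14:30:00+00:00"},
    {"type": "aws_s3_bucket", "id": "example-assets", "owner": "web", "created": "2019-11-05T08:00:00+00:00"},
    {"type": "aws_s3_bucket", "id": "example-tmp-export", "owner": "data", "created": "2020-04-20T16:45:00+00:00"},
]

def managed_ids(state):
    """Set of (type, id) for every resource instance Terraform manages in this state."""
    return {(res["type"], inst["attributes"]["id"])
            for res in state.get("resources", [])
            if res.get("mode") == "managed"     # data sources are lookups, not owned resources
            for inst in res.get("instances", [])}

def find_unmanaged(inventory, state, now):
    """Inventory entries absent from the state, oldest first, with age and owner status."""
    known = managed_ids(state)
    findings = []
    for item in inventory:
        if (item["type"], item["id"]) in known:
            continue
        age = now - datetime.fromisoformat(item["created"])
        findings.append({"type": item["type"], "id": item["id"],
                         "age_days": age.days, "has_owner": bool(item.get("owner"))})
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

if __name__ == "__main__":
    for f in find_unmanaged(INVENTORY, STATE, datetime.now(timezone.utc)):
        owner = "owner recorded" if f["has_owner"] else "NO OWNER"
        print(f'{f["type"]} {f["id"]}: unmanaged, {f["age_days"]} days old, {owner}')
```

Old unmanaged resources with no recorded owner are the first candidates to investigate and shut down; the rest are candidates for import into IaC.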
Make Security A Part of Your Engineering Culture
The cloud is driven by applications and APIs, and regularly sees new microservices, containers, and serverless functions. With these constant new layers of abstraction and complexity, engineering teams require an easy-to-adopt, scalable approach to security management.
Integrating security into the Software Development Lifecycle, known as the Secure Software Development Lifecycle (SSDLC), is a new approach that organizations are adopting to mitigate critical security risks, all while keeping engineering teams focused on creating and maintaining functional software. Some best practices to integrate this into your team’s culture include:
- Implement security as a product feature. Security features can be a powerful product differentiator in your product roadmap.
- Keep security top of mind by facilitating communication channels where people can raise security concerns to engineers.
- Treat security threats like bugs, a natural part of software development, and act on them the same way you would act on other issues.
As your organization buys into this SSDLC culture, it will get easier for your engineering team to prioritize security features even as the team scales and transitions to new working environments.
A Permanent Shift In The Work Environment?
With COVID-19 changing the way we currently work, it may well be an interesting opportunity for engineering teams to see what the future of an office-less or office-light working reality looks like. Maintaining a cadence of effective collaboration while being fully remote is tough enough without mentioning security. But facing this reality and the challenges it brings head-on now will help your team to come out of this crisis stronger than before.