With the cloud adoption, the security needs to be rethought and the approach needs a fresh look. The traditional approach to the security is restrictive and control driven. With cloud in the center the agility and speed are key drivers for the adoption. The security needs to be integrated right from the development process, with DevOps pipeline and automated surveillance. This has led to Security by Design.
Security by design is an approach to build the application and systems which have one of the key design parameters as security. This approach is opposite to the working in the environment where security is audit driven and afterthought. Security by design is an approach where you consider that malicious practice is expected to happen, design should be such that it has minimal impact due to any of such security attack or malicious activity. The design of any system or application should consider graceful handling of such malicious acts /events by following approach.
- Build a zero-trust approach, privileges and access should be highly classified
- Anticipate security vulnerabilities and discover security vulnerabilities as you develop code
- Real time Logging and Monitor the systems
- Control Vs Surveillance – Build system which provides real-time security audit control
Security by design is achieved in 4 phases
Phase 1: Requirements definition and security outline:
Security requirements depend on the criticality of the system and the level of security required. The security enablement is taxing and complex, this needs additional layers of engineering, it becomes important to define the level of security required. The security control matrix should be well defined to make sure we have the requirement definition broken down into different controls. The security standards also help to build the control matrix required for the different IT systems.
Phase 2: Build DevOps pipeline with automated security validations and verification:
The security needs to be integrated in the coding practices and the validation needs to be part of the build and deployment process integrated into the DevOps pipeline. This helps in identifying the security loopholes at the coding level, making sure the system is secure to handle the code level malicious attacks. Defining the right tool chain for DevOps pipeline, which has built-in security level code validations is required. This also helps in the making sure that the code quality is high through the development life cycle.
Phase 3: Identify the tools for different layers of security:
Security needs different layers to make sure IT system is secure. These layers can be divided into the following areas
- Operating system
- Code and Data layer
We need to identify the requirement of the security systems at all the levels and build automated tool chain to handle different layers.
Phase 4: Setup Real-time security audit controls:
The continuous audit and compliance are key metrics to measure the security of IT systems. In the dynamic cloud environment need to real-time compliance audit and reporting. This makes sure the systems are secure as per the control requirements. This is achieved by building automated governance systems for controls to be audited in the real-time.
Cloudlytics – SaaS based tools, cloud security and automated audit compliance.
Cloudlytics has been built by keeping in mind the requirement of phase 3 and phase 4 mentioned above. Cloudlytics helps with automated real-time governance and audit controls. It has building blocks for the strong real-time monitoring of the cloud environments.
Cloudlytics provides per-packaged automated real-time audit compliance to industry standards on Cloud such as PCI, HIPPA, GDPR, MAS, ISO and others.
Future of security by design:
With the development in the field of Machine Learning (ML) the automated validation and verification will be done to extend to self-healing systems. The compliance and automated audit will automate the self-control needs and build on the control requirement. This will help in defining the controls as and when new vulnerabilities are identified. Machine Learning and advance analytics will chance the security landscape completely.