For Better Security and Efficiency, Add CSPM to DevOps Processes

IT professionals don’t always associate cloud security posture management with Infrastructure as Code, because CSPM and IaC typically involve different teams. The staffers responsible for securing resources in the cloud and maintaining compliance aren’t the same people who create those resources originally. That disconnect can be a missed opportunity, so let’s look at the alignment between these two important areas. 

I like the analogy of a leaky boat when thinking about cloud security. You can make a series of quick fixes, plugging holes whenever you find them. But it’s better to take the boat out of the water and figure out how the holes got there in the first place. Bringing CSPM and IaC together can help an organization spot potential security issues, such as misconfigurations, before they have a chance to multiply.

CSPM solutions shed light on the current state of resources that live in the cloud. But how did those resources get there? Going back to the boat analogy: Where did the holes come from?

Many organizations use IaC to provision and spin up resources in the cloud. The benefits of automation are tremendous. The drawback to this automation is that without proper security policy, IaC can potentially increase the attack surface and cause misconfigurations to multiply.

Proactive scanning with CSPM makes it possible to identify misconfigurations for remediation. However, the upstream pipelines and provisioning process that created the resource should also be addressed. IaC templates and resources should be scanned for misconfigurations in the pipeline, and appropriate policies should be set so developers are made aware of a misconfiguration even before they provision a given resource in the cloud. This is often referred to as Policy as Code.

The DevSecOps approach aims to make development, operations and security work cohesively to understand how resources are provisioned, what the business needs are and how to merge those processes. Its goals are to provide a frictionless experience for those who consume cloud resources while applying the right policies and guardrails to do so securely.

These partnerships are important because developers and operations team members aren’t security experts. They may understand the risks and potential ramifications of misconfigurations, but they may not know specific organizational policies and how to incorporate them into their workflows. 

The general objective of DevSecOps is to “shift left”: to incorporate security much earlier in the process, with guardrails that enable developers to do their jobs securely and quickly. Developers should absolutely consult with security peers as they go, and security teams should look to partner with development and provide code reviews and feedback. CSPM, IaC scanning and Policy as Code can help by providing an automated way to understand the security posture of existing resources; codify security knowledge and get it in the hands of team members who need it; and enforce policy to prevent unnecessary downstream risk.

A core tenet of DevOps is to do things at the point where it costs the least amount of money to fix. The earlier you can identify issues in the process of creating resources, the faster you can give feedback to the people who are creating and consuming resources in the cloud. DevSecOps  solutions such as CSPM, IaC scanning and Policy as Code help organizations merge these processes and get people on the same page.

Story by:

Mike Mullen, a senior field solution architect for CDW’s Secure Cloud team. He is a knowledgeable cybersecurity professional focused on assisting companies as they develop security strategies for their public cloud and hybrid cloud environments. Mullen’s experience with businesses ranging from fledgling startups to expanding global corporations affords him a distinctive viewpoint for determining how security can advance business operations to achieve goals.

Kyle Jepson, a Senior DevOps Field Solution Architect for CDW. Kyle is focused on assisting clients with navigating the ecosystem of DevOps and cloud native solutions and services. He is responsible for delivering technology demos, training and scoping service engagements to help clients build core capabilities for their digital initiatives. Kyle is a Certified Kubernetes Admin.