BUILDING SECURITY INTO YOUR CLOUD IT PRACTICES
Expert advice on aligning security with DevOps.
Sponsored by
INTRODUCTION
In the real world of cloud infrastructure, much that happens is driven by
business needs. Businesses face competitive pressures that require them to
continually optimize customer experience, move quickly into new markets or
release new products, and integrate their operations with those of partners,
customers, or acquired businesses. This puts a lot of pressure on IT managers
and developers. Coders are often incentivized to build fast, but not necessarily
to build securely. At the same time, the risks of running vulnerable infrastructure
are rising. How do IT professionals address the need to build it safer? To find
out, we asked our security experts the following question:
How can you make security an embedded discipline within your team?
Mighty Guides make you stronger.
These authoritative and diverse
guides provide a full view of a topic.
They help you explore, compare, and
contrast a variety of viewpoints so
that you can determine what will
work best for you. Reading a Mighty
Guide is kind of like having your own
team of experts. Each heartfelt and
sincere piece of advice in this guide
sits right next to the contributor’s
name, biography, and links so that you
can learn more about their work. This
background information gives you
the proper context for each expert’s
independent perspective.
Credible advice from top experts helps
you make strong decisions. Strong
decisions make you mighty.
© 2019 Mighty Guides, Inc. | 62 Nassau Drive | Great Neck, NY 11021 |
516-360-2622 | www.mightyguides.com
FOREWORD
Build Security Into Your DevOps Practices
Use cases across the different types of companies that operate workloads in the
cloud vary, but there undoubtedly is one commonality: velocity. Cost, flexibility,
and scale are cited as reasons why organizations decide to use the public cloud.
However, the ability to move at the speed of today’s technology innovation comes
out on top more often than not, time after time.
Many organizations can get so focused on pushing product that security takes a
backseat. The result is inadvertent vulnerabilities in the underlying infrastructure
that get missed. When that happens, and it happens a lot, companies, products,
and users are exposed.
Speed tends to be the focus for DevOps, but to truly implement and manage
DevOps effectively within an organization, it has to have a more comprehensive
approach from day one. A framework needs to be created that certainly
emphasizes speed and pushing product fast, but it has to also include a cultural
and technical approach that combines DevOps and security. An effective cross-
pollination of these will result in the kind of approach you’ll hear about in this
book. The people who are finding smart ways to build security into DevOps are
helping to ensure rapid business agility with the right approach to security.
Lacework is a SaaS platform that
automates threat defense, intrusion
detection, and compliance for cloud
workloads & containers. Lacework
monitors all your critical assets in
the cloud and automatically detects
threats and anomalous activity so
you can take action before your
company is at risk. The result?
Deeper security visibility and greater
threat defense for your critical cloud
workloads, containers, and IaaS
accounts. Based in Mountain View,
California, Lacework is a privately
held company funded by Sutter Hill
Ventures, Liberty Global Ventures,
Spike Ventures, the Webb Investment
Network (WIN), and AME Cloud
Ventures. Find out more at www.lacework.com.
Regards,
Dan Hubbard
Chief Product Officer
© 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All 
other marks mentioned herein may be trademarks of their respective companies. Lacework 
reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Get actionable recommendations on how to improve
your security and compliance posture for your AWS,
Azure, GCP, and private cloud environments.
FREE ASSESSMENT
Streamline security for AWS, Azure, 
and GCP.  Gain unmatched visibility, 
ensure compliance, and enable 
actionable threat intelligence.
TABLE OF CONTENTS
James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC
Milinda Rambel Stone, Vice President & CISO, Provation Medical
Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM)
Katherine Riley, Director of Information Security & Compliance, Braintrace
Darrell Shack, Cloud Engineer, Cox Automotive Inc.
Mauro Loda, Senior Security Architect, McKesson
Ross Young, Director, Capital One
“DEVELOPERS NEED TO UNDERSTAND
SECURITY FROM THEIR
OWN POINT OF VIEW, SO THEY
CAN INTEGRATE SECURITY INTO
THE COMPLETE SOFTWARE-
DEVELOPMENT LIFE CYCLE.”
Making security an essential part of your IT operations requires a
disciplined approach to the development process, and that begins with
teaching developers security awareness. Developers need to understand
security from their own point of view, so they can see and integrate
security into the complete software-development life cycle.
They need to bring security awareness to the table when they are
gathering project requirements, when they are planning their design,
when they are building code and doing verification testing, and when
they are deploying. This includes understanding the security scanning
and checks that are integrated into the pipeline as part of the
development process, and making sure those things are done. The
ultimate goal is to be in front of the security challenge rather than always
having to play catch-up and repair vulnerabilities after deployment.
James P. Courtney, Certified Chief
Information Security Officer, Courtney
Consultants, LLC
James Courtney is a recognized cybersecurity
professional who has spoken at multiple
conferences, including the CyberMaryland
Conference. He is a Certified Chief Information
Security Officer (one of 1,172 in the world), serving as
the IT network and operations security manager for a
private SIP consulting firm in McLean, Virginia.
Tools built into the pipeline play an important part in enforcing security checks. How you use them
becomes part of your change control management process and how you force checks and security
sign-offs. Other security tools that monitor activity in the environment also help determine what is most
critical.
But education and culture within the organization are important too. For instance, if you determine you
need to make an investment equal to 10% of your entire security budget to address a serious vulnerability
in your operation, senior management needs to understand why, and they need to have a clear idea of the
negative impact of not addressing that vulnerability.
“YOU CAN FILTER DATA FROM YOUR
SECURITY STACK AND BUILD IT
OUT INTO A HEAT MAP THAT HELPS
TRANSLATE WHERE YOU ARE INTO
BUSINESS LANGUAGE.”
There can be a lot of business and operational reasons for getting code
out as fast as possible, and developers are subject to those pressures.
But by nature, engineers want to do the right thing. The best way to
build secure code is to give developers the tools and incentives to do
the job, and make security fun. You need to build security in from an
application-security perspective, run code scans from an application-
security perspective on a regular basis, and have your teams compete.
Gamification is a great way to make security part of the job and to
make it one of the things that drive the whole process rather than being
an afterthought. Getting security right first costs much less than fixing
it after the fact.
Milinda Rambel Stone, Vice
President & CISO, Provation Medical
Milinda Rambel Stone is an executive
security leader with extensive experience
in building and leading security programs,
specializing in information-security
governance, incident investigation
and response, cloud security, security
awareness, and risk-management
compliance. As a former software engineer,
Stone has passion and experience in
building cloud security and DevSecOps
environments. She currently practices this
at Provation, where she is the vice president
and chief information security officer (CISO).
As part of this, having a DevSecOps mindset is extremely important. If you think about the cloud
environment and all the kinds of activities that are happening across all of the different teams, if you don’t
work together and collaborate on security, something’s going to get missed. The siloed approach doesn’t
work, and it’s more fun to work collaboratively.
Another important part of building security into your cloud operations is maintaining an overarching
enterprise security scorecard. You can actually filter data from your security stack and build it out into a
heat map that helps translate where you are into business language. The goal is to show the organization
where there is security risk, brand risk, product risk, financial risk, and where there are risk trends. Then
you can begin having a business conversation about how you address these risks, which are all based on
highly technical factors.
“WHEN IT COMES TO DEPLOYING
APPLICATIONS IN THE CLOUD,
AS YOU MOVE TOWARDS
CONVENIENCE, YOU LOSE
SECURITY.”
When it comes to deploying applications in the cloud, as you move
towards convenience, you lose security. It’s a balancing act. That said,
there are tools and processes that can enforce more secure practices.
For example, a continuous integration, continuous delivery (CI/CD) model
leverages known good components as you update your applications.
Being more secure in the cloud involves using these kinds of processes
to become more disciplined about change management.
There are a number of code assessment tools available that can be an
integral part of the development process. These tools scan code for
vulnerabilities during development and provide vulnerability notifications
so that those things can be addressed before code goes to production.
The entire DevOps process has become a code-based paradigm.
It’s also a good practice to have pen testers periodically look at your
applications and code from a hacker’s perspective. Use the vulnerabilities
they discover as an opportunity to raise awareness among the
developers.
Paul Dackiewicz, Lead Security
Consulting Engineer, Advanced Network
Management (ANM)
Paul Dackiewicz has over 10 years of systems
engineering and cybersecurity experience in
the fields of healthcare, government, and value-
added resellers (VARs). He is currently leading
the security operations center (SOC) for a premier
managed security services provider (MSSP).
“COMPLEMENT PLATFORM FEATURES
AND CAPABILITIES WITH TOOLS
THAT YOU CAN INTEGRATE INTO
THE ENVIRONMENT.”
Here are several things you can do to embed security practices into your
cloud operations:
• Take the time to architect out your solutions and ask tough
questions about how to make them conform to your security
framework and what risks you must address. It’s not easy to sit
down with everybody in the room, but it is a necessary step.
• Build a DevOps process that uses tools to scan code as you develop
it. This should be an automated process that has to happen before
code can be promoted.
• Use the cloud provider’s platform to your advantage. Cloud
platforms have a lot of security features and process-control
functions that can make your cloud infrastructure more secure,
if you use them. For instance, Amazon is constantly patching
and updating operating system images. Their tools can tell
you if operating system patches are relevant to the container
configurations you are currently using. This streamlines your own
configuration management and redeployment of fresh images.
Katherine Riley, Director of
Information Security & Compliance,
Braintrace
Katherine (Kate) Riley is skilled in leading
teams to define cloud architecture, and
in development of controls. She has
developed and implemented security
frameworks such as ISO and NIST, and
performed compliance reviews such as
FFIEC, HIPAA, HITRUST, SOX, GDPR, and
GLBA.
• Complement platform features and capabilities with tools that you can integrate into the
environment. You might want to install your own monitoring or behavior-analytics tool, and
integrate that with your dashboard or ticketing system. Then you can tune the tool so that you are
focusing on what is most critical to the business.
“MAKING SECURITY AN INTEGRAL
PART OF YOUR CLOUD OPERATIONS
REQUIRES TIGHTLY MANAGED
PROCESSES.”
Making security an integral part of your cloud operations requires tightly
managed processes. This begins with working closely with your security
teams as you design your cloud infrastructure, build out your networks,
and allocate available resources. This must all be done in compliance with
security standards laid out by your security team.
It requires managing the development process so that developers follow
rules and practices that enforce security. This includes the tools you use,
and an agile development process that might involve daily meetings in
which developers can discuss how to build something in accordance with
security guidelines. It can involve ticketing systems and collaboration
tools that facilitate developers getting answers to business-risk questions
that relate to the things they are being asked to build. And it requires
maintaining discipline about the development process itself, such as using
isolated network environments with strict naming conventions to separate
development, staging, and production environments for your applications.
The process for architecting and building cloud infrastructure needs to be
well controlled from end to end.
Darrell Shack, Cloud Engineer,
Cox Automotive Inc.
Darrell Shack is a seasoned system
engineer focused on building resilient
and high-availability solutions. He has
experience in developing solutions in the
public cloud Amazon Web Services, helping
teams manage their cost, and overall
application performance in the cloud.
“WITH SO MUCH IN THE BUSINESS
SUBJECT TO SECURITY RISK, EVERY
PERSON HAS A SPECIFIC ROLE TO
PLAY.”
With so many business operations happening in complex IT
infrastructures, security is no longer the responsibility of only the security
team or the compliance team. It must be baked in at the executive level
and become a part of the business process. Most enterprise operations
are driven by people, processes, and technology, and people are often
stretched thin. With so much in the business subject to security risk,
every person has a specific role to play.
Everything needs to be risk driven. This means treating security and
compliance risk as part of business risk. It also means talking about
security in terms of business cases, which becomes the common
language across the enterprise from the C-suite to business operations.
Security frameworks and tools play an important role not only in securely
managing IT infrastructures, but also in measuring and scoring risk in
ways that make sense for business cases. In this way cybersecurity can
become a key consideration in important business decisions.
Mauro Loda, Senior Security
Architect, McKesson
Mauro Loda is a passionate, data-
driven cybersecurity professional who
helped define and drive the “Cloud First”
strategy and culture within a Fortune 100
multinational enterprise. He is a strong
believer in offensive security and simple-
but-effective architecture-defense topology.
Emotional intelligence, pragmatism and
reliability are his guiding principles. He has
achieved numerous industry certifications
and actively participates in forums,
technology councils, and committees.
“BUILDING A SECURE, SCALABLE
DEVELOPMENT PROCESS DEPENDS
ON AUTOMATION TOOLS, BECAUSE
ONE SECURITY ENGINEER CANNOT
MANUALLY ASSESS ALL THE
APPLICATIONS AND SERVICE
INSTANCES…”
The ultimate goal needs to be to build security into the development
process and into the code itself.
One way to move in this direction is to change the structure of
development teams so that their work has more immediate feedback
from customers and business leaders. For example, a typical large
project might have 10 developers, a project manager, and a scrum
master assigned to it. However, a different approach would be to build
a team that consists of three or four developers doing the team coding,
working in pairs to check for errors. There would be a systems engineer
looking at customer requirements and breaking those down to actionable
increments on a scrum board. There would also be a person responsible
for the human-centric design, building wireframes before the coding
Ross Young, Director,
Capital One
Ross Young is a veteran
technologist, innovation expert,
and transformational leader, having
learned DevSecOps, IT infrastructure,
and cybersecurity from a young
age from both ninjas and pirates.
Young currently teaches master-level
classes in cybersecurity at Johns
Hopkins University and is a director of
information security at Capital One.
begins, and using those to get customer validation early in the development process. And of course the
team would have its own security engineer overseeing security of the code, and a project manager over
the group.
This kind of a team, supported with the right tooling, would be a highly agile group designed to receive
almost instantaneous feedback at every stage in the development cycle.
Part of this process needs to include building in risk sign-off at the business leader or executive level.
This would involve evaluating the product for vulnerabilities and risk, taking the finished product along
with the risk evaluation to an appropriate executive who can accept or reject the risk. That makes the final
decision about operational risk a business decision, not a security-team decision.
Building a secure, scalable development process depends on automation tools, because one security
engineer cannot manually assess all the applications and service instances a team like this could build.
And in a cloud environment, you could easily have many teams like this continuously creating new code.
Eventually the goal will be to build security control into the code itself. Security management becomes a
function built into the instantaneous-feedback loop developers use to advance their code incrementally.
When security policy is built as code, then developers can just test against it.
KEY POINTS
Having a DevSecOps mindset is extremely important. Thinking about the cloud environment and all the kinds of activities that
are happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to
get missed.
When it comes to deploying applications in the cloud, as you move toward convenience, you lose security. It’s a balancing act.
That said, there are tools and processes that can enforce more secure practices.
A security heat map can show business leaders where there is security risk, brand risk, product risk, financial risk, and reveal
risk trends. With that, you can have business conversations to address these risks, which are all based on highly technical
factors.
Workfront - 9 Experts on How to Align IT's Work to Company StrategyWorkfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company StrategyMighty Guides, Inc.
 
Citrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee ExperienceCitrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee ExperienceMighty Guides, Inc.
 
7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)Mighty Guides, Inc.
 
15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field MarketingMighty Guides, Inc.
 
Kyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating LiquidityKyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating LiquidityMighty Guides, Inc.
 
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersBlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersMighty Guides, Inc.
 
11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI 11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI Mighty Guides, Inc.
 
Defining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You HowDefining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You HowMighty Guides, Inc.
 
7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROIMighty Guides, Inc.
 
Iron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace TransformationIron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace TransformationMighty Guides, Inc.
 
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
Ntiva: 8 Experts on Outsourcing IT for Strategic AdvantageNtiva: 8 Experts on Outsourcing IT for Strategic Advantage
Ntiva: 8 Experts on Outsourcing IT for Strategic AdvantageMighty Guides, Inc.
 
Iron Mountain: The Essential Guide To Understanding Digital Transformation
Iron Mountain: The Essential Guide To Understanding Digital TransformationIron Mountain: The Essential Guide To Understanding Digital Transformation
Iron Mountain: The Essential Guide To Understanding Digital TransformationMighty Guides, Inc.
 
Kyriba: Taking Treasury From Reactive to Proactive- Quotes from the Experts
Kyriba: Taking Treasury From Reactive to Proactive- Quotes from the ExpertsKyriba: Taking Treasury From Reactive to Proactive- Quotes from the Experts
Kyriba: Taking Treasury From Reactive to Proactive- Quotes from the ExpertsMighty Guides, Inc.
 
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Mighty Guides, Inc.
 

Plus de Mighty Guides, Inc. (20)

7 Experts on Implementing Microsoft Defender for Endpoint
7 Experts on Implementing Microsoft Defender for Endpoint7 Experts on Implementing Microsoft Defender for Endpoint
7 Experts on Implementing Microsoft Defender for Endpoint
 
8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery
 
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience  7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
 
Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?
 
Workfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign ExecutionWorkfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign Execution
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
 
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company StrategyWorkfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
 
Citrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee ExperienceCitrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee Experience
 
7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)
 
15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing
 
Kyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating LiquidityKyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating Liquidity
 
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersBlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
 
11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI 11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI
 
Defining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You HowDefining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You How
 
7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI
 
Iron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace TransformationIron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace Transformation
 
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
Ntiva: 8 Experts on Outsourcing IT for Strategic AdvantageNtiva: 8 Experts on Outsourcing IT for Strategic Advantage
Ntiva: 8 Experts on Outsourcing IT for Strategic Advantage
 
Iron Mountain: The Essential Guide To Understanding Digital Transformation
Iron Mountain: The Essential Guide To Understanding Digital TransformationIron Mountain: The Essential Guide To Understanding Digital Transformation
Iron Mountain: The Essential Guide To Understanding Digital Transformation
 
Kyriba: Taking Treasury From Reactive to Proactive- Quotes from the Experts
Kyriba: Taking Treasury From Reactive to Proactive- Quotes from the ExpertsKyriba: Taking Treasury From Reactive to Proactive- Quotes from the Experts
Kyriba: Taking Treasury From Reactive to Proactive- Quotes from the Experts
 
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
Tenable: Economic, Operational and Strategic Benefits of Security Framework A...
 

Dernier

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 

Dernier (20)

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 

Building Security Into Your Cloud IT Practices

  • 1. BUILDING SECURITY INTO YOUR CLOUD IT PRACTICES Expert advice on aligning security with DevOps. Sponsored by
  • 2. INTRODUCTION In the real world of cloud infrastructure, much that happens is driven by business needs. Businesses face competitive pressures that require them to continually optimize customer experience, move quickly into new markets or release new products, and integrate their operations with those of partners, customers, or acquired businesses. This puts a lot of pressure on IT managers and developers. Coders are often incentivized to build fast, but not necessarily to build securely. At the same time, the risks of running vulnerable infrastructure are rising. How do IT professionals address the need to build it safer? To find out, we asked our security experts the following question: How can you make security an embedded discipline within your team? Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty. © 2019 Mighty Guides, Inc. | 62 Nassau Drive | Great Neck, NY 11021 | 516-360-2622 | www.mightyguides.com
  • 3. FOREWORD Build Security Into Your DevOps Practices Use cases across the different types of companies that operate workloads in the cloud vary, but there undoubtedly is one commonality: velocity. Cost, flexibility, and scale are cited as reasons why organizations decide to use the public cloud. However, the ability to move at the speed of today’s technology innovation comes out on top more often than not, time after time. Many organizations can get so focused on pushing product that security takes a backseat. The result is inadvertent vulnerabilities in the underlying infrastructure that get missed. When that happens, and it happens a lot, companies, products, and users are exposed. Speed tends to be the focus for DevOps, but to truly implement and manage DevOps effectively within an organization, it has to have a more comprehensive approach from day one. A framework needs to be created that certainly emphasizes speed and pushing product fast, but it has to also include a cultural and technical approach that combines DevOps and security. An effective cross-pollination of these will result in the kind of approach you’ll hear about in this book. The people who are finding smart ways to build security into DevOps are helping to ensure rapid business agility with the right approach to security. Lacework is a SaaS platform that automates threat defense, intrusion detection, and compliance for cloud workloads & containers. Lacework monitors all your critical assets in the cloud and automatically detects threats and anomalous activity so you can take action before your company is at risk. The result? Deeper security visibility and greater threat defense for your critical cloud workloads, containers, and IaaS accounts. Based in Mountain View, California, Lacework is a privately held company funded by Sutter Hill Ventures, Liberty Global Ventures, Spike Ventures, the Webb Investment Network (WIN), and AME Cloud Ventures. Find out more at www.lacework.com.
Regards, Dan Hubbard Chief Product Officer
  • 4. © 2019 Lacework, Inc. Lacework and Polygraph are registered trademarks of Lacework. All other marks mentioned herein may be trademarks of their respective companies. Lacework reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Get actionable recommendations on how to improve your security and compliance posture for your AWS, Azure, GCP, and private cloud environments. FREE ASSESSMENT Streamline security for AWS, Azure, and GCP. Gain unmatched visibility, ensure compliance, and enable actionable threat intelligence.
  • 5. TABLE OF CONTENTS Katherine Riley, Director of Information Security & Compliance, Braintrace: 11; Mauro Loda, Senior Security Architect, McKesson: 14; Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM): 10; James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC: 06; Darrell Shack, Cloud Engineer, Cox Automotive Inc.: 13; Milinda Rambel Stone, Vice President & CISO, Provation Medical: 08; Ross Young, Director, Capital One: 15
  • 6. “DEVELOPERS NEED TO UNDERSTAND SECURITY FROM THEIR OWN POINT OF VIEW, SO THEY CAN INTEGRATE SECURITY INTO THE COMPLETE SOFTWARE-DEVELOPMENT LIFE CYCLE.” Making security an essential part of your IT operations requires a disciplined approach to the development process, and that begins with teaching developers security awareness. Developers need to understand security from their own point of view, so they can see and integrate security into the complete software-development life cycle. They need to bring security awareness to the table when they are gathering project requirements, when they are planning their design, when they are building code and doing verification testing, and when they are deploying. This includes understanding the security scanning and checks that are integrated into the pipeline as part of the development process, and making sure those things are done. The ultimate goal is to be in front of the security challenge rather than always having to play catch-up and repair vulnerabilities after deployment. James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC James Courtney is a recognized cybersecurity professional who has spoken at multiple conferences, including the CyberMaryland Conference. He is a Certified Chief Information Security Officer (one of 1,172 in the world), serving as the IT network and operations security manager for a private SIP consulting firm in McLean, Virginia.
  • 7. Tools built into the pipeline play an important part in enforcing security checks. How you use them becomes part of your change control management process and how you force checks and security sign-offs. Other security tools that monitor activity in the environment also help determine what is most critical. But education and culture within the organization are important too. For instance, if you determine you need to make an investment equal to 10% of your entire security budget to address a serious vulnerability in your operation, senior management needs to understand why, and they need to have a clear idea of the negative impact of not addressing that vulnerability.
  • 8. “YOU CAN FILTER DATA FROM YOUR SECURITY STACK AND BUILD IT OUT INTO A HEAT MAP THAT HELPS TRANSLATE WHERE YOU ARE INTO BUSINESS LANGUAGE.” There can be a lot of business and operational reasons for getting code out as fast as possible, and developers are subject to those pressures. But by nature, engineers want to do the right thing. The best way to build secure code is to give developers the tools and incentives to do the job, and make security fun. You need to build security in from an application-security perspective, run code scans from an application-security perspective on a regular basis, and have your teams compete. Gamification is a great way to make security part of the job and to make it one of the things that drive the whole process rather than being an afterthought. Getting security right first costs much less than fixing it after the fact. Milinda Rambel Stone, Vice President & CISO, Provation Medical Milinda Rambel Stone is an executive security leader with extensive experience in building and leading security programs, specializing in information-security governance, incident investigation and response, cloud security, security awareness, and risk-management compliance. As a former software engineer, Stone has passion and experience in building cloud security and DevSecOps environments. She currently practices this at Provation, where she is the vice president and chief information security officer (CISO).
  • 9. As part of this, having a DevSecOps mindset is extremely important. If you think about the cloud environment and all the kinds of activities that are happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to get missed. The siloed approach doesn’t work, and it’s more fun to work collaboratively. Another important part of building security into your cloud operations is maintaining an overarching enterprise security scorecard. You can actually filter data from your security stack and build it out into a heat map that helps translate where you are into business language. The goal is to show the organization where there is security risk, brand risk, product risk, financial risk, and where there are risk trends. Then you can begin having a business conversation about how you address these risks, which are all based on highly technical factors.
  • 10. “WHEN IT COMES TO DEPLOYING APPLICATIONS IN THE CLOUD, AS YOU MOVE TOWARDS CONVENIENCE, YOU LOSE SECURITY.” When it comes to deploying applications in the cloud, as you move towards convenience, you lose security. It’s a balancing act. That said, there are tools and processes that can enforce more secure practices. For example, a continuous integration, continuous delivery (CI/CD) model leverages known good components as you update your applications. Being more secure in the cloud involves using these kinds of processes to become more disciplined about change management. There are a number of code assessment tools available that can be an integral part of the development process. These tools scan code for vulnerabilities during development and provide vulnerability notifications so that those things can be addressed before code goes to production. The entire DevOps process has become a code-based paradigm. It’s also a good practice to have pen testers periodically look at your applications and code from a hacker’s perspective. Use the vulnerabilities they discover as an opportunity to raise awareness among the developers. Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM) Paul Dackiewicz has over 10 years of systems engineering and cybersecurity experience in the fields of healthcare, government, and value-added resellers (VARs). He is currently leading the security operations center (SOC) for a premier managed security services provider (MSSP).
  • 11. 11 “COMPLEMENT PLATFORM FEATURES AND CAPABILITIES WITH TOOLS THAT YOU CAN INTEGRATE INTO THE ENVIRONMENT.” Here are several things you can do to embed security practices into your cloud operations:
      • Take the time to architect out your solutions and ask tough questions about how to make them conform to your security framework and what risks you must address. It’s not easy to sit down with everybody in the room, but it is a necessary step.
      • Build a DevOps process that uses tools to scan code as you develop it. This should be an automated process that has to happen before code can be promoted.
      • Use the cloud provider’s platform to your advantage. Cloud platforms have a lot of security features and process-control functions that can make your cloud infrastructure more secure, if you use them. For instance, Amazon is constantly patching and updating operating system images. Their tools can tell you if operating system patches are relevant to the container configurations you are currently using. This streamlines your own configuration management and redeployment of fresh images.
    Katherine Riley, Director of Information Security & Compliance, Braintrace Katherine (Kate) Riley is skilled in leading teams to define cloud architecture, and in development of controls. She has developed and implemented security frameworks such as ISO and NIST, and performed compliance reviews such as FFIEC, HIPAA, HITRUST, SOX, GDPR, and GLBA.
  • 12. 12
      • Complement platform features and capabilities with tools that you can integrate into the environment. You might want to install your own monitoring or behavior-analytics tool, and integrate that with your dashboard or ticketing system. Then you can tune the tool so that you are focusing on what is most critical to the business.
  • 13. 13 “MAKING SECURITY AN INTEGRAL PART OF YOUR CLOUD OPERATIONS REQUIRES TIGHTLY MANAGED PROCESSES.” Making security an integral part of your cloud operations requires tightly managed processes. This begins with working closely with your security teams as you design your cloud infrastructure, build out your networks, and allocate available resources. This must all be done in compliance with security standards laid out by your security team. It requires managing the development process so that developers follow rules and practices that enforce security. This includes the tools you use, and an agile development process that might involve daily meetings in which developers can discuss how to build something in accordance with security guidelines. It can involve ticketing systems and collaboration tools that facilitate developers getting answers to business-risk questions that relate to the things they are being asked to build. And it requires maintaining discipline about the development process itself, such as using isolated network environments with strict naming conventions to separate development, staging, and production environments for your applications. The process for architecting and building cloud infrastructure needs to be well controlled from end to end.
    Darrell Shack, Cloud Engineer, Cox Automotive Inc. Darrell Shack is a seasoned system engineer focused on building resilient and high-availability solutions. He has experience in developing solutions in the public cloud Amazon Web Services, helping teams manage their cost, and overall application performance in the cloud.
  • 14. 14 “WITH SO MUCH IN THE BUSINESS SUBJECT TO SECURITY RISK, EVERY PERSON HAS A SPECIFIC ROLE TO PLAY.” With so many business operations happening in complex IT infrastructures, security is no longer the responsibility of only the security team or the compliance team. It must be baked in at the executive level and become a part of the business process. Most enterprise operations are driven by people, processes, and technology, and people are often stretched thin. With so much in the business subject to security risk, every person has a specific role to play. Everything needs to be risk driven. This means treating security and compliance risk as part of business risk. It also means talking about security in terms of business cases, which becomes the common language across the enterprise from the C-suite to business operations. Security frameworks and tools play an important role not only in securely managing IT infrastructures, but also in measuring and scoring risk in ways that make sense for business cases. In this way cybersecurity can become a key consideration in important business decisions.
    Mauro Loda, Senior Security Architect, McKesson Mauro Loda is a passionate, data-driven cybersecurity professional who helped define and drive the “Cloud First” strategy and culture within a Fortune 100 multinational enterprise. He is a strong believer in offensive security and simple-but-effective architecture-defense topology. Emotional intelligence, pragmatism and reliability are his guiding principles. He has achieved numerous industry certifications and actively participates in forums, technology councils, and committees.
  • 15. 15 “BUILDING A SECURE, SCALABLE DEVELOPMENT PROCESS DEPENDS ON AUTOMATION TOOLS, BECAUSE ONE SECURITY ENGINEER CANNOT MANUALLY ASSESS ALL THE APPLICATIONS AND SERVICE INSTANCES…” The ultimate goal needs to be to build security into the development process and into the code itself. One way to move in this direction is to change the structure of development teams so that their work has more immediate feedback from customers and business leaders. For example, a typical large project might have 10 developers, a project manager, and a scrum master assigned to it. However, a different approach would be to build a team that consists of three or four developers doing the team coding, working in pairs to check for errors. There would be a systems engineer looking at customer requirements and breaking those down to actionable increments on a scrum board. There would also be a person responsible for the human-centric design, building wireframes before the coding
    Ross Young, Director, Capital One Ross Young is a veteran technologist, innovation expert, and transformational leader, having learned DevSecOps, IT infrastructure, and cybersecurity from a young age from both ninjas and pirates. Young currently teaches master-level classes in cybersecurity at Johns Hopkins University and is a director of information security at Capital One.
  • 16. 16 begins, and using those to get customer validation early in the development process. And of course the team would have its own security engineer overseeing security of the code, and a project manager over the group. This kind of a team, supported with the right tooling, would be a highly agile group designed to receive almost instantaneous feedback at every stage in the development cycle. Part of this process needs to include building in risk sign-off at the business leader or executive level. This would involve evaluating the product for vulnerabilities and risk, taking the finished product along with the risk evaluation to an appropriate executive who can accept or reject the risk. That makes the final decision about operational risk a business decision, not a security-team decision. Building a secure, scalable development process depends on automation tools, because one security engineer cannot manually assess all the applications and service instances a team like this could build. And in a cloud environment, you could easily have many teams like this continuously creating new code. Eventually the goal will be to build security control into the code itself. Security management becomes a function built into the instantaneous-feedback loop developers use to advance their code incrementally. When security policy is built as code, then developers can just test against it.
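
An added example, not taken from the guide or from any contributor: a minimal policy-as-code gate of the kind described above, which checks the dev/staging/prod naming convention and environment isolation before promotion. The resource schema, rule names, and sample inventory are assumptions constructed for illustration.

```python
import re

# Constructed sample inventory (assumed schema): each resource has a name,
# an environment tag, and the names of resources it may reach on the network.
RESOURCES = [
    {"name": "prod-web-01", "env": "prod", "peers": ["prod-db-01"]},
    {"name": "prod-db-01", "env": "prod", "peers": []},
    {"name": "dev-web-01", "env": "dev", "peers": ["prod-db-01"]},  # crosses environments
    {"name": "billing-api", "env": "staging", "peers": []},         # no environment prefix
    {"name": "dev-cache-01", "env": "staging", "peers": []},        # prefix and tag disagree
]

ENVIRONMENTS = ("dev", "staging", "prod")
NAME_RE = re.compile(r"^(%s)-[a-z0-9]+(?:-[a-z0-9]+)*$" % "|".join(ENVIRONMENTS))

def check_naming(res, by_name):
    """Names must start with the environment they are tagged with."""
    m = NAME_RE.match(res["name"])
    if not m:
        return ["name lacks a dev-/staging-/prod- prefix"]
    if m.group(1) != res["env"]:
        return ["name prefix %r does not match env tag %r" % (m.group(1), res["env"])]
    return []

def check_isolation(res, by_name):
    """A resource may only reach peers in its own environment."""
    out = []
    for peer in res["peers"]:
        target = by_name.get(peer)
        if target is None:
            out.append("peer %r is not in the inventory" % peer)
        elif target["env"] != res["env"]:
            out.append("reaches %r in env %r" % (peer, target["env"]))
    return out

POLICIES = {"naming": check_naming, "isolation": check_isolation}

def evaluate(resources):
    """Run every policy over every resource; return (name, rule, message) tuples."""
    by_name = {r["name"]: r for r in resources}
    return [(res["name"], rule, msg)
            for res in resources
            for rule, check in POLICIES.items()
            for msg in check(res, by_name)]

def gate(resources):
    """Exit code for a pipeline step: 0 allows promotion, 1 blocks it."""
    return 1 if evaluate(resources) else 0

if __name__ == "__main__":
    for name, rule, msg in evaluate(RESOURCES):
        print("%s [%s] %s" % (name, rule, msg))
    raise SystemExit(gate(RESOURCES))
```

Run as a pipeline step, the non-zero exit code blocks promotion until the listed violations are fixed, and developers can run the same file locally to test against the policy.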
  • 17. 17 KEY POINTS
      • Having a DevSecOps mindset is extremely important. Thinking about the cloud environment and all the kinds of activities that are happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to get missed.
      • When it comes to deploying applications in the cloud, as you move toward convenience, you lose security. It’s a balancing act. That said, there are tools and processes that can enforce more secure practices.
      • A security heat map can show business leaders where there is security risk, brand risk, product risk, financial risk, and reveal risk trends. With that, you can have business conversations to address these risks, which are all based on highly technical factors.