In my Cloud Native Security postings I put on my CISO hat and discuss how cloud-native improves your security posture. In this post I discuss how cloud-native enables us to get past all the non-differentiating security tasks and on to the tasks where you are the security expert. You are the expert of your business domain and you need to focus your security efforts on maintaining your users’ privacy.
Throughout my posts I discuss how cloud-native enables companies to be lean and deliver business value continuously. Yet, security tends to be an opposing force that slows us down. When push comes to shove it is not uncommon for security to get the short end of the stick. This is where the cloud’s shared responsibility model comes to the rescue. The shared responsibility model essential draws a line across the technology stack where the cloud provider is responsible for the security below that line and you are responsible for the security above that line. Where that line is drawn depends on what cloud services you are using. The serverless-first approach raises that line higher then any other approach because of the extent that it relies on using fully managed cloud services. Thus serverless-first handles most of the non-differentiating tasks so you can focus you security energies on your business domain.
Next we need to put a safety net in place so that teams can focus on their domain with confidence that the security basics are covered. Security governance and auditing must be completely automated and continuous. They cannot be a bottleneck. Security tests must be a part of the continuous deployment pipelines so that we assert security policies before pushing changes to production. Cloud security services must be setup to continuously assert that the system is still following your security policies in production. We then leverage the very high observability of our cloud-native system and continuously monitor and alert on its status. When a security problem is identified we capitalize on the speed of our continuous deployment practices to minimize the time to recovery. And of course, security is everyone’s responsibility so we must mentor and empower the self-sufficient full-stack teams that own the services.
But to err is human. I continually focus (such as here and here) on how we must put bulkheads in place to minimize the blast radius when mistakes are made. When a security mistake is made the impact falls on your data. It is the data that leaks. Your users’ data is the prize. Unless you have taken measures to ensure the privacy of your data in the case of a breach. Yes, the bulkhead I am referring to here is encryption at rest. But just flipping the switch on your databases or storage drives to turn on encryption is not enough. That only ensures that the data is encrypted when the hardware is stolen, not when it is improperly accessed by a hacker through an accidental security hole.
This is why I advocate for application level envelope encryption using the cloud provider’s encryption service. It is actually straight forward to implement. I have previously provided examples here and here. This is where you need to focus your efforts. It is your business domain, you are the expert. You know the value of your data and which elements must remain private. All the non-differentiating efforts above are just the first line of defense. Mistakes will be made, your security perimeter will eventually be breached. But you got past the basics and secured your data, so when it leaks it will be redacted.
Stop treading water below the serverless shared responsibility line. Trust but verify with automated governance. Focus on securing your domain. Delegate everything else.