At this year’s AWS Summit Sydney, I was invited to speak about security culture and share a few practical examples of how organizations can build a positive security culture through increased visibility and enablement at all levels. But, what is a positive security culture?
At Xero, we take a customer-centric approach with our product teams. In preparing for my talk, I spoke with another Xero team member who shared his approach to security:
- If he needs to encrypt at rest, it should be easy.
- Self-service trumps having to request things from another team, which trumps having to raise a ticket. If it’s too hard, he would do it later.
- If he needs to patch his instances for vulnerabilities, it has to be easy.
Ultimately, what he wanted was a faster response, fewer tickets, and more enablement for him and his teams. As a principal engineer on one of our product teams, these were now key requirements that he expected my security team to deliver.
Attendees of my AWS Summit presentation went home with four key takeaways, and we will explore them in this post.
Here are the four guiding principles to govern your organization’s security policies:
- “Shared responsibility” includes your developers and security partners
- Operational visibility is required to embrace DevSecOps
- Flexible access management directly helps with the principle of least privilege
- Automated compliance (or “Compliance as Code”) is the next big challenge
Let’s drill down into each of these items.
Shared responsibility includes your developers and security partners
It is important to be aware of the shared responsibility model under which public cloud providers operate. This model clearly defines the responsibilities of each party when operating in the public cloud. However, from a practical viewpoint, this model has now been extended even further to include your security partners, who also take on some of the responsibility of safeguarding your digital assets by providing robust controls and visibility. Under DevSecOps, the responsibility is shared even further by entrusting developers to react to security visibility information and to not undermine established security controls.
Within Xero, shared responsibility is a commitment and agreement between our developers, security partners, the public cloud provider itself, and the security team. Increasingly, the security team is not only just the gatekeeper but also the glue that drives and facilitates this extended shared responsibility model between all of these parties.
Operational visibility is required to embrace DevSecOps
When I first deployed security systems into the public cloud more than four years ago, I believed they would largely operate in a similar way to traditional on-premises equivalents. I quickly learned that first I had to understand the different ways these systems would operate.
It is important to make operational visibility design criteria for security implementations. Use systems that provide meaningful real-time alerts, detailed metrics, and powerful dashboards. This way, you can change the mindset of your developers by providing them access to these tools and truly building on the principle that “security is everyone’s responsibility.”
Our site reliability team often uses the phrase, “if you don’t put a metric on it, how do you know what is ‘normal’?” The key takeaway here is that measuring and monitoring everything is critical, especially when building out a new environment in the public cloud.
Flexible access management directly helps with the principle of least privilege
The traditional approach to access control is to implement human gatekeepers tasked with the responsibility of providing access to systems as requested. At face value, this approach makes sense, but it starts to break down when:
- The process is too cumbersome, leading to a greater amount of access being requested “just in case.” The gate is essentially just left open.
- Gatekeepers do not understand what they’re protecting, leading to the wrong people getting access and defeating the point of security in the process.
- The logical divide between resource owners and gatekeepers prevents auditing of access.
Today, development teams work quickly and dynamically. Your security processes need to align with this approach or you are at risk of seeing them become redundant. However, this new, highly dynamic nature can be leveraged to benefit security, particularly around adherence to the “least privilege” principle.
At Xero, identity and access requests once came through in the form of tickets; resolving these was often a manual and time-consuming task. In response, our Identity and Access team developed an internal system called PACMAN to enable our product teams to self-serve their identity and access needs. To make it even easier, we made PACMAN accessible via internal tools, including our intranet and Slack channels.
Via PACMAN, our product teams can query the status of their identities within the Xero ecosystem, reset their passwords for all of these identities, and request access to additional AWS accounts. Access is provided as and when it is needed, and administered by those who own the resources rather than by standalone gatekeepers.
Automated compliance is the next big challenge
Many organizations are subject to compliance obligations such as the European Union’s General Data Protection Regulation (GDPR), the information security standard ISO/IEC 27001, Service Organization Control (SOC 2) reporting standard for data in the cloud, and Payment Card Industry Data Security Standard (PCI-DSS). This is challenging when operating many thousands of computing instances and data stores held in hundreds of accounts within the public cloud. This is where manual approaches to compliance start to break down, much in the same way that manual administration in the cloud does.
The answer is to treat policy compliance as a form of automation in itself. A practical example is to conduct real-time conformity scanning against the Center for Internet Security (CIS) cloud benchmarks instead of performing manual checks or using spreadsheets. CIS baseline scanning can be completed using a variety of available tools, with results communicated directly to product teams who own the affected systems.
This enables Risk and Compliance teams to easily demonstrate that policies are adhered to, and they have the ability to generate such reports at-will. In this age where “everything is code,” compliance is no exception.
So, what did I learn?
Making security components available to developers and engineers can be the biggest positive influence on an organization’s security culture. To be successful in doing this, a security team needs to quickly evolve to become just as agile as the product teams around them. This includes operating based on core principles and communicating effectively and often.
Security visibility and enablement improves awareness and ownership across an entire organization, reinforcing the message that security is everyone’s responsibility. Foster a solid security culture and formally distribute security responsibility to other teams within your organization.
Founded in 2006 in New Zealand, Xero is one of the fastest growing software-as-a-service companies globally, leading the New Zealand, Australian, and United Kingdom cloud accounting markets, employing a world-class team of more than 2,000 people. Forbes identified Xero as the World’s Most Innovative Growth Company in 2014 and 2015.
To learn more about making security tangible, watch our webinar on-demand.