Skip to main content

Build a Security Culture Within Your Organization

At this year’s AWS Summit Sydney, I was invited to speak about security culture and share a few practical examples of how organizations can build a positive security culture through increased visibility and enablement at all levels. But, what is a positive security culture?

At Xero, we take a customer-centric approach with our product teams. In preparing for my talk, I spoke with another Xero team member who shared his approach to security:

  • If he needs to encrypt at rest, it should be easy.
  • Self-service trumps having to request things from another team, which trumps having to raise a ticket. If it’s too hard, he would do it later.
  • If he needs to patch his instances for vulnerabilities, it has to be easy.

Ultimately, what he wanted was a faster response, fewer tickets, and more enablement for him and his teams. As a principal engineer on one of our product teams, these were now key requirements that he expected my security team to deliver.

Attendees of my AWS Summit presentation went home with four key takeaways, and we will explore them in this post.

Here are the four guiding principles to govern your organization’s security policies:

  1. “Shared responsibility” includes your developers and security partners
  2. Operational visibility is required to embrace DevSecOps
  3. Flexible access management directly helps with the principle of least privilege
  4. Automated compliance (or “Compliance as Code”) is the next big challenge

Let’s drill down into each of these items.

Shared responsibility includes your developers and security partners

It is important to be aware of the shared responsibility model under which public cloud providers operate. This model clearly defines the responsibilities of each party when operating in the public cloud. However, from a practical viewpoint, this model has now been extended even further to include your security partners, who also take on some of the responsibility of safeguarding your digital assets by providing robust controls and visibility. Under DevSecOps, the responsibility is shared even further by entrusting developers to react to security visibility information and to not undermine established security controls.

Within Xero, shared responsibility is a commitment and agreement between our developers, security partners, the public cloud provider itself, and the security team. Increasingly, the security team is not only just the gatekeeper but also the glue that drives and facilitates this extended shared responsibility model between all of these parties.

Operational visibility is required to embrace DevSecOps

When I first deployed security systems into the public cloud more than four years ago, I believed they would largely operate in a similar way to traditional on-premises equivalents. I quickly learned that first I had to understand the different ways these systems would operate.

It is important to make operational visibility a design criteria for security implementations. Use systems that provide meaningful real-time alerts, detailed metrics, and powerful dashboards. This way, you can change the mindset of your developers by providing them access to these tools and truly building on the principle that “security is everyone’s responsibility.”

Our site reliability team often uses the phrase, “if you don’t put a metric on it, how do you know what is ‘normal’?” The key takeaway here is that measuring and monitoring everything is critical, especially when building out a new environment in the public cloud.

Flexible access management directly helps with the principle of least privilege

The traditional approach to access control is to implement human gatekeepers tasked with the responsibility of providing access to systems as requested. At face-value, this approach makes sense, but it starts to break down when:

  • The process is too cumbersome, leading to a greater amount of access being requested “just in case.” The gate is essentially just left open.
  • Gatekeepers do not understand what they’re protecting, leading to the wrong people getting access and defeating the point of security in the process.
  • The logical divide between resource owners and gatekeepers prevents auditing of access.

Today, development teams work quickly and dynamically. Your security processes need to align with this approach or you are at risk of seeing them become redundant. However, this new, highly dynamic nature can be leveraged to benefit security, particularly around adherence to the “least privilege” principle.

At Xero, identity and access requests once came through in the form of tickets; resolving these was often a manual and time-consuming task. In response, our Identity and Access team developed an internal system called PACMAN to enable our product teams to self-serve their identity and access needs. To make it even easier, we made PACMAN accessible via internal tools, including our intranet and Slack channels.

Via PACMAN, our product teams can query the status of their identities within the Xero ecosystem, reset their passwords for all of these identities, and request access to additional AWS accounts. Access is provided as and when it is needed, and administered by those who own the resources rather than by standalone gatekeepers.

Automated compliance is the next big challenge

Many organizations are subject to compliance obligations such as the European Union’s General Data Protection Regulation (GDPR), the information security standard ISO/IEC 27001, Service Organization Control (SOC 2) reporting standard for data in the cloud, and Payment Card Industry Data Security Standard (PCI-DSS). This is challenging when operating many thousands of computing instances and data stores held in hundreds of accounts within the public cloud. This is where manual approaches to compliance start to break down, much in the same way that manual administration in the cloud does.

The answer is to treat policy compliance as a form of automation in itself. A practical example is to conduct real-time conformity scanning against the Center for Internet Security (CIS) cloud benchmarks instead of performing manual checks or using spreadsheets. CIS baseline scanning can be completed using a variety of available tools, with results communicated directly to product teams who own the affected systems.

This enables Risk and Compliance teams to easily demonstrate that policies are adhered to, and they have the ability to generate such reports at-will. In this age where “everything is code,” compliance is no exception.

So, what did I learn?

Making security components available to developers and engineers can be the biggest positive influence on an organization’s security culture. To be successful in doing this, a security team needs to quickly evolve to become just as agile as the product teams around them. This includes operating based on core principles and communicating effectively and often.

Security visibility and enablement improves awareness and ownership across an entire organization, reinforcing the message that security is everyone’s responsibility. Foster a solid security culture and formally distribute security responsibility to other teams within your organization.

Founded in 2006 in New Zealand, Xero is one of the fastest growing software as a service companies globally, leading the New Zealand, Australian, and United Kingdom cloud accounting markets, employing a world-class team of more than 2,000 people. Forbes identified Xero as the World’s Most Innovative Growth Company in 2014 and 2015.

To learn more about making security tangible, join us for a live session on the Shared Responsibility Model: Best Practices for Building a Culture of Security on August 16th at 1 pm (PT).

Security is a Journey - Building a Culture of Security

Aaron McKeown

Written by

Aaron McKeown is the Head of Security Engineering and Architecture at Xero, a cloud-based accounting software company with 1,400,000+ subscribers. Aaron is driving the Xero Cloud Security strategy and is responsible for the implementation and management of technical security on the Xero hosting platform inside Amazon Web Services. Aaron has more than 20 years experience in the architecture and management of complex solutions within the utilities and software industries.

Related Posts

— November 29, 2018

New Security & Compliance Service: AWS Security Hub

This morning’s Andy Jassy keynote was followed by the announcement of over 20 new services across a spectrum of AWS categories, including those in Security and Compliance, Database, Machine Learning, and Storage.  One service that jumped out to me was the AWS Security Hub, currently...

Read more
  • Amazon Web Services
  • re:Invent 2018
  • Security
Alex Brower
— October 17, 2018

Interview: Q&A with John Visneski

Security is a top priority for organizations of all types, with research firm IDC projecting 10% spending growth to $91 billion dollars in 2018. For leadership, security is important considering the cost, regulation, and reputation at stake when breaches occur. According to a joint ...

Read more
  • Security
John Visneski
— October 2, 2018

Building Security Teams in a Competitive Talent Market: These Are The Droids You’re Looking for

John Visneski is the Head of Security and DPO at The Pokemon Company International. To register for Mr. Visneski's Cloud Academy webinar, click here. The reasoning behind the popularity of this perspective is clear, if not unique to the cybersecurity field. Organizations in both the...

Read more
  • Security
Albert Qian
— September 25, 2018

Microsoft Ignites Cloud Industry With Nadella Keynote

On Monday, Microsoft kicked off its Ignite conference, an annual gathering of developers and IT professionals. Over the next week, attendees will learn about upcoming Microsoft innovations in IoT, artificial intelligence, machine learning, and cloud (all while getting some good networki...

Read more
  • Events
  • IoT
  • Machine Learning
  • Security
— August 29, 2018

4 Reasons You Need to Include Business Stakeholders in Cloud Training

Digital transformation is changing how organizations in every industry approach their business strategy, serving as the foundation of their technology initiatives. Chief among this includes cloud adoption, which is not just a path to IT savings, but also increasingly where companies are...

Read more
  • Cloud Adoption
  • Security
Albert Qian
— June 19, 2018

Preparing for the Microsoft Azure 70-535 Exam

The credibility of Microsoft Azure continues to grow in the first quarter of 2018 with an increasing number of enterprises migrating their workloads, resulting in a jump for Azure from 10% to 13% in market share. Most organizations will find that simply “lifting and shifting” applicatio...

Read more
  • Azure
  • Compute
  • Database
  • Security
— May 17, 2018

4 Best Practices to Get Your Cloud Deployments GDPR Ready

With GDPR coming into force later this month, security and compliance will be the top-most priority for any cloud deployment that contains personal data of EU citizens.While leading providers have moved to make their platforms and services compliant, ensuring compliance requires more ...

Read more
  • GDPR
  • Security
— May 7, 2018

AWS Summit London 2018: Our Top Picks

Cloud Academy is proud to be a sponsor of AWS Summit London coming up May 9-10 at the ICC, ExCeL, London.Join us in booth S24, Level 1 where our AWS experts will be on hand to answer your questions and walk you through our latest content and newest platform features.Book a meeting w...

Read more
  • AWS Summits
  • GDPR
  • Security
— March 26, 2018

GDPR Compliance: Low Cost, Zero-Friction Action Items

George Gerchow is Chief Security Officer at Sumo Logic and Adjunct Honorary Lecturer at Cloud Academy. View the on-demand recording of our recent webinar, Establishing a Privacy Program: GDPR Compliance & Beyond with Mr. Gerchow and Jen Brown, Data Protection Officer at Sumo Logic....

Read more
  • GDPR
  • Security
— March 9, 2018

New on Cloud Academy, March ’18: Machine Learning on AWS and Azure, Docker in Depth, and more

Introduction to Machine Learning on AWSThis is your quick-start guide for building and deploying with Amazon Machine Learning. By the end of this learning path, you will be able to apply supervised and unsupervised learning, ML algorithms, deep learning, and deep neural networks on AW...

Read more
  • Cloud Migration
  • Docker
  • Machine Learning & AI
  • Security
— March 2, 2018

Three Must-Use Azure Security Services

Keeping your cloud environment safe continues to be the top priority for the enterprise, followed by spending, according to RightScale’s 2018 State of the Cloud report.The safety of your cloud environment—and the data and applications that your business runs on—depends on how well you...

Read more
  • Azure
  • Security
— February 9, 2018

4 Practices that Should Be Driving Your Security Strategy in 2018

Securing your data and applications in the cloud has never been more important.The headlines are a constant reminder of the disruptive (or calamitous) impact on a business in the wake of a breach. Many of 2017’s most high-profile breaches were a reminder of the vulnerabilities that ca...

Read more
  • Security