At this year’s AWS Summit Sydney, I was invited to speak about security culture and share a few practical examples of how organizations can build a positive security culture through increased visibility and enablement at all levels. But, what is a positive security culture?
At Xero, we take a customer-centric approach with our product teams. In preparing for my talk, I spoke with another Xero team member who shared his approach to security:
- If he needs to encrypt at rest, it should be easy.
- Self-service trumps having to request things from another team, which trumps having to raise a ticket. If it’s too hard, he would do it later.
- If he needs to patch his instances for vulnerabilities, it has to be easy.
Ultimately, what he wanted was a faster response, fewer tickets, and more enablement for him and his teams. As a principal engineer on one of our product teams, these were now key requirements that he expected my security team to deliver.
Attendees of my AWS Summit presentation went home with four key takeaways, and we will explore them in this post.
Here are the four guiding principles to govern your organization’s security policies:
- “Shared responsibility” includes your developers and security partners
- Operational visibility is required to embrace DevSecOps
- Flexible access management directly helps with the principle of least privilege
- Automated compliance (or “Compliance as Code”) is the next big challenge
Let’s drill down into each of these items.
Shared responsibility includes your developers and security partners
It is important to be aware of the shared responsibility model under which public cloud providers operate. This model clearly defines the responsibilities of each party when operating in the public cloud. However, from a practical viewpoint, this model has now been extended even further to include your security partners, who also take on some of the responsibility of safeguarding your digital assets by providing robust controls and visibility. Under DevSecOps, the responsibility is shared even further by entrusting developers to react to security visibility information and to not undermine established security controls.
Within Xero, shared responsibility is a commitment and agreement between our developers, security partners, the public cloud provider itself, and the security team. Increasingly, the security team is not only just the gatekeeper but also the glue that drives and facilitates this extended shared responsibility model between all of these parties.
Operational visibility is required to embrace DevSecOps
When I first deployed security systems into the public cloud more than four years ago, I believed they would largely operate in a similar way to traditional on-premises equivalents. I quickly learned that first I had to understand the different ways these systems would operate.
It is important to make operational visibility design criteria for security implementations. Use systems that provide meaningful real-time alerts, detailed metrics, and powerful dashboards. This way, you can change the mindset of your developers by providing them access to these tools and truly building on the principle that “security is everyone’s responsibility.”
Our site reliability team often uses the phrase, “if you don’t put a metric on it, how do you know what is ‘normal’?” The key takeaway here is that measuring and monitoring everything is critical, especially when building out a new environment in the public cloud.
Flexible access management directly helps with the principle of least privilege
The traditional approach to access control is to implement human gatekeepers tasked with the responsibility of providing access to systems as requested. At face value, this approach makes sense, but it starts to break down when:
- The process is too cumbersome, leading to a greater amount of access being requested “just in case.” The gate is essentially just left open.
- Gatekeepers do not understand what they’re protecting, leading to the wrong people getting access and defeating the point of security in the process.
- The logical divide between resource owners and gatekeepers prevents auditing of access.
Today, development teams work quickly and dynamically. Your security processes need to align with this approach or you are at risk of seeing them become redundant. However, this new, highly dynamic nature can be leveraged to benefit security, particularly around adherence to the “least privilege” principle.
At Xero, identity and access requests once came through in the form of tickets; resolving these was often a manual and time-consuming task. In response, our Identity and Access team developed an internal system called PACMAN to enable our product teams to self-serve their identity and access needs. To make it even easier, we made PACMAN accessible via internal tools, including our intranet and Slack channels.
Via PACMAN, our product teams can query the status of their identities within the Xero ecosystem, reset their passwords for all of these identities, and request access to additional AWS accounts. Access is provided as and when it is needed, and administered by those who own the resources rather than by standalone gatekeepers.
Automated compliance is the next big challenge
Many organizations are subject to compliance obligations such as the European Union’s General Data Protection Regulation (GDPR), the information security standard ISO/IEC 27001, Service Organization Control (SOC 2) reporting standard for data in the cloud, and Payment Card Industry Data Security Standard (PCI-DSS). This is challenging when operating many thousands of computing instances and data stores held in hundreds of accounts within the public cloud. This is where manual approaches to compliance start to break down, much in the same way that manual administration in the cloud does.
The answer is to treat policy compliance as a form of automation in itself. A practical example is to conduct real-time conformity scanning against the Center for Internet Security (CIS) cloud benchmarks instead of performing manual checks or using spreadsheets. CIS baseline scanning can be completed using a variety of available tools, with results communicated directly to product teams who own the affected systems.
This enables Risk and Compliance teams to easily demonstrate that policies are adhered to, and they have the ability to generate such reports at-will. In this age where “everything is code,” compliance is no exception.
So, what did I learn?
Making security components available to developers and engineers can be the biggest positive influence on an organization’s security culture. To be successful in doing this, a security team needs to quickly evolve to become just as agile as the product teams around them. This includes operating based on core principles and communicating effectively and often.
Security visibility and enablement improves awareness and ownership across an entire organization, reinforcing the message that security is everyone’s responsibility. Foster a solid security culture and formally distribute security responsibility to other teams within your organization.
Founded in 2006 in New Zealand, Xero is one of the fastest growing software-as-a-service companies globally, leading the New Zealand, Australian, and United Kingdom cloud accounting markets, employing a world-class team of more than 2,000 people. Forbes identified Xero as the World’s Most Innovative Growth Company in 2014 and 2015.
To learn more about making security tangible, watch our webinar on-demand.
New Content: Platforms, Programming, and DevOps – Something for Everyone
This month our team of expert certification specialists released three new or updated learning paths, 16 courses, 13 hands-on labs, and four lab challenges! New content on Cloud Academy You can always visit our Content Roadmap to see what’s just released as well as what’s coming soon....
Cloud Academy’s AWS re:Invent 2020 Recap & Highlights
Now that the dust has settled on re:Invent 2020 — probably the most uniquely delivered AWS conference ever — we think it’s high time we get you a healthy recap of the top highlights from the three weeks. After all, no one’s really asking people to pay attention to every technologica...
Docker Image Security: Get it in Your Sights
For organizations and individuals alike, the adoption of Docker is increasing exponentially with no signs of slowing down. Why is this? Because Docker provides a whole host of features that make it easy to create, deploy, and manage your applications. This useful technology is especiall...
VPN Encryption: How to Find the Best Solution
Each day there are 2.5 quintillion bytes of data created. People in all corners of the earth use the internet all day, every day. When we browse social media, conduct transactions, and search the web, we're leaving behind a digital footprint. Encryption helps you protect the data yo...
Blog Digest: Which Certifications Should I Get?, The 12 Microsoft Azure Certifications, 6 Ways to Prevent a Data Breach, and More
This month, we were excited to announce that Cloud Academy was recognized in the G2 Summer 2020 reports! These reports highlight the top-rated solutions in the industry, as chosen by the source that matters most: customers. We're grateful to have been nominated as a High Performer in se...
6 Ways to Prevent a Data Breach
The cloud is a new territory for the digital world. But with all of its benefits, there also come risks and dangers. If your business depends on the cloud to store data, you’re probably facing a number of problems about how to best secure your data. According to studies, as many as 95 p...
Blog Digest: 5 Reasons to Get AWS Certified, OWASP Top 10, Getting Started with VPCs, Top 10 Soft Skills, and More
Thank you for being a valued member of our community! We recently sent out a short survey to understand what type of content you would like us to add to Cloud Academy, and we want to thank everyone who gave us their input. If you would like to complete the survey, it's not too late. It ...
OWASP Top 10 Vulnerabilities
Over the last few years, more than 10,000 Open Web Application Security Project (OWASP) vulnerabilities have been reported into the Common Vulnerabilities and Exposures (CVE®) database each year. This is a list of common identifiers for publicly known cybersecurity vulnerabilities. Curr...
Blog Digest: AWS Breaking News, Azure DevOps, AWS Study Guide, 8 Ways to Prevent a Ransomware Attack, and More
New articles by topic AWS Azure Data Science Google Cloud Cloud Adoption Platform Updates & New Content Security Women in Tech AWS Breaking News: All AWS Certification Exams Now Available Online As an Advanced AWS Technology Partner, C...
8 Ways to Protect Your Data From a Ransomware Attack
Ransomware attacks have continued to grow both in scope and audacity over the past several years. This type of malware has become one of the biggest cybersecurity threats for enterprises, and experts predict the situation is only going to get worse. The WannaCry ransomware incident o...
Cloud Academy’s Blog Digest: How Do AWS Certifications Increase Your Employability, How to Become a Microsoft Certified Azure Data Engineer, and more
With everything going on right now, it's likely that the only thing you've been reading lately is related to the coronavirus pandemic. It's important to stay informed during these times, but it's also good to jump into something that can take your mind off of the current situation for j...
Azure Security: Best Practices You Need to Know
When it comes to Azure Security best practices, where do you begin? In a lot of ways, Azure is very similar to any other data center. But with that said, Azure can also be very different. Securing Azure can pose many unique challenges. The security of resources hosted in Azure is of the...