“It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.” — Charles Darwin

“DevOps is a set of practices that seeks to reduce the gap between software development and software operation.”

DevSecOps

DevSecOps is really about:
  • automation - getting security into the CI/CD pipeline.
  • monitoring:
    • tracking compliance across multiple cloud accounts and providers.
    • metrics to better track our cloud security posture.
Cloud Security Checklist
  • Directory service.
    If you use identity and access management, you need a directory to keep the identities. Although Microsoft’s Active Directory works just fine, any LDAP-compliant directory will work. Note that you need to deal with security at the directory level as well, so the directory itself does not become a vulnerability.
  • Identity and access management.
    IAM is needed to ensure that you can configure who is who, who is authenticated, and what devices, applications, or data they can access. This gives you complete control over who can do what, and it puts limits on what they can do. These IAM tools are either native to the public cloud platform or come from a third party.
  • Encryption services.
    What specific encryption you need will largely depend on where you are in the world and the types of things you need to encrypt, as well as whether you need to encrypt data at rest, in flight, or both. I say “services” (plural) because you’ll likely use more than one encryption service, including at the file, database, and network levels.
  • Security ops.
    Often overlooked, this is the operational aspect of all of security. Security ops, aka secops, includes the ability to proactively monitor the security systems and subsystems to ensure that they are doing their jobs and that the security services are updated with the latest information they need to keep your system safe.
  • Compliance management.
    Another often overlooked security feature, this is where you deal with those pesky rules and regulations that affect security. No matter if you need to be GDPR-compliant or HIPAA-compliant, this is where you have a console that alerts you to things that may be out of compliance and lets you take corrective action.
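As an added example (not code from this post or from the articles it links), here is the compliance-as-code idea behind the DevSecOps points above and the compliance-management item: controls are evaluated automatically, the results are tracked across several accounts and providers, a posture metric is derived, and a gate decides whether a pipeline may continue. The account inventory, control ids and settings are constructed for illustration only.

```python
# Constructed inventory (not real accounts): the flattened settings a posture
# scanner would collect from each provider's API.
ACCOUNTS = [
    {"id": "prod-aws", "provider": "aws", "mfa_required": True,
     "storage_encrypted": True, "public_storage": False, "audit_logging": True},
    {"id": "dev-aws", "provider": "aws", "mfa_required": False,
     "storage_encrypted": True, "public_storage": True, "audit_logging": True},
    {"id": "analytics-gcp", "provider": "gcp", "mfa_required": True,
     "storage_encrypted": False, "public_storage": False, "audit_logging": False},
]

# Controls as code: (control id, description, predicate over one account).
# The ids and descriptions are made up for this example.
CONTROLS = [
    ("IAM-1", "MFA required for all users", lambda a: a["mfa_required"]),
    ("ENC-1", "storage encrypted at rest", lambda a: a["storage_encrypted"]),
    ("STO-1", "no publicly readable storage", lambda a: not a["public_storage"]),
    ("OPS-1", "audit logging enabled", lambda a: a["audit_logging"]),
]

# Controls whose failure should block a deployment rather than only alert.
BLOCKING = {"IAM-1", "STO-1"}


def evaluate(accounts, controls=CONTROLS):
    """Return (findings, scores): one finding per failing control, and the
    percentage of controls each account passes."""
    findings, scores = [], {}
    for acct in accounts:
        passed = 0
        for cid, desc, check in controls:
            if check(acct):
                passed += 1
            else:
                findings.append({"account": acct["id"], "provider": acct["provider"],
                                 "control": cid, "description": desc})
        scores[acct["id"]] = round(100 * passed / len(controls))
    return findings, scores


def posture_metric(scores):
    """Fleet-wide posture metric: mean per-account score, 0..100."""
    return round(sum(scores.values()) / len(scores)) if scores else 0


def pipeline_gate(findings, blocking=BLOCKING):
    """CI/CD gate: True only if no blocking control fails in any account."""
    return not any(f["control"] in blocking for f in findings)
```

Run `evaluate(ACCOUNTS)` on a schedule for the monitoring side, and `pipeline_gate` on the findings for the account a deployment targets on the automation side; the posture metric is what you would chart over time.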
References
How DevOps Can Save Security
Infoworld - Cloud security: The essential checklist
13 AWS IAM Best Practices for Security and Compliance
What's the fuss with compliance as code
