Security By Design?

With the cloud adoption, the security needs to be rethought and the approach needs a fresh look. The traditional approach to the security is restrictive and control driven. With cloud in the center the agility and speed are key drivers for the adoption. The security needs to be integrated right from the development & programming process, with DevOps pipeline and automated surveillance. This has led to Security by Design.

Security by design is an approach to build the application and systems which have one of the key design parameters as security. This approach is opposite to the working in the environment where security is audit driven and afterthought. Security by design is an approach where you consider that malicious practice is expected to happen, design should be such that it has minimal impact due to any of such security attack or malicious activity. The design of any system or application should consider graceful handling of such malicious acts /events by following approach. 

  • Build a zero-trust approach, privileges and access should be highly classified
  • Anticipate security vulnerabilities and discover security vulnerabilities as you develop code
  • Real time Logging and Monitor the systems
  • Control Vs Surveillance – Build system which provides real-time security audit control

Security by design is achieved in 4 phases

Phase 1: Requirements definition and security outline:

Security requirements depend on the criticality of the system and the level of security required. The security enablement is taxing and complex, this needs additional layers of engineering, it becomes important to define the level of security required. The security control matrix should be well defined to make sure we have the requirement definition broken down into different controls. The security standards also help to build the control matrix required for the different IT systems.

Phase 2: Build DevOps pipeline with automated security validations and verification:

The security needs to be integrated in the coding practices and the validation needs to be part of the build and deployment process integrated into the DevOps pipeline. This helps in identifying the security loopholes at the coding level, making sure the system is secure to handle the code level malicious attacks. Defining the right tool chain for DevOps pipeline, which has built-in security level code validations is required. This also helps in the making sure that the code quality is high through the development life cycle.

Phase 3: Identify the tools for different layers of security:

Security needs different layers to make sure IT system is secure. These layers can be divided into the following areas

  • Infrastructure
  • Network
  • Operating system
  • Code and Data layer

We need to identify the requirement of the security systems at all the levels and build automated tool chain to handle different layers.

Phase 4: Setup Real-time security audit controls:

The continuous audit and compliance are key metrics to measure the security of IT systems. In the dynamic cloud environment need to real-time compliance audit and reporting. This makes sure the systems are secure as per the control requirements. This is achieved by building automated governance systems for controls to be audited in the real-time.

Cloudlytics – SaaS based tools, cloud security and automated audit compliance.

Cloudlytics has been built by keeping in mind the requirement of phase 3 and phase 4 mentioned above. Cloudlytics helps with automated real-time governance and audit controls. It has building blocks for the strong real-time monitoring of the cloud environments.

Cloudlytics provides per-packaged automated real-time audit compliance to industry standards on Cloud such as PCI, HIPPA, GDPR, MAS, ISO and others.

Future of security by design:

With the development in the field of Machine Learning (ML) the automated validation and verification will be done to extend to self-healing systems. The compliance and automated audit will automate the self-control needs and build on the control requirement. This will help in defining the controls as and when new vulnerabilities are identified. Machine Learning and advance analytics will chance the security landscape completely.

Share this post

ABOUT THE AUTHOR

Veeraj Thaploo

Veeraj Thaploo

Veeraj Thaploo is the co-founder & CTO at Blazeclan and Director at Cloudlytics. Veeraj is renowned for his expertise with cloud, automation, and analytics solutions. Over the last 15 years, he has been instrumental in delivering transformative cloud migration solutions for businesses across the globe. At Cloudlytics, he spearheads the product architecture that helps businesses secure their cloud assets.

TOP STORIES

Automating the Well-Architected Review Process

September 20, 2022

Achieving a Well-Architected SaaS Platform

September 17, 2022

A Dive Into AWS Well-Architected Framework For Financial Services

September 15, 2022

AWS Well-Architected Framework – Updated Checklist

September 12, 2022

Reflecting on Top Myths Around Cloud Infrastructure Security

June 28, 2022

Major Security Benefits of Cloud Computing

June 24, 2022

We are now live on AWS Marketplace.
The integrated view of your cloud infrastructure is now easier than ever!