Sane Security Practices
Disclaimer: My views are my own, unrelated to my past, present or future employer.
For the longest time, IT systems remained secure in datacenters, with secure network devices, physical security and firewalls. I worked in datacenters in the era when cloud was just starting up, and nobody really seemed interested in cloud in those days. Access to these systems was from within the LAN, and sometimes I even had to work from the server console inside the really cold server room. Imagining those days in the era of COVID makes me wonder what we would have done if we had no cloud. Imagine the disruption that would have caused. The scale of shutdown it would have caused is unimaginable, as everything from hospitals to insurance providers to transport to pharma depends on these systems.
The new buzzword all around is cybersecurity. In the past year most cloud providers, such as Azure, AWS, GCP and Oracle, have released and invested massively in security: features for compliance, dashboards for a clear view, blueprints that help build secure systems, policies and tools to identify issues in systems, and notifications in case of real threats. It has been a huge improvement overall. While these tools existed in the past, they were never as robust as they are now.
One consistent issue with most projects is that there is very little focus on security at the early stages. I am not trying to generalize, but based on my observation over the last few years, the focus is to lift and shift, or just keep it running as it was on the private cloud. Public cloud is a whole new ball game; identity security is paramount there. We all know least privilege has to be assigned, but again that is not a focus area in the early stages. Let's just install a server and move all the data; if it is open to the internet, let's deal with that later. Even having worked with some vendors, I realized their sole focus was to spin up resources and just get it working. There were even a few cases where pen testing reports contained test data and no real testing had been done, and these were vendors selling SaaS security products. Imagine using them to secure your systems. This is a true story, by the way, though I leave it up to the reader to discover this someday when there is a breach.
This gets you to question how to build system designs. I have some interest in system design after watching some interesting videos. When I tried looking up a few case studies, most people never focused on security at the system design stage. It seemed like something to add on later after you have everything up and running. Then how do we build secure systems? How do our developers build security into systems rather than adding security to systems?
As I stated earlier, system design needs to include security at the early stages, as it is easier and less costly later if systems are built securely from the start. Again, with the recent push to move everything to the cloud as soon as possible and build cloud-native systems later, I see systems out there dangling insecurely in the cloud. There are tools which make this simpler at the early stages, rather than breaking systems to secure them later.
So, if you did not or could not focus on security at the early stage, it has to be done post go-live, or even in early dev stages. With so many cloud-native tools and vendor tools out there, it is difficult to choose. Many times there are cloud-native tools at no additional cost, and there are even open-source tools that help with this. So identify the one which fulfils your needs. Break it down per cloud provider, and identify technology which works for all workloads and clouds. There is a lot of duplication in tooling, which makes security expensive, which again leads to not-so-great "cost-based security" decisions.
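As an added illustration of the kind of check such tooling performs at the early stage (this is example code written for this page, not the author's or any vendor's tool, and the resource format is a simplified invented one rather than any cloud provider's schema), here is a small policy-as-code scan that flags the two mistakes the post keeps returning to: services left open to the whole internet, and identities granted far more than least privilege. The sample definitions at the bottom are constructed: a "lift and shift, get it working" configuration beside a hardened version of the same resources.

```python
"""Minimal policy-as-code check for two early-stage cloud mistakes:
admin/database ports exposed to the whole internet, and wildcard
(non-least-privilege) identity permissions.

Added example for this article. The resource dictionaries use a made-up,
simplified format; the port list and check names are assumptions.
"""

import ipaddress

# Listeners that should never be reachable from 0.0.0.0/0 or ::/0.
# Assumption for this example; tune the set to your own standard.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
               5432: "postgres", 6379: "redis", 27017: "mongodb"}


def _is_public(cidr):
    """True if the CIDR covers the entire internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_in_range(port, rule):
    """True if the rule's port range (defaults to all ports) includes port."""
    return rule.get("from_port", 0) <= port <= rule.get("to_port", 65535)


def check_network(resource):
    """Flag ingress rules exposing admin/database ports to the internet."""
    findings = []
    for rule in resource.get("ingress", []):
        if not _is_public(rule["cidr"]):
            continue  # scoped to a private range: fine for this check
        for port, name in ADMIN_PORTS.items():
            if _port_in_range(port, rule):
                findings.append(
                    f"{resource['name']}: {name} ({port}) open to {rule['cidr']}")
    return findings


def check_identity(resource):
    """Flag Allow statements granting every action on every resource."""
    findings = []
    for stmt in resource.get("statements", []):
        if stmt.get("effect", "allow").lower() != "allow":
            continue
        if "*" in stmt.get("actions", []) and "*" in stmt.get("resources", []):
            findings.append(
                f"{resource['name']}: allows * on * (not least privilege)")
    return findings


def scan(resources):
    """Run every check over a list of resources; an empty list means clean."""
    checks = {"security_group": check_network, "role_policy": check_identity}
    findings = []
    for res in resources:
        findings.extend(checks.get(res["type"], lambda _: [])(res))
    return findings


# Constructed sample: the "just get it working" definitions ...
LIFT_AND_SHIFT = [
    {"type": "security_group", "name": "app-sg",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535}]},
    {"type": "role_policy", "name": "app-role",
     "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
]

# ... and the same resources after applying least privilege.
HARDENED = [
    {"type": "security_group", "name": "app-sg",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
                 {"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
    {"type": "role_policy", "name": "app-role",
     "statements": [{"effect": "Allow", "actions": ["storage:GetObject"],
                     "resources": ["bucket/app-data/*"]}]},
]

if __name__ == "__main__":
    for label, cfg in (("lift-and-shift", LIFT_AND_SHIFT), ("hardened", HARDENED)):
        found = scan(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Wired into a deployment pipeline, a non-empty result from `scan` should fail the build, so the open port or wildcard role is caught before go-live rather than in a breach report; the same checks can also be run against already-deployed resources for the post go-live case described above.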
Too much focus on methods:
There seems to be a rush all around to adopt all types of methodologies which might not work for security practices. There needs to be clear consideration of what works and what does not. We sometimes need to tweak a process to save time and cost. Strict adherence to processes which only cost time makes security complicated. In turn, it creates an all-round culture of bypassing secure processes, as the process to get secure is itself more complicated. Too much paperwork, too many meetings, too many chaotic tools and too many reports all make it impracticable.
Decouple complicated processes:
The key to getting things in line is to make fixing things easier. Have a step-by-step approach with security and engineering working side by side. Most times a mindset shift is needed, and that mindset has to be built at the base level. A VP cannot fix a server or database that is open to the internet. While he or she can make policies around it, there is still the engineer who needs to understand the implication of such a violation. Make it matter to everyone; make it a criterion for team success. Otherwise, it will continue to be difficult to manage the process.