While cloud computing has promised to simplify the management of business-technology systems, it hasn’t exactly turned into a net simplification when it comes to security. Sure, cloud infrastructure platforms remove the complexity of having to secure the underlying infrastructure, and software-as-a-service and platform-as-a-service providers simplify many aspects of application security.
These platforms are cost effective and easy to install, which has led to a dramatic increase in the consumption of cloud applications and the dissemination of data outside of the enterprise. It has also disassembled the centralized control of application and computing that IT once enjoyed.
On the upside, cloud has helped usher in new ways enterprises release applications into production. When it comes to applications developed in-house, cloud (and associated development and deployment tools) has played a big role as a catalyst for the DevOps movement and made continuous integration and continuous delivery possible. Continuous integration and continuous delivery have shattered traditional waterfall development in most enterprises and have accelerated application deployment to speeds security testing teams previously wouldn’t have believed possible.
With security complexity rising, how can enterprises make themselves more resilient? By leveraging the same technologies, cloud and continuous assessment, to make security just as agile as the rest of the environment.
The first step: optimize the environment being secured with tools that are native to that specific environment. For instance, cloud environments need cloud security: not some monstrosity held together by baling wire that runs cloud traffic back through on-premises systems.
As more apps and IT resources are cloud-based, on-premises security servers and appliances need to be set aside, unless they are necessary for specific tasks. These approaches just aren’t working in today’s environments. They are not agile enough and not extensible enough.
With cloud tools in place for everything from vulnerability and configuration assessments through to identity management, enterprises can more easily move from periodic, occasional security and compliance monitoring to continuous security and compliance monitoring. And the environment will go a long way toward becoming much more resilient.
For those just getting started adding continuous security monitoring to their organizations, an ideal place to start is where adversaries would start. This could be important apps, servers, or databases that hold valuable client information, medical or financial information, or intellectual property. It all depends on the kind of business. Pick the data and systems most valuable to the business – or what would be valuable to potential attackers – and start to look for ways to continuously monitor and assess these systems.
If you aren’t sure what systems these may be and how to prioritize, start working closely with compliance and operations teams, application owners and security teams. Get their advice and help. This way you will best identify the most critical and valuable systems and data to target with your continuous monitoring efforts.
When it comes to those continuous delivery pipelines, application security needs to be embedded into the development process with continuous functional security tests, vulnerability tests, and tests on the application logic. And, as noted, the production environment needs to be continuously monitored for vulnerabilities that may slip through testing or are created through misconfigurations.
While cloud computing may not have brought the age of simplified enterprise computing many hoped for, at least when it comes to security and enterprise-wide manageability, the good news is that, if the same tools and continuous processes are put to work when it comes to security, it becomes much more straightforward for enterprises to keep their systems secure and resilient.
*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: https://blogs.dxc.technology/2018/10/22/continuous-processes-complicate-security-but-also-provide-an-answer/