The security policy as code imperative for cloud security

How can we provide a jump start for DevOps professionals to build and maintain secure applications?

Sai Gadia

Partner, KPMG LLP

+1 612-305-5087

According to the 2021 KPMG U.S. CEO Outlook survey, 81% of CEOs are confident in the growth prospects of their company; at the same time, they see cyber security risk as one of the top three threats to their organizations' growth. As a result, in 2021 CEOs said they plan to invest more in data security technologies than they did a year ago. It is well established that cyber security is one of the top concerns that may be slowing down digital transformation.

Companies are undergoing rapid digital transformation and their dependency on software has increased. According to KPMG’s 2021 Harvey Nash CIO survey, almost half of the respondents said that the pandemic has permanently accelerated digital transformation.

Companies are not only moving towards modern cloud technologies but also adopting modern software delivery techniques. In essence, organizations are transforming themselves rapidly on many different fronts. Technology is the key enabler; however, it is also introducing a vastly increased attack surface. Therefore, it is no surprise that security and privacy are important investments in the new reality. Intelligent automation overall is a top-5 area of investment, and we foresee that this implies automation in the security space as well. One such area is Infrastructure as Code (IaC), which lets you build cloud infrastructure as code: not only compute resources, but also storage, networking, and security resources. IaC also provides a one-of-a-kind opportunity for consistency in security automation, since this is an area where organizations have historically had either not enough security, or too many windows to watch and too many alerts to analyze, leading to alert fatigue.

In recognition of potential configuration issues with cloud environments and their underlying resources, cloud security posture management (CSPM) tools are becoming commonplace. However, CSPM is a reactive measure: it is a detective control that finds misconfigurations after they have been deployed. The better option is to prevent security issues from creeping into IaC in the first place by scanning it for potential misconfigurations before deployment, and then layering on CSPM as a monitoring mechanism for runtime issues.
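As an added illustration (not part of the original article or of KPMG's SPaC solution), the pre-deployment scan described above can be expressed as a small policy-as-code gate: each policy is a function run over every resource in an IaC plan, and the pipeline refuses to apply the plan if any policy reports a finding. The plan shape, resource names and policy names below are constructed for the example.

```python
import ipaddress

MGMT_PORTS = {22, 3389}

# Constructed sample: a Terraform-style plan reduced to plain resource dicts.
SAMPLE_PLAN = [
    {"type": "aws_security_group", "name": "web", "ingress": [
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
    ]},
    {"type": "aws_s3_bucket", "name": "logs", "acl": "private", "encrypted": True},
    {"type": "aws_s3_bucket", "name": "assets", "acl": "public-read", "encrypted": False},
]

def no_mgmt_ports_from_anywhere(res):
    """Policy: SSH/RDP must not be reachable from a /0 (any-address) CIDR."""
    if res["type"] != "aws_security_group":
        return []
    findings = []
    for rule in res.get("ingress", []):
        if not MGMT_PORTS.intersection(range(rule["from_port"], rule["to_port"] + 1)):
            continue
        for cidr in rule.get("cidr_blocks", []):
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"ports {rule['from_port']}-{rule['to_port']} open to {cidr}")
    return findings

def bucket_not_public(res):
    """Policy: object storage must not carry a public ACL."""
    if res["type"] == "aws_s3_bucket" and res.get("acl", "private").startswith("public"):
        return [f"public acl {res['acl']}"]
    return []

def bucket_encrypted(res):
    """Policy: object storage must have server-side encryption enabled."""
    if res["type"] == "aws_s3_bucket" and not res.get("encrypted", False):
        return ["server-side encryption disabled"]
    return []

POLICIES = [no_mgmt_ports_from_anywhere, bucket_not_public, bucket_encrypted]

def evaluate(plan, policies=POLICIES):
    """Run every policy over every resource; return (policy, resource, detail) findings."""
    return [(p.__name__, res["name"], msg)
            for res in plan for p in policies for msg in p(res)]

def gate(plan, policies=POLICIES):
    """Pipeline gate: True only when the plan has no findings and may be applied."""
    return not evaluate(plan, policies)
```

Running `evaluate(SAMPLE_PLAN)` reports the world-reachable SSH rule and both problems on the `assets` bucket, so `gate` blocks the deployment; the same policy functions can later be re-run against a live inventory to detect drift, which is the CSPM layer the text describes.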

The question remains: While there are plenty of security tools and open-source repositories, how can we provide a jump start for DevOps professionals to build and maintain secure applications? The answer lies in a KPMG security policy as code (SPaC) solution. It consists of the following accelerators:

  1. Security organization transformation strategy, including interaction models with the Cloud Center of Excellence (CCOE) and RACI charts, to rapidly implement SPaC
  2. Policy management framework, including translation of your security and complex regulatory requirements into policy as code. It also has a library of normalized policies to help you demonstrate compliance with multiple frameworks such as NIST 800-53 and ISO 27001.
  3. Security blueprints that codify infrastructure and security policies in one go.
  4. Detailed technical comparative study of third-party security tools, to help you rapidly select one or more open-source and/or third-party tools for multi-cloud security that go far beyond CSP-native capabilities
  5. DevSecOps, automated alert management (including tuning of false alerts) and incident response strategy, leveraging our deep experience in this space

An important caveat: while it is important to have a policy-as-code solution, detective controls continue to play an important role in cloud security, since developers may not have perfect visibility while building cloud solutions.

The goal of putting your initial few SPaC use cases in production should be to learn the process of implementing them. You may even include the buildout of such use cases in your organization's security champion program or hackathons. As more SPaC use cases are implemented, confidence that your build pipeline, your software development, and your runtime environment are trustworthy increases, the likelihood of serious security events decreases, and you can focus on delivering value to your customers. Once SPaC codification is realized, customers can leverage CSP-native or third-party tools to monitor for policy drift. Depending on your maturity in this area, clients can also develop auto-remediation capabilities to correct security exposures without human intervention.

KPMG has been at the forefront of cloud security and we have extensive cyber security experience bringing these disciplines together to assist clients in mitigating cloud risks, and where needed, help rapidly respond and recover when incidents occur.