The Future is Friction-Free: Drive Innovation With DevOps + Security


Moving from a centralized security group that dictates a “command and control” approach to cloud security toward a model of “trust but verify” is at the core of the modern shift toward security-practice democratization. Organizational practices behind legacy, centralized data centers are being rethought, as teams realize that the old methodologies simply can’t scale to support the speed necessary to thrive in today's competitive landscape.


The issue isn’t unique to any one industry. Across the board, businesses need to help securely develop and deploy applications so that the company meets bottom-line expectations and remains competitive. How, then, can DevOps and IT teams work and innovate in a friction-reduced or (we can all dream) friction-free way?


It begins with getting in a room


Whether it’s physically or virtually, getting security and DevOps teams together at the beginning of a project helps set the standard moving forward. Setting weekly or bi-weekly meetings to ascertain the scope of what’s being built or what needs to migrate helps curtail misinformation and misunderstandings, and ultimately enables a more protected product.


Whatever the process—GKE clusters, IAM roles, storage—it’s important to work with key security stakeholders early to get those standards integrated to support the development teams. Collaborative communication tools like Slack can aid greatly in catching changes or vulnerabilities prior to or post-deployment. For example, if someone goes in and makes a change to IAM configuration after deploying, security teams can be alerted via Slack, and then know to go in and check that everything is as it should be.
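One way to build the IAM-change alert described above, as an added example that is not code from the original article. It assumes audit entries shaped like GCP Cloud Audit Logs (`protoPayload.methodName`, `serviceData.policyDelta.bindingDeltas`) and a Slack incoming webhook that accepts a JSON `text` field; the sample entries, the `iam_change_alerts` function, and the high-risk role list are constructed for illustration.

```python
import json

# Constructed sample entries shaped like GCP Cloud Audit Logs (admin activity).
SAMPLE_ENTRIES = [
    {"protoPayload": {
        "methodName": "SetIamPolicy",
        "resourceName": "projects/example-project",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner",
             "member": "user:contractor@example.com"},
            {"action": "REMOVE", "role": "roles/viewer",
             "member": "user:contractor@example.com"}]}}}},
    {"protoPayload": {
        "methodName": "storage.objects.get",
        "resourceName": "projects/_/buckets/example-bucket/objects/a.txt",
        "authenticationInfo": {"principalEmail": "svc@example.com"}}},
]

# Assumption: roles the security team wants called out; adjust to local policy.
HIGH_RISK_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}


def iam_change_alerts(entries):
    """Return one Slack webhook payload per IAM policy change in entries."""
    alerts = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        # Services spell the method differently (SetIamPolicy, SetIAMPolicy).
        if not payload.get("methodName", "").lower().endswith("setiampolicy"):
            continue
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        deltas = (payload.get("serviceData", {})
                  .get("policyDelta", {}).get("bindingDeltas", []))
        lines = [f"IAM policy changed on {payload.get('resourceName', 'unknown')} by {actor}"]
        for d in deltas:
            risky = d.get("action") == "ADD" and d.get("role") in HIGH_RISK_ROLES
            flag = " [HIGH RISK]" if risky else ""
            lines.append(f"- {d.get('action')} {d.get('role')} for {d.get('member')}{flag}")
        if not deltas:
            lines.append("- no binding delta in the entry; review the policy manually")
        # Slack incoming webhooks accept a JSON body with a "text" field.
        alerts.append({"text": "\n".join(lines)})
    return alerts


if __name__ == "__main__":
    for alert in iam_change_alerts(SAMPLE_ENTRIES):
        print(json.dumps(alert, indent=2))
```

Each returned payload can be sent as the JSON body of a POST to the team's webhook URL; the fallback line covers entries that record a policy write without a delta, so the change still reaches a reviewer.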


As development and security teams integrate these types of simple alerts, and auto-shutdowns of instances are avoided, they begin to alleviate perceived friction and define an efficient macro-level working ..
