Cloud security
Trend 16: Secure landing zones gain prominence for cyber resilience and security as a built-in culture
Enterprises are increasingly adopting public cloud platforms such as Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP). However, distributed models of these cloud environments have become a newer security issue for enterprises. Multiple accounts or subscriptions are created based on departments (e.g., marketing, sales, HR, IT) or criticality (e.g., production, nonproduction, sandbox, test). Full authorization and administration are provided at the resource, resource group, or subscription/account level.
The enforcement of standardized security across multiple environments (e.g., subscriptions, accounts, projects) through guardrails and centralized security controls ensures cyber resilience across distributed enterprise clouds and creates security as a built-in culture. Centralized security controls include identity and access management, logging, encryption, network security, etc. Secure landing zone architecture and approach provide these functionalities from the foundation to operations.
A leading American food manufacturing company partnered with Infosys to design and build a foundational cloud on GCP, following the secure landing zone approach. The provisioning of GCP organizational policies to native and third-party security controls was done through codification based on HashiCorp's Terraform, ensuring faster delivery of the environment and secure cloud from day one.
Cloud security
Trend 17: Cloud security as code ensures continuous compliance in production
A wide range of security solutions is natively available from cloud service and cloud security-focused providers. However, these providers need to employ the latest advancements and strengthen the implementation framework to empower developers to use cloud services without compromising security controls.
Now, it is a mainstream practice to codify the security of cloud services and policies and embed them into DevSecOps and rugged DevOps. These practices emphasize the shift-left approach of cloud security to codify it in the software engineering and provisioning life cycles. Provisioning and configuration management tools from cloud service providers and open tools such as Ansible and Terraform codify security policies and controls such as cloud IDAM, Key Vault firewalls, etc. Tools such as HashiCorp's Sentinel and Pulumi help codify organizational security policies. These codified security controls should be part of the CI/CD pipeline to ensure security misconfiguration is avoided early and validated with security-testing DAST solutions that ensure continuous compliance in production.
A leading American automotive company wanted to automate its infrastructure setup and security configuration “as code.” It involved meeting software requirements, establishing necessary cloud security controls, and integrating SailPoint Identity IQ into its DevOps pipeline. Following the implementation, the company achieved fully compliant resources on AWS in under 30 minutes.
