Addressing Security and Compliance to Accelerate Application Modernization
Organizations in the tech industry are feeling tremendous pressure to modernize due to the following factors:
- Regulatory changes and customer mandates from disruptive newcomers who are using technology to change the rules of the game.
- Increased focus on speed-to-market and time-to-value to rapidly deploy applications that are integrated inside and outside of the company.
I believe that the modernization of applications is essential for a digital transformation.
What is one of the biggest barriers to public or private cloud transformation efforts? You guessed it: security, compliance and privacy are all barriers to modernization efforts (on top of an organization’s resistance to change, cost, skill-set gaps, etc.). Application modernization accelerates your understanding of security exposures and mitigates them in the following ways:
- Stops information leakage (data breaches)
- Quickly identifies vulnerabilities
- Automates risk reporting
- Addresses shadow IT-related governance risk
- Reduces loss of customers and reputational impact
- Improves operational maturity
How can you help your organization accelerate through roadblocks to resolution?
In my experience leading my company’s application services, I’ve seen how the digital transformation of applications revolves around these four pillars:
- Customer Experience: Experience design (journey map), customer touchpoints;
- Connected Operations: Internet of Things (IoT), robotic process automation (RPA);
- Business Model: Digital adaptable business, team of teams, culture and talent;
- Distributed Intelligence: Advanced data analytics (predictive and prescriptive), AI and ML, test-driven development.
This assumes you have already defined the unique market differentiators, business architectures and capabilities for your modernization journey (typically using the TOGAF enterprise architecture framework). All four pillars only operate if they are secure by design, so a couple of hard security questions you need to answer are: What are the top threats to public and/or private cloud computing? How will we protect networks and data in the era of GDPR?
The following is a framework or process blueprint that attempts to answer the hard questions.
Step 1: Leverage DevSecOps for applications.
IT security and DevOps are converging to empower teams to deliver secure-by-design apps, forming a DevSecOps practice that builds security into every phase of the software lifecycle. A DevSecOps framework improves app security and reduces cybersecurity risks and costs while improving applications’ time-to-value.
Establish three pillars for your DevSecOps framework (refer to my previous Forbes Councils article for guidance on creating the operating model aligned to business priorities):
- Shared Responsibility And Collaboration: One of the challenges to embedding security in DevOps is changing the organization’s mindset and behaviors regarding software security. Developers are not only “security-aware” but can act as the first line of defense. A security-aware and collaborative culture is necessary for the members of all functional teams to report potential anomalies.
- Bridge Compliance And Development: Risk-related requirements are difficult to translate into security requirements that can be easily measured over time. Typically, privacy and compliance requirements are poorly translated into DevOps and product requirements. To address this challenge, translate applicable controls into appropriate software components (e.g., policy-as-code) and make the regulatory (privacy and compliance) function part of the evolving agile SDLC process (i.e., Scrum or Kanban).
- Actionable Insights Automation (Measure, Monitor, Report): Organizations have a proliferation of point solutions that are hard to deploy, harder to operationalize and ultimately do not provide actionable insights that help mitigate the true security risks. The main speed-to-market bottleneck is manual testing, deployment and patching.
To address this, establish a holistic end-to-end automation framework that deploys applications securely, with automated code and security quality checks that reduce vulnerabilities. For example, consider adding continuous security validation with both static and dynamic security code analysis (e.g., Veracode or WhiteHat), and continuous, dynamically configured monitoring of your app stack and pipeline to close blind spots (e.g., Dynatrace or AppDynamics).
Step 2: Leverage Cloud Security Alliance (CSA) resources to jump-start risk assessment.
Leverage the following artifacts to jump-start assessing the overall security risk of a cloud provider after you establish a DevSecOps practice:
- Refer to the application, interface, data integrity and security controls in the Cloud Controls Matrix (CCM) (download required) to shortcut the time-consuming task of configuring your new public or private cloud to comply with standards (e.g., FedRAMP, NIST, COBIT, HIPAA), and create your own controls using the CSA Reference Architecture.
- Using the CSA STAR certification registry, you should be able to quickly validate a cloud provider’s credentials and enforce shared responsibility and accountability.
- Don’t reinvent the wheel for the EU General Data Protection Regulation; refer to the CSA Code of Conduct for GDPR.
Step 3: Adopt emerging container technology to enable DevSecOps and migrate your legacy app workloads to a public/private cloud platform securely.
Emerging infrastructure is driving the rapid growth of containers and container orchestration platforms (Kubernetes) as a part of DevSecOps. According to Gartner, 75% of enterprises will run apps in containers by 2022, versus 30% of companies today. I recommend adopting Kubernetes to enable DevSecOps with the following capabilities (making sure the out-of-the-box container security features, i.e., Kubernetes Secrets, secure registries, etc., are implemented to reduce the attack surface with minimum privileges):
- Deployment automation (continuous integration and continuous delivery)
- Infrastructure and configuration as code
- Immutable infrastructure
- Environment consistency
- Zero downtime deployments
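As an added example (not code from the article or any product it names), here is a small policy-as-code gate, in the sense of the "Bridge Compliance And Development" pillar, that a CI pipeline could run over a Kubernetes Deployment manifest before it is applied. Each check encodes one of the container controls named in Step 3: credentials must come from Kubernetes Secrets rather than inline values, images must be pulled from a secure approved registry, and containers must run with minimum privileges. The registry name, the regular expression for secret-looking variables and the manifest are constructed assumptions.

```python
"""Policy-as-code gate for a Kubernetes Deployment (added example, not from the article).
Each check encodes a control the article names: secrets via Kubernetes Secrets, images
from a secure (approved) registry, and minimal privileges. All sample data is constructed."""
import re

APPROVED_REGISTRIES = ("registry.internal.example",)  # assumption: the corporate registry
SECRET_LIKE = re.compile(r"PASSWORD|TOKEN|SECRET|API_KEY", re.IGNORECASE)


def check_container(container):
    """Return the policy violations (strings) for one container spec."""
    findings = []
    name = container.get("name", "<unnamed>")
    image = container.get("image", "")
    if not any(image.startswith(reg + "/") for reg in APPROVED_REGISTRIES):
        findings.append(f"{name}: image '{image}' is not from an approved registry")
    sc = container.get("securityContext", {})
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot is not enforced")
    for env in container.get("env", []):
        # a secret-looking variable with an inline 'value' bypasses Kubernetes Secrets
        if SECRET_LIKE.search(env.get("name", "")) and "value" in env:
            findings.append(f"{name}: env {env['name']} is inline, use secretKeyRef")
    return findings


def evaluate_manifest(manifest):
    """Collect violations across every container in the pod template."""
    containers = manifest["spec"]["template"]["spec"].get("containers", [])
    return [f for c in containers for f in check_container(c)]


# Constructed sample: 'api' violates four controls, 'sidecar' passes all of them.
SAMPLE_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "api", "image": "docker.io/library/nginx:1.25",
     "securityContext": {"privileged": True},
     "env": [{"name": "DB_PASSWORD", "value": "hunter2"}, {"name": "DB_USER", "value": "app"}]},
    {"name": "sidecar", "image": "registry.internal.example/team/proxy:2.1",
     "securityContext": {"runAsNonRoot": True},
     "env": [{"name": "API_TOKEN",
              "valueFrom": {"secretKeyRef": {"name": "api-creds", "key": "token"}}}]},
]}}}}

if __name__ == "__main__":
    for finding in evaluate_manifest(SAMPLE_DEPLOYMENT):
        print("DENY:", finding)  # a CI gate would fail the pipeline on any finding
```

Wiring the same checks into an admission controller or a tool such as OPA would enforce them at deploy time as well; the point is that the control lives in version-controlled code that the compliance function can review alongside the developers.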
So, with the above framework and process blueprint, let’s champion “secure by design” so that organizations can jump-start digital trust ecosystems and increase speed to market. Let’s empower all the stakeholders (business decision-makers, security, app dev) with actionable metrics (mean time to resolve, time to deploy, cycle time) to better understand the present state of security and compliance risk, and to drastically improve the organization’s performance by accelerating application modernization.
This blog was originally published on Forbes.com.