Why security must be shifted left in a cloud-first strategy

Companies with cloud-first strategies are growing in number as the benefits of cloud have become more apparent and appetizing in the fallout of the COVID-19 pandemic. However, simply having a cloud-first strategy doesn’t guarantee success in the cloud, cost savings and increased agility. Similarly, security remains a pervasive threat if a process for mitigation is not built into the very foundation of your cloud strategy.

There’s a misnomer in understanding what security should look like, especially when in the cloud, depending on what is being secured. Typically, organizations’ cybersecurity focus tends to fall into two categories:

IT workloads – technology that you have regardless of the industry you are in (email, CRM, ERP, etc.)
Engineering – the differentiated technology and intellectual property (IP) that you develop to enable you to excel in the market (which you want to keep safest from exposure)

The key is to move beyond securing IT workloads to the security of engineering, which is focused more on growth and innovation. As your business executes its cloud-first strategy, it’s important to recognize that cloud isn’t a destination; it’s a journey. And like any journey, you prepare ahead of time, map your route, and plan for agility.

The two things that businesses care most about protecting are IP and client data. Simply introducing traditional security measures such as Firewalls, Identity and Access Management, Multi-Factor Authentication are no longer sufficient measures in an engineering world where everything-is-code. To fully protect your platform and customer data when agility and speed-to-market are tables takes, security must be shifted as far left as possible, and integrated into the behaviors and culture of how organizations architect, develop and deliver products and services.

Regulations like GDPR have embraced this far left (or “security by design”) approach to cybersecurity. The US Cyberspace Solarium Commission is advocating for the addition of cybersecurity reporting requirements in the Sarbanes Oxley Act (solarium.gov, March 2020, Report, Section 4.4.4). Shifting left is a technical and behavioral norm, not an option.

The cloud consumption model has not only changed platform architecture, it has also changed the behaviors of platform contributors, which has given rise to new methodologies for security, such as Zero Trust and Secure Access Service Edge (SASE), which are components of security by design and how an organization builds the right model for their business that emphasizes the best stance for security. It’s about choosing the right infrastructure balanced with the right location (on-premises, colocation or cloud) to meet the quality, scalability and security demands.

Zero-trust security institutes an approach where all users and technology are denied access to all systems, resources, and datasets and must be explicitly granted the lowest level of access required and continually authenticated and re-validated to maintain permission. This approach better assures platform security prior to users or resources being provided access. While more secure, zero-trust requires organizations to design security as part of the platform code to each entity accessing it, which is time consuming and resource intensive.

Many organizations are turning to Secure Access Service Edge (SASE) to address zero-trust for remote access to simplify the approach. Half network and half security, the SASE framework is designed to allow enterprise security professionals to apply identity and context to specify the level of performance, reliability, security, and cost desired for every network session. SASE, in simplistic terms, can be a methodology to accomplish zero-trust policies for remote access in a cloud-native architecture.

As you build and execute according to your cloud-first strategy, cybersecurity must built into the very foundation of that plan. The cloud is not a place where workloads are hosted, rather a strategic approach to consume and deliver resources. Security cannot be an afterthought – it must be embedded into the way organizations behave, and part of the cultural of accountability. Embracing a security-minded culture means changing behaviors that model the culture you want to emerge. Organizations who have demonstrated a culture of security accountability and instituted supporting technical best practices have lower risk, improved customer satisfaction, and outpace the competition. The best practice is to strategically integrate security into the definition-of-done and insist that everyone is accountable for an organizations security posture and it is measurable in the people, process, and technology.

Dustin Milberg is a seasoned enterprise technology executive and current Field CTO Cloud Services at InterVision, an IT strategic service provider and Premier Consulting Partner in the Amazon Web Services (AWS) Partner Network (APN). In this role, Dustin focuses on helping customers adopt a holistic approach to developing and delivering sustainable platforms and solutions, while enabling technology organizations to optimize the entire operation: people, process, infrastructure, operations, development, quality, and security.