SAN FRANCISCO — Stephen Schmidt has learned a thing or two about how to secure cloud operations at scale. The Chief Information Security Officer at Amazon Web Services (AWS) shared some of the lessons he has learned about building cloud applications in a session at the RSA Conference.
AWS is the world's largest public cloud operator, and when it comes to security, Schmidt said for him it's all about scale. That is, every security process and control needs to be scalable, literally to the size of the ever-expanding AWS footprint.
For Schmidt, the way to achieve security at the scale of AWS is by deeply integrating security into every process throughout the development tool chain and the runtime environment, from source control through testing and staging and into production and maintenance.
Few if any IT organizations on the planet have the same scalability requirements as AWS, but there are five key recommendations that Schmidt provided that can help IT shops of all sizes.
1. Understand What You're Doing
While this might seem obvious, Schmidt said it's important for members of the security team to deeply understand how software is created and shipped.
2. Catalog Controls
Schmidt suggested that organizations catalog and identify the controls involved in their Continuous Integration/Continuous Deployment (CI/CD) pipeline so that security understands how change management works.
3. Document Human Interaction
Automation is the key to scalability, and true automation tends to involve removing the risks posed by humans. Schmidt suggests that organizations document every instance of human interaction with systems that process data.
4. Reduce Human Interaction
Schmidt recommends that IT organizations set and achieve a goal to reduce human access to systems that process sensitive data by 80 percent. Every human interaction is a potential source of an outage, Schmidt said.
5. Deploy From Source
A proper full CI/CD pipeline is one where source code is the root control. Schmidt recommends that companies set and achieve a goal to separate workload deployment from source code.
"Understand with precision where your software is coming from and make sure you're getting it from places that you trust," Schmidt said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.