ALPS blog

By Kay Bandemer, Head of Business Acceleration Team, Michael Claaßen, Senior Cloud Security Architect

The attraction of the cloud lies in the new opportunities it presents for businesses, whether that means optimising existing concepts or opening up new lines of business. At events like the AWS Summit 2022 these topics top the agenda, and many presentations and talks are geared towards exchanging experiences and ideas about them. There are, of course, also plenty of opportunities to network and to solve problems. Security still plays a subordinate role at such events. It is very much present as a fundamental requirement; that goes without saying. The open question is rather how security is organised and implemented. As an IT security manufacturer, we attended the AWS Summit to talk to customers about these challenges. Our impression: specialisation is in demand rather than “one size fits all”, but companies also struggle with time and know-how in the DevOps process.

Specialisation and competences

…or the question of what the specialised trade can do. Before the AWS Summit proper, the channel had met to exchange experiences as well. Far more than in traditional business, this is also about promoting one’s own capabilities, because the event made one thing clear: specialisation is in demand in the cloud. Successful specialised trade partners focus their business on offering customers in-depth know-how. Cloud customers usually know what they want to achieve and need partners who can help them get there.

This trend is not specific to the cloud; it applies to every area marked by dynamism and frequent technological change. It also shows that IT security is only one of the sectors in which the actual “doing” is increasingly shifting to the specialised trade under the managed service model. That shift automatically leads to specialisation based on the competences of individual employees. Training, and above all retaining those skills, is therefore becoming a cornerstone of sensible business strategy and a must wherever adaptation is rapid. IT security in particular faces a related problem: the shortage of skilled workers. Not least for this reason, partners are in demand who can supply the know-how to advise on security and to accompany a successful implementation.

“One Size Fits All” is out

No cloud event is complete without the topic of software development. Much of the agility essential to business success comes down to how quickly a company can meet the needs of its customers. “Time to market” is the keyword here, and it is burying the “one size fits all” approach of earlier days. More and more companies are building their own applications, geared primarily to business goals that have to be met quickly. When necessary, adjustments have to be made within hours.

Software development in the DevOps process, in which an application cycles continuously between operation and updating, is now standard in companies. Speed is one pillar, security the other, because when something has to be fast, mistakes happen. That is why security is already heavily involved in development, and project managers often have to take responsibility for it.

“Security by design” is the name of this concept, and what works very well in theory faces two primary challenges in practice. On the one hand, developers are supposed to build security in, and they tend to see this as a distraction from their actual work. On the other hand, security-relevant findings always have to be shared with others, for example with auditors or with the company’s own IT security department. Outdated compliance processes often play a role here, as does manual research, because findings and the procedures for interpreting the relevant logs are not passed on automatically.

Technology is not the problem

To build IT security into new developments, DevOps teams have a wealth of technologies at their disposal, from open source to commercial vendors; depending on the requirement, there is never just one option. What is required is ease of integration: even if developers are tasked with building security in, it should not cost them a lot of time.

The latest craze is “security as code”: security controls such as policies, tests and scans are written down as versioned code and run automatically in the build pipeline, usually without touching the application’s own logic. The actual security work is then done by a security library or tool that the pipeline, or the code itself, simply calls. The exciting question, however, is who reads the output. For most security tasks it is the developers themselves. An adjustment prompted by a newly discovered vulnerability, or a similar task, then has to be implemented as quickly as possible, and this should be part of the DevOps process. The fact is, however, that in most teams and projects precisely this responsibility is not assigned, or neither the expertise nor the time is available for such tasks.

Some situations are not so simple, however. When a vulnerability such as Log4Shell appears, companies have to analyse their risk profile. That affects every part of the organisation and is therefore the task of the IT security department. The same applies to audits, or to actual security incidents in which the scale of an ongoing attack has to be assessed. In such cases the information that already exists must be brought together and put into context. If these processes are not automated, escalations can follow, depending on the situation.
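What automating that risk analysis can look like in practice, as an added example that is not from the original post or from the authors: a small “security as code” style check that reads a dependency inventory and classifies each log4j-core version against the published Apache Log4j advisory series, so the same script can run in every team’s pipeline and the totals can be collected centrally. The inventory format (one Maven coordinate per line), the service names and the sample lines are constructed for illustration; the Java 6/7 backport branches (2.3.x, 2.12.x) are deliberately not modelled and are flagged conservatively.

```python
"""Added example (not part of the original post): a repeatable Log4Shell
exposure check over a dependency inventory. Assumption: one Maven
coordinate 'group:artifact:version' per line; sample data is constructed."""
import re
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    coordinate: str
    severity: str   # critical / high / moderate / eol / ok
    cve: str
    action: str


def parse_version(v: str):
    """Turn '2.0-beta9' or '2.14.1' into a sortable key. A pre-release tag
    sorts before the final release of the same number (2.0-beta9 < 2.0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))            # 2.15 == 2.15.0
    pre = m.group(2)
    if pre is None:
        return (nums, 1, ())
    # 'beta9' -> ((0,'beta'),(1,9)) so beta8 < beta9 < rc1 compare cleanly
    parts = tuple((1, int(p)) if p.isdigit() else (0, p.lower())
                  for p in re.findall(r"\d+|[A-Za-z]+", pre))
    return (nums, 0, parts)


V = parse_version
# Mainline 2.x thresholds from the Apache Log4j security advisories:
#   < 2.15.0  CVE-2021-44228  Log4Shell, RCE through JNDI lookups
#   < 2.16.0  CVE-2021-45046  incomplete fix, RCE in some configurations
#   < 2.17.0  CVE-2021-45105  infinite recursion / DoS
#   < 2.17.1  CVE-2021-44832  RCE via attacker-controlled configuration
# Assumption: the Java 6/7 backport branches (2.3.x, 2.12.x) are not
# modelled, so their fixed releases are flagged conservatively as critical.
RULES = [
    (V("2.15.0"), "critical", "CVE-2021-44228"),
    (V("2.16.0"), "high",     "CVE-2021-45046"),
    (V("2.17.0"), "moderate", "CVE-2021-45105"),
    (V("2.17.1"), "moderate", "CVE-2021-44832"),
]
UPGRADE = "upgrade log4j-core to 2.17.1 or later"


def assess(coordinate: str) -> Optional[Finding]:
    """Classify one coordinate; None means the rule set does not cover it."""
    group, artifact, version = coordinate.strip().split(":")
    if (group, artifact) == ("log4j", "log4j"):
        return Finding(coordinate, "eol", "-",
                       "Log4j 1.x: not in scope of CVE-2021-44228, but end "
                       "of life since 2015; review separately")
    if (group, artifact) != ("org.apache.logging.log4j", "log4j-core"):
        return None                 # log4j-api alone is not affected
    key = parse_version(version)
    if key < V("2.0-beta9"):        # earlier betas are not listed as affected
        return Finding(coordinate, "ok", "-", "not an affected version")
    for fixed_in, severity, cve in RULES:
        if key < fixed_in:
            return Finding(coordinate, severity, cve, UPGRADE)
    return Finding(coordinate, "ok", "-", "no action for this advisory series")


def assess_inventory(lines):
    """Run assess() over an inventory, worst findings first."""
    order = {"critical": 0, "high": 1, "moderate": 2, "eol": 3, "ok": 4}
    found = (assess(line) for line in lines
             if line.strip() and not line.startswith("#"))
    return sorted((f for f in found if f), key=lambda f: order[f.severity])


def summary(lines):
    """Findings plus a per-severity count: what IT security needs to size
    the organisation-wide risk from many teams' build outputs."""
    findings = assess_inventory(lines)
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return findings, counts


# Constructed sample inventory (service names are made up): a team's build
# export reduced to group:artifact:version lines.
SAMPLE_INVENTORY = """
# service=billing
org.apache.logging.log4j:log4j-core:2.14.1
org.apache.logging.log4j:log4j-api:2.14.1
# service=gateway
org.apache.logging.log4j:log4j-core:2.15.0
# service=reporting
log4j:log4j:1.2.17
# service=search
org.apache.logging.log4j:log4j-core:2.17.1
# service=legacy-batch
org.apache.logging.log4j:log4j-core:2.0-beta9
""".strip().splitlines()

if __name__ == "__main__":
    findings, counts = summary(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.severity:8} {f.cve:15} {f.coordinate}  -> {f.action}")
    print("totals:", counts)
```

Run in each pipeline and shipped to one place, the per-severity totals turn the organisation-wide risk analysis into a script run and a roll-up rather than a round of emails between teams and the IT security department.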

Pulling together

The greatest advantage of modern infrastructures and technologies is that they make it possible to automate tasks. Developers, but also operators, need the flexibility to make changes based on business decisions, and IT security must support those decisions. The prerequisite is to secure the activities of the business units while maintaining compliance and applying security best practice.

The task becomes harder, though, because several departments (such as Development, Cloud Operations and IT Security) each have their own requirements, some of which are non-negotiable. Moreover, external developments can at any moment undo a compromise that was painstakingly reached. Solving this challenge is the task of the IT security specialists in the specialised trade and at the manufacturers.