January 4, 2023

Last Updated on January 13, 2024

Cloud-native application development goes hand-in-hand with DevOps and “infrastructure as code.”

Is an “as-code” approach to governance, security, and compliance the answer to cloud application security challenges?

To explore the leading edge of cloud security posture management, Fausto Lendeborg, co-founder and Chief Customer Officer at Secberus, joined a recent episode of The Virtual CISO Podcast. Hosting the show as always is John Verry, Pivot Point Security CISO and Managing Partner.

Aligning with an as-code world

With DevOps and cloud-native, everything in the “code to cloud pipeline” is moving towards becoming software-defined—all in the name of speed.

“Everything is transitioning to an as-code stack,” says Fausto. “Everything from applications, infrastructure… It’s a way of building applications because it’s very fast. It’s velocity, and velocity is what got us here: the security problem, and the cloud.”

Fausto continues: “Think about this large snippet of code living everywhere. How can we fight the as-code world, if not with an as-code solution? So, when we started thinking about how can we build governance, security, and compliance continuously to mitigate the risk that an as-code world brings, we needed to think about governance as code.”

And along with that, compliance and security as code, even ultimately policy as code.

The need for speed

Because speed is the whole point of cloud-native and DevOps, an as-code governance, security, and compliance solution needs to move at a DevOps pace.

“The big thing we’re trying to do here and how everything meets in the middle is we need to have a solution that doesn’t block the engineer from going fast and from building,” emphasizes Fausto. “And one of the things that blocks engineers from going fast in today’s world is this methodology of security by design.”

Security by design, as Fausto describes it, dates back to the era of change management boards and waterfall development, and that gate-based model stalls today’s rapid build/deploy cadence. The Secberus approach instead lets clients express configuration management and policy as code and apply it continuously, at the velocity the business is already moving.


Abstracting out cloud specifics

Secberus supports its customers to maintain and expand their DevOps practices, and to build software in multiple cloud infrastructures.

“Because we know that tomorrow there will be another cloud, it’s about decoupling where the infrastructure is from the risk assessment,” Fausto offers.

Secberus’ as-code layers can be configured once and leveraged across multiple public clouds. For example, the same policy can be applied to both Azure and AWS environments regardless of the underlying technology that the engineers are using.
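To make the “configure once, apply across clouds” idea concrete, here is an added example of policy as code that decouples the risk assessment from the provider, as the governance-as-code and multi-cloud passages above describe. It is illustrative code written for this post, not Secberus’s product or API. Each provider’s resource is first normalised into a small provider-neutral model, and the same two policies are then evaluated over AWS S3 buckets and Azure storage accounts alike. The dictionary shapes are simplified, constructed approximations of the respective cloud APIs, the policy IDs are invented, and an unset Azure `allowBlobPublicAccess` is deliberately treated as public so the check fails closed.

```python
# Added example: one policy set evaluated over resources from two providers.
# Not Secberus code; resource dict shapes are constructed approximations.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class StorageResource:
    """Provider-neutral view of an object store: the only thing a policy sees."""
    provider: str
    name: str
    public_access: bool
    encrypted_at_rest: bool


def from_aws_bucket(bucket: Dict) -> StorageResource:
    """Map a (simplified) S3 bucket description onto the neutral model.

    The bucket counts as publicly reachable unless all four
    PublicAccessBlock settings are enabled.
    """
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    blocked = all(pab.get(k, False) for k in (
        "BlockPublicAcls", "IgnorePublicAcls",
        "BlockPublicPolicy", "RestrictPublicBuckets"))
    encrypted = bool(bucket.get("ServerSideEncryptionConfiguration"))
    return StorageResource("aws", bucket["Name"], not blocked, encrypted)


def from_azure_storage_account(acct: Dict) -> StorageResource:
    """Map a (simplified) Azure storage account onto the neutral model.

    allowBlobPublicAccess is treated as True when absent (fail closed).
    """
    props = acct.get("properties", {})
    public = props.get("allowBlobPublicAccess", True)
    encrypted = (props.get("encryption", {}).get("services", {})
                 .get("blob", {}).get("enabled", False))
    return StorageResource("azure", acct["name"], bool(public), bool(encrypted))


@dataclass(frozen=True)
class Policy:
    policy_id: str          # hypothetical identifiers, not a real standard
    description: str
    check: Callable[[StorageResource], bool]  # returns True when compliant


POLICIES: List[Policy] = [
    Policy("STORAGE-001", "Object storage must not allow public access",
           lambda r: not r.public_access),
    Policy("STORAGE-002", "Object storage must be encrypted at rest",
           lambda r: r.encrypted_at_rest),
]


def evaluate(resources: List[StorageResource],
             policies: List[Policy] = POLICIES) -> List[Dict]:
    """Return one finding per (resource, policy) violation, regardless of cloud."""
    findings = []
    for r in resources:
        for p in policies:
            if not p.check(r):
                findings.append({"policy": p.policy_id, "provider": r.provider,
                                 "resource": r.name, "description": p.description})
    return findings


# Constructed sample inventory (not real accounts).
AWS_BUCKETS = [
    {"Name": "app-logs",
     "PublicAccessBlockConfiguration": {
         "BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    # Only one of the four block settings, and no default encryption.
    {"Name": "marketing-site",
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
]
AZURE_ACCOUNTS = [
    {"name": "corpdata", "properties": {
        "allowBlobPublicAccess": False,
        "encryption": {"services": {"blob": {"enabled": True}}}}},
    {"name": "uploads", "properties": {
        "allowBlobPublicAccess": True,
        "encryption": {"services": {"blob": {"enabled": True}}}}},
]


def run_sample() -> List[Dict]:
    """Normalise both inventories and run the single policy set over them."""
    inventory = ([from_aws_bucket(b) for b in AWS_BUCKETS]
                 + [from_azure_storage_account(a) for a in AZURE_ACCOUNTS])
    return evaluate(inventory)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['policy']} {f['provider']}:{f['resource']} - {f['description']}")
```

The point of the split is that adding a third provider means writing one more `from_*` normaliser; the policy list, and therefore the governance decision it encodes, does not change. In practice the normaliser is where most of the care goes, since a provider default that is silently treated as safe (such as an unset public-access flag) is how a cross-cloud policy ends up passing a resource it should have flagged.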

What’s next?

To hear this podcast episode with Fausto Lendeborg all the way through, click here.

No matter how you slice it, securing applications in the public cloud requires highly efficient security checks. This blog post paints the picture: Monitoring Security of Your Deployed Public Cloud Application

OWASP ASVS Controls Checklist

Download Pivot Point Security OWASP ASVS Controls Checklist.