This is part of our 'Faculty Focus' series, an interview-style piece in which a member of the IANS Faculty shares firsthand insights on a particular infosec topic. In this feature, Ian Amit discusses how shifting the Security/DevOps paradigm can help improve cloud infrastructure security.
Ian Amit is the Co-Founder and CEO of Gomboc.ai, which provides cloud infrastructure security solutions. Before Gomboc.ai, Ian held senior leadership positions with Rapid7, Cimpress, Amazon, ZeroFOX and IOActive, and has over 25 years of experience in the security industry as a practitioner. Ian is also the co-founder of DC9723, the Tel Aviv DEFCON group, and serves as a BSides Las Vegas board member. He is also the creator and co-CEO of The CISO Track, a series of CISO-centric curated events.
1. What are some of the issues you’ve seen in cloud infrastructure security between DevOps and security groups?
Ian: Most security practitioners tasked with cloud security recognize how frustrating it is to handle infrastructure issues. We have a lot of tools that enable us to identify typical configuration gaps, and some even provide guidance as far as how each service should be set up securely. However, in order to change things and secure your particular environment, security works with DevOps, who are responsible for the configurations. This means that security doesn't have the ability (nor should it have) to change things in production and is at the mercy of the DevOps teams' bandwidth and knowledge of the particular changes.
DevOps, in turn, aren't just at the service of the security teams, and need to slot in those changes through their sprints and epics. In addition, since the changes only come with a vague reference of the practical change (i.e., a template / blueprint / best practice), DevOps is also tasked with figuring out how to implement the intent of the requested change while maintaining the functionality of the applications (as well as the performance, resilience, and other functions that aren't directly
Finally – keeping a cloud infrastructure architecture secure means making sure that any changes in the services you are using, as well as any new services made available by your cloud provider, are studied and reflected in your own deployment. This is similar to the feeling of the ground constantly shifting under your feet while juggling a few flaming swords.
These are the core issues at the current state of cloud infrastructure security – a knowledge gap that keeps expanding as cloud providers deliver exponentially more services each year (and keep updating existing services), inefficiencies in the remediation process where the entity tasked with finding the problems is separate from the one tasked with fixing them, and finally friction created by not having actionable solutions, which leads to engineering teams having to research what specifically needs to change in their environment.
2. How do leaders on both sides address these issues and why has it not been working? Can you speak to some of the challenges?
Ian: The current coping mechanisms for security leaders split into two approaches:
This obviously does not scale well or address the problem at its core.
3. What is the solution to shift the paradigm?
Ian: To change the paradigm, two shifts need to happen:
4. What are some best practices that leaders could adopt now?
Ian: In the short-term, the best practice I would recommend is:
5. What are the impacts of changing the paradigm?
Ian: The impact of implementing such a paradigm change is akin to moving from programming in assembly to doing so in a high-level language. It rids us of the toil of managing the minutiae of each configuration option (compounded by the number of services used) and allows us to work at a higher level of defining what our intents and policies are, and having an automated mechanism that assures optimal use of services and configurations – freeing us all (security and DevOps) to focus on delivering value and handling higher-level problems.
September 21, 2023
By IANS Faculty