Syncing security and product development early is now a "must do."

Rinki Sethi, Senior Director of Security Operations and Strategy of Palo Alto Networks

March 22, 2018

4 Min Read

For many organizations, the public cloud has become the sole route to market for new product introductions. This cloud infrastructure is owned and managed by a third party, freeing up the organization from the maintenance and cost that comes with a private cloud setup. With that, speed and scale are the main reasons why developers are moving to the public cloud, and now is the best time for security teams to tighten their partnerships with product development and IT teams.

Although native public cloud controls provide basic infrastructure security, enterprises are still responsible for securing the data they put in the cloud. For this reason, it's important for security teams to get involved with product development early on to make sure that security considerations are baked into the product at all stages — well before the products ever reach the hands of customers.

Here are the top five things security teams should focus on when entering this next phase of public cloud deployment.

1. Demonstrate How Partnering with Security Teams Speeds Up the Product Development Process
A common misconception is that security teams slow down the product development process with seemingly unnecessary requirements and recommendations. However, the real concern should be how any redesign after a launch will slow down business processes and, ultimately, break customers' trust. Product teams that engage with their security teams early on — beginning with the ideation phase and continuing throughout the product development cycle — will enjoy a more effective process for new product introductions. By sitting side by side with product development and making security a truly integral part of the entire process, security teams can demonstrate the positive impact of identifying appropriate security requirements, understand the overall architecture, and be ready to go into production with confidence.

2. Understand the Development Life Cycle
How teams approach product development can vary from group to group and even from product to product. Security teams that invest in understanding each group's product development approach will gain a valuable understanding of the security controls that are needed to effectively defend against malicious activities. By making the entire product team aware of what's needed from a security perspective during product discussions, there's a better chance for collaboration when it comes time to do threat modeling, building in the right security capabilities, identifying the requirements for security testing, and pinpointing what the security operations team should be monitoring after the product is launched. Having these conversations directly with the product development team solves the significant problem of how to protect your data and your customers' data downstream.

3. Incorporate Testing Before and After Launch
There are no shortcuts when it comes to continuous testing, and it's unfortunately an often-overlooked part of the security stack. Before any product is made available to customers, you'll want to find issues before attackers do. A focus on testing is critical at all stages, and you will want to continue testing even after the product is live and deployed in the cloud. It's important for security and product development teams to understand that public cloud offers different types of services, from computing and storage to analytics, and each of these services has a unique set of security implications and threat scenarios that must be tested and solved for.

4. Ensure Continued Visibility
Security operations teams need to monitor activity in a way that is prevention-focused to stay one step ahead of adversaries. Many of the threat patterns remain the same for cloud-hosted workloads, but the conventional preventive measures used to thwart such threats don't easily apply. When moving products to the cloud, security teams need to identify mechanisms to achieve high-fidelity threat detection within the cloud and ensure continued visibility. With visibility, you can prevent attacks and ensure strong capabilities to combat sophisticated tools and tactics. By establishing the right logging and monitoring capabilities from initial design phases, you can leverage automation and other innovative technologies and processes, and set teams up for success.

5. Have Comprehensive Playbooks and an Incident Response Plan
There's no question that cloud security is now a board-level discussion. As security breaches continue to have outsize financial impact on organizations in all industries, executives and board members understand that cybersecurity threats are material risks that must be mitigated. It's essential that cybersecurity leadership have an open dialogue with the C-suite about material risks to the business, and form detailed advance response plans to counter and manage the scenarios most likely to occur.

Understand the key stakeholders when it comes to deployment in the public cloud — and how these individuals should be engaged if an incident does happen. With comprehensive playbooks and an incident response plan in place well before any incidents occur, the security team can work with stakeholders to be prepared to address the attack surface in the public cloud environment.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the security track here. Early Bird Rates Expire Friday March 23. Use Promo Code DR200 to Save $200 

About the Author(s)

Rinki Sethi

Senior Director of Security Operations and Strategy of Palo Alto Networks

Rinki Sethi is Senior Director of Security Operations and Strategy at Palo Alto Networks. She is responsible for building a world-class security operations center that includes capabilities such as threat management, security monitoring, and threat intelligence. Rinki is also tasked with continuing to drive security culture change at Palo Alto Networks through cybersecurity education. Prior to her position at Palo Alto Networks, Rinki worked at Intuit, eBay, Walmart.com, and Pacific Gas & Electric, building technical security teams, including security operations, product security, application security, security architecture, and security strategy. She has served on the development team for the ISACA book, "Creating a Culture of Security" by Stephen Ross, and was the recipient of the "One to Watch" Award with CSO Magazine & Executive Women's Forum in 2014. Rinki regularly speaks at security conferences and on topics related to women in technology, and serves as a mentor for students and professionals.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights