Building securely without sacrificing velocity
By BreakFree Solutions Staff
As our world becomes increasingly digital, so does the need for reliable digital security. This blog post will explore the BreakFree Digital Security Framework and how it can help you meet the new digital security challenges.
The BreakFree Security Framework allows companies to build safely on the cloud without sacrificing velocity. It does the following:
Guides the effective use of security controls
Integrates security upfront in the development process
Leverages automated guardrails
Utilizes API-driven evidence collection for compliance purposes
Establishes patterns, in the form of application control sets, that can be shared across similar solutions
Where to Begin
You don’t want to slow down or limit your cross-functional teams from innovating and building products on the cloud. However, they must create those products securely, considering the various security controls which apply to the product. To ensure you’re accounting for the applicable controls, you must consolidate all potential cloud controls into a single, readily accessible library for your organization.
We call this the Cloud Control Library, which comprises all the relevant security standards and requirements that an organization needs to follow from a compliance and audit perspective.
The Cloud Control Library enables organizations to group related controls across different public frameworks into one living and consumable library, allowing them to effectively identify and catalog potential cloud-based resources and environments.
But not every product that an organization develops needs to adhere to all of the controls in the Cloud Control Library. And since cloud services are priced based on consumption, an effort needs to be made to establish subsets of controls that can be used to satisfy security and compliance requirements for different categories of applications.
Application Control Subsets are just that. They allow the product teams to focus solely on the areas of security that are required for their product.
Application control subsets can be templated and automated, eliminating the need to reinvent the wheel for every new application/product.
For example, an application that is hosted in Azure with the sole responsibility of processing PCI data could be an Application Control Subset in itself. All relevant and required controls from the Cloud Control Library that are focused on PCI compliance and are specific to the product would make up the product’s Application Control Subset.
If another team within the organization has a need to incorporate PCI processing within their product, they could effectively consume the already created Application Control Subset for PCI compliance and begin their solution there with the pre-defined standard operating procedures for meeting those requirements. This will drastically decrease the overall time to market while rapidly increasing the team’s velocity.
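To make the relationship between the library, its subsets and the responsibility demarcation points concrete, the following is an added example, not BreakFree’s code or framework artefact. It models a Cloud Control Library as a small Python data set, carves a PCI Application Control Subset out of it by tag, records who is accountable for each control, and shows two products consuming the same template. The control ids, tags, owner vocabulary and framework references are constructed for illustration and are not an audited mapping.

```python
"""Toy model of a Cloud Control Library and derived Application Control Subsets.

Added illustration only: the data model, control ids and framework mappings are
constructed for this example and are not BreakFree's own library.
"""
from dataclasses import dataclass

# Parties that can own a control in the shared responsibility model (constructed vocabulary).
VALID_OWNERS = frozenset({"provider", "platform", "product"})


@dataclass(frozen=True)
class Control:
    control_id: str        # library-internal id (constructed, e.g. "CCL-001")
    title: str
    frameworks: frozenset  # public-framework references this control satisfies (illustrative)
    tags: frozenset        # categories used to carve out application subsets
    owner: str             # who is accountable: provider, platform or product team


# Constructed sample library; framework references are illustrative, not an audited mapping.
CONTROLS = (
    Control("CCL-001", "Encrypt cardholder data at rest",
            frozenset({"PCI DSS 3.4", "NIST SP 800-53 SC-28"}), frozenset({"pci", "encryption"}), "product"),
    Control("CCL-002", "Restrict inbound traffic to the cardholder data environment",
            frozenset({"PCI DSS 1.2"}), frozenset({"pci", "network"}), "platform"),
    Control("CCL-003", "Centrally log administrative actions",
            frozenset({"PCI DSS 10.2", "NIST SP 800-53 AU-2"}), frozenset({"pci", "hipaa", "logging"}), "platform"),
    Control("CCL-004", "Physical access controls for data centres",
            frozenset({"PCI DSS 9.1", "ISO 27001 A.11"}), frozenset({"pci", "physical"}), "provider"),
    Control("CCL-005", "Encrypt PHI in transit",
            frozenset({"HIPAA 164.312(e)", "NIST SP 800-53 SC-8"}), frozenset({"hipaa", "encryption"}), "product"),
)


def build_library(controls):
    """Index controls by id; duplicate ids would make subsets ambiguous, so reject them."""
    library = {}
    for control in controls:
        if control.control_id in library:
            raise ValueError(f"duplicate control id {control.control_id}")
        library[control.control_id] = control
    return library


def application_subset(library, required_tags):
    """Ids of every control tagged with at least one of the required categories."""
    wanted = frozenset(required_tags)
    return sorted(c.control_id for c in library.values() if c.tags & wanted)


def responsibility_map(library, control_ids):
    """Group a subset's controls by accountable party: the demarcation points to publish."""
    grouped = {}
    for cid in control_ids:
        grouped.setdefault(library[cid].owner, []).append(cid)
    return {owner: sorted(ids) for owner, ids in sorted(grouped.items())}


def unassigned_controls(library, control_ids):
    """Controls nobody owns: a gap an audit would surface, so catch it before publishing."""
    return [cid for cid in control_ids if library[cid].owner not in VALID_OWNERS]


def framework_coverage(library, control_ids, framework_prefix):
    """Public-framework references a subset satisfies, e.g. the PCI DSS requirements it maps to."""
    return sorted({ref for cid in control_ids for ref in library[cid].frameworks
                   if ref.startswith(framework_prefix)})


def build_template(name, library, required_tags):
    """Reusable Application Control Subset: the controls plus who is responsible for each."""
    control_ids = application_subset(library, required_tags)
    gaps = unassigned_controls(library, control_ids)
    if gaps:
        raise ValueError(f"controls without an accountable owner: {gaps}")
    return {
        "name": name,
        "tags": sorted(required_tags),
        "controls": control_ids,
        "responsibility": responsibility_map(library, control_ids),
        "pci_dss_references": framework_coverage(library, control_ids, "PCI DSS"),
    }


LIBRARY = build_library(CONTROLS)

if __name__ == "__main__":
    # Two products with the same scope consume the same template rather than re-deriving it.
    payments = build_template("payments-api", LIBRARY, {"pci"})
    billing = build_template("billing-portal", LIBRARY, {"pci"})
    assert payments["controls"] == billing["controls"]
    print(payments)
```

The template is what a second team would consume: the control list is derived from the library rather than hand-picked, the responsibility map is the published demarcation, and a control with no accountable owner blocks template creation instead of surfacing later in an audit.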
How to Progress
Next, you must establish a shared responsibility model that contractually navigates security and compliance controls, allowing security organizations to understand the demarcation point between what they do themselves and what they will ask their technology organizations to do to ensure compliance.
A Shared Responsibility Model requires shared handling of customers’ digital assets between the organization and customer for improved security. Automation enables the integration of automated processes into digital transformation for greater flexibility, scale, and efficiency.
We apply a product approach to breaking down responsibility, improving how we perform digital capabilities regularly, and consistently changing who is accountable for what.
When developers don’t have to spend significant time and effort establishing and integrating security and compliance for every new development effort — but instead are able to follow established operating procedures and utilize associated automations for the application control set that applies to their product — a dramatic reduction in time to deliver new products is realized.
We must ensure an effective universal way of describing who is accountable for doing what as it relates to platforms. This concept was spearheaded by AWS (Amazon Web Services) when they clearly articulated that they weren’t going to take care of all security aspects. Platform teams added a layered model with multiple groups responsible, including cloud providers, cloud foundation teams, and even platform consumers.
This shared responsibility model is not static. It changes based on feature functionality, the cloud services in use, revisions of the model itself, and so on. We view this artifact as a critical operating model component for all teams included in digital. Our teams always answer: Do we know what we are responsible for? Are we articulating it to clients/teams? If so, you’ve built a shared responsibility model.
For each application control set, you need to articulate responsibility demarcation points and publish them broadly.
Build safely on the cloud without sacrificing velocity by leveraging the BreakFree Digital Security Framework. The major components include establishing a Cloud Control Library, Application Control Subsets, Shared Responsibility Models, and automating patterns across application control sets.
We just covered the BreakFree Digital Security Framework in our recent Leadership Bootcamp. Reach out today, and we’ll send you the recording or plan for a one-on-one whiteboarding session.