Balancing Cybersecurity Risk with Technological Innovation: Using Policy as Code

The pursuit of innovation and the deployment of cybersecurity measures often appear mutually exclusive. The steps we take to enhance security are concentrated on mitigating risk, while innovation demands you to be open to taking risks.

Sometimes, organizations decide to prioritize innovation over security to gain a competitive advantage. Although it feels like a challenging decision for product owners and business leaders, it shouldn’t be. While innovation and time to market are critical, so is security. You need to find a healthy balance between both.

It’s important because innovation opens the path to new revenue streams, enhanced customer experiences, and creates new market opportunities. Robust security, on the other hand, ensures compliance and helps maintain brand image and value.

What are the Risks?

Human error is one of the leading causes of security incidents. For example, in 2019, human error was the leading cause of 90% of cybersecurity breaches in the UK. So, before you focus on innovation, think about mitigating risk.

If that wasn’t bad enough, businesses also have to be alert to ransomware attacks. It’s crucial as the average ransomware payment increased by more than $100,000 in the first quarter of 2020 (up by 33% from the final quarter of 2019).

Enterprises also have to deal with the security risks that come with new technologies (that can be buggy). Then we have insider threats, technical debt, and potential cultural challenges that compound security risks.

It doesn’t end there. Cybersecurity threats are rapidly evolving and becoming more sophisticated by the day. This makes it imperative for enterprises to adopt a proactive approach.

What are the Costs?

The costs of security events are often far-reaching. Security incidents make the headlines almost daily, and the fallout from these events is significant. For the most part, a lot of the security challenges faced by companies originate in public clouds.

The now-infamous Capital One data breach is a perfect example of how something like a web application firewall misconfiguration could lead to the exposure of over 100 million records of sensitive data (like personally identifiable information).

In this security incident, Amazon Web Services provided all the security for its public cloud offering, but the Capital One team failed to configure and use it appropriately. Unfortunately, this is far from an isolated incident.

The damage to Capital One’s brand image and brand value was immense. It was also followed by a regulatory fine of $80 million and a class-action lawsuit. The negative publicity surrounding this incident still continues today, and there’s no end in sight.

For startups and application developers, making security an afterthought can potentially delay time to market, lead to project failure, and negatively impact accessible resources. While the current threat landscape may make innovation seem impossible, it really isn’t. But it demands a new approach to mitigate risk and ensure robust security.

What can you do?

The good news is that companies are starting to find ways to innovate and launch new digital initiatives while going the extra mile to secure their data and other digital assets. One way businesses are doing this is by embracing Kubernetes and a DevSecOps approach.

DevSecOps

DevSecOps is the process of integrating security and monitoring that is closely woven into the entire life cycle of an application. This means that protection and innovation happen in concert from development through deployment and beyond.

According to Gartner, as much as 60% of rapid development teams will adopt DevSecOps best practices by 2021 (up from 20% in 2019).  A recent study conducted by the Statista Research Department also found that approximately one-third of organizations surveyed were using Kubernetes in some form in 2020.

These companies were either running Kubernetes in production, experimenting with Kubernetes, or using Kubernetes for development and testing. Simultaneously, almost one-third of organizations weren’t using Kubernetes at all (and that’s deeply concerning).

Shifting Left

While Kubernetes puts you on the right track to innovate in a secure ecosystem, it has to be supported by robust governance policies. For example, enforce governance-as-code across the entire Kubernetes infrastructure. This approach enables companies to deploy a “robot guard” who’s always looking out for them 24/7.

In this scenario, development teams and security personnel need to “shift left” and clearly define, deploy, and manage governance policies. When you closely follow Open Policy Agent (OPA) and Kubernetes best practices, it’s easier for developers (or innovators) and security teams to work closely together in a secure environment.

How do they do it?

Enforce Security Standards with Policy-As-Code, Programmatically

When it comes to continuous deployment of cloud-native applications, integrating policy-as-code within DevOps workflows is crucial to creating developer-centric experiences. When enterprises do this, they essentially deploy “automated operators” who continuously monitor repositories for suspicious activity (remember my robot guard analogy?).

Whenever there’s a change, these automated guards immediately trigger an update. In this manner, companies achieve robust governance levels across all clusters from a single source of truth. It’s also the best approach to normalize hybrid environments and boost innovation across the organization.  

When you enforce policy-as-code, you enforce governance standards across all Kubernetes clusters. You can also deploy enterprise policy checks across cloud environments, supported by rules based on your specific needs. What’s more, you get to validate infrastructure compliance early on in the software development lifecycle. This approach helps closely weave security into digital products right from the beginning.

Apply the Right Workflows and Playbooks

When you build a centralized playbook enacted and enforced across each iteration, development teams are well-placed to innovate rapidly without compromising security. Your playbook can include anything from benchmarks to IT standards to regulatory policies (and more). You can also customize rules to enforce within the organization.

With the right workflows, teams are well aware of complex governance and compliance issues. They can also enforce best practices and organizational conventions as needed with tailor-made policies. This approach also enables the automation of security and compliance into your CI/CD workflows.

Construct Robust Compliance Reporting and Analytics 

To find the perfect balance between innovation and security, enterprises require a sustainable governance framework that ensures transparency between teams. One way to achieve this is through unified compliance reports and dashboards. These provide opportunities for all stakeholders to review custom policies and take action appropriately.

Whenever companies follow this approach, developers receive immediate automated feedback on the code (which can then be updated if needed). It also provides the necessary visibility to analyze the overall security posture of your applications and infrastructure.

While shifting left might demand a cultural change across the organization, it’s worth the effort to address security concerns now and not when it’s too late (or when you make the headlines). When security is built into your product and closely intertwined with the code, your actions lead to not only an innovative new product but a secure one.