The evolution of “Platform Team” culture to secure cloud native technologies

In recent years, there has been rapid advancement in cloud-native technologies, which have dramatically improved, and will continue to improve, how we access and secure applications. However, these results will only be seen in organizations where cybersecurity decision-makers can adapt their teams and processes to match the advancements seen within the technology itself.

The responsibility for these advancements has come to rest on the shoulders of the CISO. But by their nature, security organizations tend to be cautious. This can result in CISOs falling out of step with the needs of the organization. Instead, CISOs need to be willing to take a chance on new technologies, support the effort and be part of the solution by making themselves more visible. 

To do this, CISOs need to rethink their traditional strategy and employ both a new culture and new approaches to ensure that security is always a consideration throughout DevOps. This will enable what some call DevSecOps, which is now evolving into more of a “platform team” approach. This should be a priority for the CISO as it will require complete cooperation amongst the application development teams involved throughout the software and deployment lifecycle. By incorporating security into the responsibilities of the entire team, companies can be assured that they are benefitting from the full potential of cloud-native technologies.

Beyond DevOps or even DevSecOps 

Prior to the adoption of DevOps, and then DevSecOps, security teams typically evaluated and flagged security risks at the end of production, which would cause significant delays, often preventing an application from going live in the desired timeframe. This was a direct consequence of the lack of collaboration amongst the teams, as the main focus of each was to carry out its individual responsibility, whether security, compliance or operations. These disparate parts would then come together at the end.

The DevSecOps approach brought with it several improvements such as speed, agility and cost savings in software development. But with new security challenges that have sprung forth alongside modern cloud-native technologies, security has become an area that requires even more attention. As a result of this, we are seeing leading organizations move towards a “platform team” approach. 

By providing a higher-level abstraction to application developers, the “platform team” approach gives them more time to focus on the business application itself, with less concern about the underlying infrastructure often required by DevOps-oriented teams. If organizations neglect to adapt the DevOps process to current progressions in technologies, their security teams will continue to be flooded with security risks, more so than they may already be.

To account for the new security challenges that come with these evolving technologies, CISOs must ensure that their tools and methods are suited to counter these risks. The CISOs must then focus on promoting these new tools and methods to their teams and everyone in the DevOps pipeline. If this is carried out properly, the deployment model (whether serverless, VM or container-based cloud-native development) will not affect the migration of applications and can be secured at the highest level yet. 

Improving (and automating) the workflow 

Organizations are integrating security throughout the DevOps process, and now into these “platform teams,” to develop a faster functioning workflow as a response to new technologies. The method to enact the shift in culture and strategy will vary between businesses and may include allowing security to “fail” a build, or tracking and blocking non-compliant images throughout development. Within the platform team, the integration of security within the workflow will split the responsibility of security to create a more unified culture within the business and ensure even faster results with the use of these advanced technologies. 

As with DevSecOps, this will enable further flexibility and speed. This is because weaknesses are surfaced sooner in the software development lifecycle, which will allow sufficient time to fix the error without disrupting the application timeline. Development teams will also be able to utilize automated security controls and tests throughout the development cycle, thereby freeing up their time while also fulfilling the full potential of cloud-native technologies.

By “shifting left”, organizations lower the risk of a build-up of security disruptions at the end of the process, because these are dealt with throughout development. By using automated posture management tools to secure cloud infrastructure, even the most complex multi-cloud environments can be hardened. Organizations will subsequently profit from providing a high standard of security while also remaining an active competitor in the market in terms of innovation and speed of results.

Encouraging this change in culture requires educating developers about cybersecurity issues to avoid situations where code is prevented from being merged. This allows for an easier transition to a collaboration between the security, compliance, and IT teams as everyone will be able to acknowledge security risks at all stages. They will also have the necessary understanding to take full advantage of what the new cloud-native technologies have to offer. Finally, CISOs must ensure that these new platform teams are aware of and fully comprehend the need to take on modified responsibilities as this move requires attention to collaboration in the process of developing an application with modern technologies.  

Enterprise digital transformation is leaning more and more on cloud-native technologies, and the role of the modern CISO needs to evolve to keep step with this evolution. In the past year, the shift to remote work has accelerated these trends and digital journeys even further. Security plays a key role in making these changes possible and is becoming a key enabler for the flexibility and rapid speed of innovation that is much needed in the current ever-changing world. 

Today, the role of the CISO is measured not only on whether the business suffers losses because of a data breach, but also on how security preempts new initiatives and makes it possible to bring services and applications to market faster. At first, these changes may seem time-consuming, but this is a necessary move to fully appreciate the benefits of cloud-native security. As developments come about in cybersecurity, both in defense and attacks, organizations must be able to match these changes with sufficient tools, strategies, and cultures.

Dror Davidoff, CEO, Aqua Security