
Developers and admins must work together to secure AWS

Most AWS customers understand that security is a shared responsibility. But should the onus fall on security admins, developers or both?

Security is the most sensitive aspect of development, especially when the target platform is a public cloud such as Amazon Web Services. To be effective, security needs to be part of the platform and systemic to the application. The core question: should the burden of securing AWS fall on security administrators, on developers, or be split between both teams?

The cloud security model is typically based around Identity and Access Management (IAM); thus, security is more fine-grained and often part of the application itself. Security is a priority, given that company assets, including data and applications that interact with other data, reside in the public clouds. The use of DevOps means that updates occur at a rate of several times a week; it's important to automate vetting of the software to assess security vulnerabilities.

Administrators should focus on IAM as a business driver, as well as a security technology. Those who deploy IAM must focus on the core business processes, as well as the details around security. This is a recent shift, as security was previously seen as more of a geeky concept, and the business drivers were largely unconsidered.

Enterprises that develop mature IAM capabilities can reduce their identity management costs and, more importantly, become significantly more agile in supporting new business initiatives. It's easy to predict that IAM will be a part of more than 50% of the existing applications that migrate to the public cloud, and of almost 90% of new applications built on clouds.

What's more, the use of IAM within cloud application deployments will backfill into the enterprise, as enterprises modernize security approaches and technologies to align with the use of public clouds. In many cases, the IAM will be provided as a service back into the enterprise. This leads to the concept of cloud-delivered IAM and, consequently, the concept of centralized identity management.

Security administrators and developers need to work closely together to properly deal with the complexities of IAM, dividing the responsibility between both groups. The best way to do this is to create a position in the DevOps organization (security development) to focus solely on security within applications.

The person or people in this role would work closely with the cloud security administrators to secure AWS, speak with the voice of security in the scrums and reinforce the importance of building security into the applications. They should also review code and create the scripts that test security.

Developers need to take the responsibility for securing their own applications. However, they will receive direct assistance from security development as to consistent coding practices and technology that will be employed within the DevOps organization. This balances the burden of security across the developers, security development and security administration.


Who is in charge of AWS security in your organization?

You're right on the money in so many areas here.

There is more to the story in the way that security penetrates the traditional engineering and DevOps organizational structures. It can't just be a hired gun placed on the team -- it must become part of the DNA of the DevOps and Engineering staff. Unfortunately, we've arrived at a deficit of qualified security engineers in the industry, especially cloud-savvy ones. The security professionals (if any) at cloud organizations need to scale themselves through automation, cross-training of engineering/ops, and investment in technology to support their mission. Organizations can't just go hire the role because finding these unicorns is impossible for so many.

I strongly believe that the transition to DevSecOps is coming this year, just like the ops/eng transition to the DevOps model really arrived broadly a year or two ago. It doesn't make functional sense to exclude the team that built the product, infrastructure, and management structures from the security management and response events. In reality, they're best suited to front-end the common security challenges, leaving the security professionals to battlefield-marshal the troops and only jump into the fight when absolutely necessary.

Developers need to be made aware of their responsibilities when it comes to Secure Software Development practices, security testing as part of their quality process, and the obligation to schedule and budget for third-party assessments of their code. It's no longer acceptable to sling code over the wall and let someone else do the response. The ability of the DevOps organization to view the whole picture and respond accordingly is invaluable.

Organizations have to push their security limits just like they pushed the ops/eng (DevOps) envelope. Faster detection of risks and threats, faster response, native integration with their CI/CD pipeline… all of these are the foundation of a continuous security program that excels in cloud-centric organizations.