Security is the most sensitive aspect of development, especially when the target platform is a public cloud such as Amazon Web Services. To be effective, security needs to be part of the platform and systemic to the application. The core question: should the burden of securing AWS fall on security administrators, on developers, or be split between both teams?
The cloud security model is typically built around Identity and Access Management (IAM); as a result, security is more fine-grained and is often part of the application itself. Security is a priority, given that company assets, including data and the applications that interact with that data, reside in public clouds. With DevOps, updates ship several times a week, so it is important to automate the vetting of software for security vulnerabilities rather than rely on manual review alone.
Administrators should treat IAM as a business driver as well as a security technology. Those who deploy IAM must focus on the core business processes as well as the details of security. This is a recent shift: security was previously seen as a niche technical concern, and the business drivers were largely ignored.
Enterprises that develop mature IAM capabilities can reduce their identity management costs and, more importantly, become significantly more agile in supporting new business initiatives. It's easy to predict that IAM will be part of more than 50% of the existing applications that migrate to the public cloud, and of almost 90% of new applications built on clouds.
What's more, the use of IAM within cloud application deployments will backfill into the enterprise as enterprises modernize their security approaches and technologies to align with the use of public clouds. In many cases, IAM will be provided as a service back into the enterprise. This leads to the concept of cloud-delivered IAM and, consequently, to centralized identity management.
Security administrators and developers need to work closely together to deal properly with the complexities of IAM, dividing the responsibility between both groups. The best way to do this is to create a position in the DevOps organization (security development) that focuses solely on security within applications.
The person or people in this role would work closely with the cloud security administrators to secure AWS, speak with the voice of security in the scrums, and reinforce the importance of building security into the applications. They should also review code and create the scripts that test security.
Developers need to take responsibility for securing their own applications. However, they will receive direct assistance from security development on consistent coding practices and on the technology that will be employed within the DevOps organization. This balances the burden of security across developers, security development and security administration.