Guardrails are designed to keep developers from unintentionally creating security issues in the cloud. Developers often move very quickly and are constantly under pressure to bring new products to market in the competitive digital era. The need for security governance and the speed of innovation often have two conflicting goals. The million dollar question is, can you provide these developers with the independence they need to spin up cloud environments in a matter of minutes, while ensuring that security is not compromised?
It is possible to find the right balance between governance and speed by providing guardrails for developers. Just as guardrails along the roadway keep drivers safe, guardrails can protect organizations from security risks in the cloud.
The Cost of Data Breaches in the Cloud is High
The 2020 Cost of a Data Breach report by the Ponemon Institute found that the average cost of a breach was $3.86 million, with the United States being the highest cost country in the world. According to the study, cloud misconfigurations (joint #1 with stolen or compromised credentials) were the most common causes of malicious breaches among organizations studied. Breaches due to cloud misconfigurations resulted in the average cost of a breach increasing by more than half a million dollars to $4.41 million.
Incidentally, Gartner also cited that there is more risk from cloud infrastructure misconfiguration than from workload compromise. Evidently, infrastructure security in the cloud is a serious matter. Infrastructure security should not be overlooked; this makes the decision between speed and governance hard. With guardrails for developers, you can strike the balance between taking into account security considerations and giving the freedom to developers to accelerate software innovation.
Choosing the right Guardrails for Developers
With the high cost of data breaches coupled with cloud misconfigurations being the #1 data breach reason, you should consider putting guardrails in place for your cloud infrastructure. Organizations will have different needs and establish their own set of guardrails, the following are a few sample guardrails for consideration.
- Always encrypt your data at rest
- Do not expose your database to the public
- Do not allow IAM permissions that can lead to privilege escalation
- Do not share the same IAM role for resources in the private and public subnets
- Ensure S3 buckets are not widely accessible or preferably they should be accessed through a VPC endpoint
Whatever guardrails you establish for your cloud infrastructure, when it comes to implementing and enforcing them, there are a few things to consider. Effective guardrails for developers should have these characteristics:
1. Shift Left Security
Many security teams only become involved late in the development cycle. Modern security programs are putting security controls earlier in the process. With infrastructure as code (IaC) being the best practice for spinning up resources using Terraform, AWS CloudFormation, Azure Resource Manager Templates, etc., you can place guardrails to guide developers toward security and prevent policy violations from the very beginning. Shift left security is not only good for reducing cyber risk, but also costs of fixing security issues.
2. Fully automated
Developers typically view security as inhibitors to innovation because they want a self-services infrastructure. While they can turn up resources in AWS or Azure in a matter of minutes, they don’t want to wait in line for a security review. Guardrails should be enforced automatically and be largely invisible to developers. They are always there to catch security issues and put developers on the right path. In other words, these IaC reviews should be fully automated, replacing the manual IaC review process.
3. Developer Friendly
The solution should be integrated with the developers workflows and tools they are already using, including Jenkins, GitHub, CircleCI, GitLab, etc.
4. Can’t be noisy
Noise is the number one challenge for implementing effective guardrails. Developers have often spent significant time and energy investigating security issues that turned out to be false positives. Noisy guardrails will only frustrate developers and cause them to be bypassed.
Guardrails for Developers – the Best of Both Worlds
Even with the best intentions, developers could still make mistakes and inadvertently introduce security risks in your cloud environments. Guardrails are a tool to protect your organization from security risks and it can be an effective tool to keep developers on the right path without sacrificing speed. However, the effectiveness largely depends on the implementation.