Top 10 ways to achieve agile security

Find out how to enable developers to do what they want, when they want, as fast as they want

Moving fast

From the barrage of cyberattacks on enterprises to new threat vectors within networks due to the move to the cloud, CIOs and CISOs have more to consider around cybersecurity than ever before. Cloud has brought considerable benefits to business: agility, scalability and cost savings. But more often than not, security can’t keep up. Achieving agile security in the cloud is a challenge many companies are beginning to face as they deploy cloud environments. Sami Laine, principal technologist at CloudPassage, reviews 10 guidelines from Xero, a cloud accounting platform for accountants and small businesses, which has helped developers release more than 1,400 new product features and updates securely over the last year.

 

Change the mindset of dev and ops teams

Developer and operations teams often see security as the anchor dragging productivity in the sand. While cloud has brought these two closer together, security is often an outlier. Introduce a new perspective that demonstrates how security can keep up with the pace of development, from day one.

Introduce a DevSecOps approach to security teams

In order to move on projects and continuously iterate and deploy new products and solutions, Xero enlisted its security teams, calling them “security as a service,” allowing them to operate as a supplier within Xero’s walls. Xero also made sure its rapid response teams were running 24/7, and that its product security teams were aligned with the same trajectory as the rest of the organization.

 

Standardize on core security principles

To achieve an “always on” culture while maintaining an agile and secure state, Xero aimed to execute on three core security principles that mapped back to DevSecOps: API-driven security, security at speed, and security on-demand.

 

Adopt “API-driven security”

Xero steered away from traditional security systems managed by people logging into a console. By taking the human element away from the process, the company established a continuous integration methodology, which gave them consistency of delivery. For example, if a security policy needed to be adjusted, Xero did it once, eliminating inconsistency in the system or unnecessary outages.

 

Create a security rapid response team

Xero also realized fast response times are imperative to giving a tech company competitive advantage. To enact “security at speed,” Xero’s security teams implemented continuous measuring, testing and monitoring in an effort to iterate quickly.

 

Make use of the cloud

To achieve “security on-demand,” Xero also deployed cloud-based technology to ensure its security posture was never static. Xero also worked closely with other leading enterprise security vendors to build scalable commercial and technical models to allow for on-demand security systems. This gave Xero’s security teams the ability to scale infrastructure up and down as needed.

 

Deploy a code-driven security infrastructure

Security shouldn’t have to be built up from scratch over and over. Xero’s deployment of a code-driven security infrastructure allowed for the repeatable and automated build and management of security systems.

 

Prioritize visibility and management

Xero wanted to pay for what it used rather than for peak cloud usage. Its work with Amazon Web Services and other vendors allowed it to adopt an agile, responsive approach to infrastructure and to build dynamic commercial and support models. End-to-end visibility allows Xero to take a granular approach to managing the configuration of its open-source tools, which have helped the security team keep track of the deployment, usage and management of cloud services.

 

Adopt elasticity and automation

As a central tenet of a defense-in-depth strategy, Xero monitors, detects and defends at the host level. This strategy is central to Xero’s agile approach to security, from deployment through to operations.

 

Secure support from decision-makers

Buy-in and support from key decision-makers reinforce intent. To solidify its support of agile security, Xero’s decision-makers rallied and demonstrated support from start to finish. Xero knew security and speed were not mutually exclusive, and that a security team that isn’t agile can block the pace of an organization. Once the effort was supported from the top, Xero achieved continuous and secure innovation with agile security.
