Software is eating the world. In the age of cloud computing, developers now own the security posture of your enterprise because the cloud is fully software-defined and programmable. If that scares you, it's because you haven't given your developers the tools to create secure systems. The good news is that you can, but you need to change how you think about security.
In the past, we thought about a "perimeter" that could be defended, but just reading the news for the last three decades or so shows that there was never really was a perimeter, and it could never be defended. Truly resilient systems are resilient all the way through, and the security perimeter was always a sort of Maginot Line, except vastly more expensive and even less effective.
A lot of people think that programmers are wild cards—that we like to break rules and play fast and loose. Simultaneously, many folks think we're masterminds who build a complete picture of the system we're creating in our minds and then sit down and write code. Both are false.
Programmers live in a world of constant experimentation and failure. Our compilers and tests tell us where we're wrong, most of the day, every day. We're good at responding to this by correcting our errors and getting our programs to work. In fact, we developers love overcoming the intrinsic complexity of our chosen profession and delivering working code back to our customers, peers, and bosses (in that order). Developers are experimenters and problem solvers, and security is just another problem. Sadly, to date it's largely been one that has been sequestered away from those most capable of solving it, but that's changing.
Traditional IT security has been about limiting and containing the work of developers and the behavior of users. Neither of these are effective, because unless developers have tools for building in security equal to the ones they have for building functionality the systems we're creating will be intrinsically insecure. When we try to contain users, the “users” we're most afraid of are themselves black hat programmers who are intent on attacking the system. Remember that programmers spend all day solving complex logic puzzles—your perimeter isn't going to be as complex as many other challenges we face. Unless we empower developers to solve security, we're fighting special forces with entrenchments and guard towers.
With cloud, for the first time in the history of computing, developers are in control of the computing infrastructure itself. It used to take a budget process, a large team, and months to build a complex network. I built three this morning, in a few minutes. This is because the cloud is fully software defined, and programmers automate things for a living. This is the opportunity in front of us—by giving programmers tools that live in our world and provide us the same feedback for solving security problems that our compilers and tests provide for functionality, we can leverage all that creativity to being secure and resilient as well as productive.
While you’re here…
Fugue is cloud security for developers, by developers. We make tools that bake security into the entire system lifecycle on the cloud. We’d love to show you how.
With Fugue, you can:
- Validate cloud infrastructure compliance for a number of policy frameworks like CIS Foundations Benchmark, HIPAA, PCI, SOC 2, NIST 800-53, ISO 27001, and GDPR.
- Get complete visibility into your cloud environment and configurations with dynamic visualization tools.
- Protect against cloud misconfiguration with baseline enforcement to make security critical cloud infrastructure self-healing.
- Shift Left on cloud security and compliance with CI/CD integration to help your developers move fast and safely.
- Get continuous compliance visibility and reporting across your entire enterprise cloud footprint.