Today, data breaches are becoming all too common. Whether due to human error, technology failure or malicious attack, data breaches are increasing with alarming scale and frequency.
According to CRN[1], breaches are not only increasing but changing in nature. The targets have gone beyond government agencies and Fortune 500 companies to include third-party contractors and data aggregators, security vendors, and solution providers themselves.
Last November, for instance, Uber disclosed that hackers had stolen information from up to 57 million rider and driver accounts. In September, the U.S.-based credit reporting firm Equifax revealed a huge data breach, caused by a vulnerability in a web application, which affected 143 million customers. The exposed data included names, birth dates, social security numbers, addresses and even driver's license numbers. [2]
In response, rigorous new data regulations in Europe and Australia put the security onus on organisations, with strict penalties now in place for those that fail to protect their data.
In Europe, the General Data Protection Regulation (GDPR)[3], which came into force on 25 May 2018, affects any Australian business that is established in the EU, offers goods and services in the EU, or monitors the behaviour of individuals in the EU. In Australia, the Notifiable Data Breaches (NDB) scheme, which commenced on 22 February 2018, applies to any Australian business governed by the Privacy Act 1988 that holds or processes customer data.
Under both the GDPR and the NDB scheme, businesses must adopt more transparent information handling practices, be accountable for them, and implement measures that demonstrate compliance with a rigorous set of privacy principles. Importantly, they must also take a privacy-by-design approach to security and compliance, or risk serious fines: up to $2.1 million under the NDB scheme, and up to €20 million or 4% of annual worldwide turnover, whichever is higher, under the GDPR.
In short, if data held by an organisation is exposed in a way that causes serious harm to an individual, the organisation pays the price.
Everything in the cloud operates under a shared responsibility model. Cloud vendors such as AWS and Azure are responsible for securing their platforms, and managed service providers take similar responsibility for the architectures and operating systems they provision and manage on those clouds. Security at the application layer, and of the data the application handles, generally remains the responsibility of the organisation that owns it.
Today, more and more organisations are moving away from a rigid approach to development, where everyone has a pre-defined role and tasks to complete, towards a more fluid Agile and DevOps culture. An Agile methodology is built on development teams working with the business to scope and prioritise work iteratively.
DevOps is the practice of having development and operations work closely together, in one team, to remove friction from the deployment process. With a DevOps culture, an organisation builds Agile cross-functional teams, and end-to-end application deployment becomes a shared responsibility. However, as IT and development become increasingly complex, fast-paced and Agile, the traditional approach to security, in which an organisation designs an application or system, tests it, secures it and only then launches it, becomes slow and cumbersome. Imposing traditional Waterfall controls, security and governance on such teams is often seen as a roadblock, and can lead some to circumvent those measures entirely. This harks back to the shadow IT that accompanied the first introduction of public cloud.
How do you remediate these challenges?
The answer is DevSecOps.
With DevSecOps, security is everyone's responsibility and everyone has visibility of the security processes, yet governance is retained. Because security controls are defined in pipelines and as code, a minimum viable security baseline can be established once and reused. However, we believe that hardening and controls should not only be applied from templates; they should also be verified, using a combination of automated analysis and targeted review, as part of the automated gating that decides whether a feature can be deployed.
Leveraging this approach, security becomes highly iterative, with DevSecOps engineers continuously monitoring, finding and resolving defects before attackers do. Just as in workplace safety, the highest level of control for a security risk is to eliminate the exposure before it occurs. Regular vulnerability testing as part of a DevSecOps regime identifies real and potential weaknesses and, combined with penetration testing and intelligence-led security testing, builds a continuous, proactive defence-in-depth posture.
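As an added example (not part of the original article and not AC3's own tooling), the following Python script shows what "controls defined in pipelines and code" with automated gating can look like in practice. It compares a hardening baseline against an artifact's effective configuration, evaluates vulnerability-scan findings against a severity policy that honours documented risk acceptances, and exits non-zero when either control fails, which is what a CI stage would use to block the deployment. All configuration keys, finding identifiers, components and findings are hypothetical, constructed sample data.

```python
"""Policy-as-code release gate (hypothetical illustration, not a real tool).

Two controls run before a feature is allowed to deploy:
  1. the hardening baseline (the "template") is compared with the
     artifact's effective configuration and any drift is reported;
  2. the findings from the pipeline's vulnerability scan are evaluated
     against a severity policy, honouring documented risk acceptances.
The gate passes only when both controls pass. Every input below is
constructed sample data, not output from any real scanner or system.
"""
import sys
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Hardening baseline expressed as code (hypothetical keys and values).
HARDENING_BASELINE: Dict[str, object] = {
    "tls.min_version": "1.2",
    "http.hsts": True,
    "debug.enabled": False,
    "session.cookie_secure": True,
}

# Severity policy: open CRITICAL/HIGH findings block the release;
# anything lower is reported as a warning and tracked, not blocked.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass
class Finding:
    id: str             # scanner's finding identifier (hypothetical here)
    severity: str
    component: str
    fixed_in: str = ""  # empty string when no fixed version exists yet


@dataclass
class GateResult:
    passed: bool
    drift: Dict[str, Tuple[object, object]] = field(default_factory=dict)
    blocking: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def check_hardening(effective: Dict[str, object]) -> Dict[str, Tuple[object, object]]:
    """Return {key: (required, actual)} for each baseline key that is missing or differs."""
    return {
        key: (required, effective.get(key))
        for key, required in HARDENING_BASELINE.items()
        if effective.get(key) != required
    }


def evaluate_findings(findings: Iterable[Finding],
                      accepted_risk: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split findings into blocking and warning lists, highest severity first."""
    accepted = set(accepted_risk)
    blocking, warnings = [], []
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK.get(f.severity.upper(), 0), reverse=True)
    for f in ordered:
        sev = f.severity.upper()
        label = f"{f.id} ({sev}) in {f.component}"
        if f.id in accepted:
            warnings.append(f"{label}: risk accepted")  # documented exception, still visible
        elif sev in BLOCKING_SEVERITIES:
            note = f"fix available in {f.fixed_in}" if f.fixed_in else "no fix available"
            blocking.append(f"{label}: {note}")
        else:
            warnings.append(label)
    return blocking, warnings


def run_gate(effective_config, findings, accepted_risk=()) -> GateResult:
    """Evaluate both controls; the gate passes only if neither reports a problem."""
    drift = check_hardening(effective_config)
    blocking, warnings = evaluate_findings(findings, accepted_risk)
    return GateResult(passed=not drift and not blocking,
                      drift=drift, blocking=blocking, warnings=warnings)


# Constructed sample inputs: one config setting drifts from the baseline,
# and the scan reports three findings of different severities.
SAMPLE_CONFIG = {"tls.min_version": "1.2", "http.hsts": True,
                 "debug.enabled": True, "session.cookie_secure": True}
HARDENED_CONFIG = dict(SAMPLE_CONFIG, **{"debug.enabled": False})
SAMPLE_FINDINGS = [
    Finding("HYP-0001", "critical", "libexample 1.0", fixed_in="1.1"),
    Finding("HYP-0002", "high", "webfw 2.3"),  # no fix yet
    Finding("HYP-0003", "medium", "logger 0.9"),
]

if __name__ == "__main__":
    result = run_gate(SAMPLE_CONFIG, SAMPLE_FINDINGS, accepted_risk={"HYP-0002"})
    for key, (required, actual) in result.drift.items():
        print(f"DRIFT    {key}: required {required!r}, found {actual!r}")
    for line in result.blocking:
        print(f"BLOCKING {line}")
    for line in result.warnings:
        print(f"WARNING  {line}")
    print("gate:", "PASS" if result.passed else "FAIL")
    sys.exit(0 if result.passed else 1)  # non-zero exit fails the pipeline stage
```

In a real pipeline the findings would be parsed from the scanner's report and the baseline loaded from a versioned template, while the risk-acceptance list would itself live in version control and be reviewed like any other change. Note that an accepted finding is still printed: the gate suppresses the block, not the visibility.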
How should you approach DevSecOps?
DevSecOps requires a team dedicated to its success, continuous effort, and a focus on the future. This is something AC3 designs and delivers through all of our offerings across Consulting, Delivery and Support.
If your organisation is interested in taking a more proactive stance on defence, and becoming DevSecOps enabled, the first step is to talk to an expert partner like AC3.
Get in touch with our team today.
Sources:
[1] https://www.crn.com.au/gallery/the-biggest-data-breaches-of-2017-480099/page1
[2] https://www.crn.com.au/gallery/the-biggest-data-breaches-of-2017-480099/page1
[3] https://www.oaic.gov.au/resources/engage-with-us/consultations/australian-businesses-and-the-eu-general-data-protection-regulation/consultation-draft-australian-businesses-and-the-eu-general-data-protection-regulation.pdf