If you managed to attend ExpertsLive NL and saw my session, or have managed to catch the slides, you will have heard me mention a couple of times, my mantra for deploying cloud solutions. This is security first, cloud second. In this post, I want to dive into this concept a little more, explain what it means and how we achieve it.
My use of this phrase comes from the Microsoft phrase "Mobile First, Cloud First". This goes back a couple of years and this mantra has changed as consumers requirements change in the public cloud. What hasn't changed though is my philosophy that in any deployment of any service in any location security should always come first.
I could spend time sharing horror stories where security has not been discussed first and has had a real impact on an organisation. I had an instance on Monday this week actually where security was an afterthought in many ways, what was deployed was simply inadequate from a security perspective. However, while useful to share stories it does not achieve anything. The action is what matters, which is why I have my own little framework and steps to go through.
If anything, it's less of a framework, more a way of working. It's really quite simple, in that all you need to do is think of security before anything else. All employees in every organisation have a responsibility to maintain information security. No more so than as an IT Pro where we often have access to or can more easily expose without realising sensitive data. So here are some tips to get you thinking.
- Engage your information security team as early as possible, trust me, doing this now rather than engaging them afterwards presenting a list of risks they have to work through will make your job much easier.
- Listen to what they have to say. As security professionals, they offer a really valued opinion and view on the architecture of applications. Especially when it comes to compliance and regulatory requirements.
- Include them in your testing plan, this includes penetration testing. For me, your information security team are a key relationship in your deployment.
- Security over functionality, simply put that in my opinion, security should always come over functionality. If functionality will compromise security, then go back and think about that functionality, is it needed? Can we design it another way?
At this point, you now have security risks identified, hopefully, addressed or in progress at the very least. It's now at this point you can go forward and start the application design. Armed with this information, it should now be fairly easy to incorporate all this feedback and information from the security team to ensure you are delivering a secure solution, this is known as security by design. For those working with data on European Union subjects, it's also a key requirement of GDPR. It's actually nothing new as well, previously called privacy by design, the only change under GDPR is that it is now a legal requirement.
I hope by reading this rather wordy piece that you have a better idea of where I am coming from. In some future posts I will put this into practice with some more technical focused articles on what you need to look out for and how you can address then in Microsoft Azure.