Product and infrastructure engineering groups are usually not at all times aligned with the pursuits of safety engineering groups. Whereas product and infrastructure deal with driving enterprise worth and delivering sensible options, safety focuses on detection, prevention, and remediation, which might appear much less instantly invaluable. Like an insurance coverage coverage, it is not solely apparent why it is definitely worth the cash or effort when there hasn’t been an incident but.
As a substitute of the normal cycle of figuring out vulnerabilities, making use of remediation, and following up via case administration, I’ve discovered it way more efficient to advocate for safety options that additionally ship enterprise worth. For instance, utilizing OAuth and IAM-based entry as a substitute of static keys and encryption as a substitute of extra granular entry management can considerably simplify infrastructure, scale back complexity, and reduce the operational burden, making them very interesting to each product and platform engineering groups.
An Instance: Exchange Static Keys With IAM-Based mostly OAuth
Historically, entry between techniques is carried out by way of static key-secret pairs. Whereas widespread, this methodology typically results in reliability points as a result of complexity of managing key technology, rotation, and utility lifecycle. Platform groups should additionally make investments vital effort in monitoring and detecting anomalies to stop surprising key-secret compromises, corresponding to unintended publicity by way of Slack or GitHub. Even when builders report and remediate leaks, the rotation course of may be laborious. Worse, builders might contemplate it a low-risk leak, and the leak can go unreported.
Based on ISO/IEC 27001:2022, A.9.1:
Organizations should implement insurance policies and procedures to regulate entry to data, making certain it is just accessible to these with a legit want.
Platform groups have two selections:
- Add extra advanced entry controls and approval processes.
- Exchange static key-secret pairs with IAM-based OAuth.
The primary possibility may be tempting, because it includes merely including a vendor like ServiceNow with out a lot extra work. Nevertheless, the second possibility, whereas requiring extra implementation adjustments, is safer and reduces the operational burden on utility groups to replace secrets and techniques, restart pods, and guarantee secrets and techniques are picked up. In actual fact, a number of firms specializing in non-human id authentication, corresponding to P0 and Clutch, have lately emerged, highlighting the rising development in direction of safer and environment friendly authentication strategies.
This instance demonstrates how a distinct strategy to safety implementation can enhance safety requirements, simplify infrastructure structure, and improve total developer velocity.
The Case for Knowledge Encryption
Knowledge encryption is one other instance the place, though safety groups can not merely “add a vendor,” it considerably reduces complexity and implementation efforts throughout all platforms from each safety and structure design standpoints.
The standard knowledge circulation includes:
- Supply utility publishes knowledge
- Knowledge is distributed to a transport layer (e.g., Kafka, Kinesis)
- Knowledge is saved in a database (MySQL, Postgres), knowledge warehouse (Redshift, Snowflake), or knowledge lake (S3, Databricks)
Totally different options have completely different interpretations and implementations of “access control,” main platform groups to implement their very own variations. This typically leads to fragmented implementations throughout the corporate. For safety engineers, the extra fragmented the implementations are, the tougher it’s to implement standardized governance, management, and monitoring, in the end making the system much less safe.
Infrastructure/Vendor Auth and Permission Comparability
Conclusion
With knowledge encryption, entry is configured as soon as with a crypto key and might then be assigned to particular person workloads at completely different levels of the information circulation. This considerably reduces the complexities concerned in implementing and aligning permission insurance policies throughout completely different platforms. Encryption ensures that knowledge is constantly protected throughout all platforms, simplifying governance and management whereas enhancing total safety.