A Data-Driven Blueprint to Scaling Cloud Operations Security (Part 1 of 2)

Major Initiatives, Secure Product Lifecycle (SPLC), Security Automation

(This is part 1 of a 2 part series)

At Adobe, Cloud Operations Security involves helping to secure the infrastructure layer that typically spans the public cloud or the company’s data centers.  Cloud operations security helps find potential security gaps in the architecture, configuration and implementation of the cloud operational environments.  Conceptually this is the layer below application security and these security teams work in tandem to help secure the product offerings.

As we continually shape our security programs at Adobe, we want the programs to provide scalability, a high return on investment and risk prioritization. These goals help ensure that security work is most impactful (for both the security and product teams) and spans a breadth of products to drive an optimal velocity of risk remediation.

In this post you’ll learn the three facets of cloud operations security that we, as a central security team, leverage within Adobe. I will focus specifically on the third facet (the data plane), since it’s a fairly untapped area in security that has a lot of potential to help meet goals around risk remediation.

The Human Plane

We have found that engaging with teams, architectural deep dives and threat modeling help discover potential security gaps that could not be found purely through tooling. We have security researchers (security subject matter experts) who engage with product teams to review operational environments and log their findings in the team’s security tracking system for future remediation. The security researchers target the security of platforms that have the largest impact, to help enable the security of their clients. The consultative engagement of enumerating potential risks is followed up by the Technical Program Management (TPM) team to help teams negotiate and drive down potential security risks in a timely manner. The combination of the team talking through the details of their product, the security review done by the security researchers and then a combined effort by the TPM team and the product team to help track, prioritize and remediate potential risks typically has a high return on investment. This curated security roadmap is product-aware, as the security researchers help factor in key features and architecture during these security reviews.

One way to speed up this process for a higher return is to automate the security program tasks to help scale across the organization.

The Tooling Plane

As cloud operational security is also about the individual servers and hosts that make up the actual operational environment, we have tooling in place to help monitor the state of the security at scale.  The monitoring part of tooling also contributes to the security tracking of the team.  Security monitoring includes observing the configuration of the public cloud infrastructure as a service (IaaS) layer, the host configurations/logs and scans for potential vulnerabilities.

The security team also pushes secure solutions that involve central public cloud account provisioning, enabling federated access to the cloud environments, tools for secure secret storage and secure access to the hosts. This helps teams more easily build security into their products and environments at scale.

The next post in this series will dive deeper into the “Data Plane” to discuss methods for gaining better operational intelligence out of your security data.

(continue to part 2…)

Mohit Kalra
Director, Secure Software Engineering, Operational Security


Posted on 06-12-2019