As companies continue to migrate their business to the cloud, nothing is more important than safeguarding that infrastructure, especially with the steadily increasing number of threats. One study notes that hackers attack every 39 seconds, on average 2,244 times a day. The Ponemon Institute reports that the average cost of cybercrime for companies in 2018 was $13M, an increase from $11.7M the previous year.

At Adobe, we scale security through automation, which is an effective way to monitor our infrastructure and detect security drift. As part of our next-generation security automation and tooling, we wanted to challenge ourselves to improve our efforts further. Having reached a level of maturity, we re-evaluated our approach and are now shifting gears to the next level of security scale: moving from reactive remediation to proactive prevention. In other words, we want to ‘secure the public cloud by default’ through enhanced policy and controls that reinforce our existing cloud protections. Upfront prevention is the essence of our next-generation automation, which detects security gaps at provisioning time and helps prevent teams from creating insecure cloud resources.

We aim to automate as much as possible to continue to enhance Adobe’s cloud security and configuration standardization. This is especially needed as Adobe’s cloud footprint continues to grow and involves multi-cloud environments and technologies such as containers and orchestrators. Securing the public cloud by default aims to reduce human error and provide assurance that potential weaknesses are protected at multiple layers.

The Adobe cloud footprint is multi-cloud, spanning public and private clouds across different cloud providers. Our approach is to build security into the core of our cloud processes to proactively stop potential issues that could occur within the complex security landscape.

Using the Operational Security Stack as Foundation 

In order to enhance monitoring and protections for our multi-cloud operations, we looked to our foundational security infrastructure, what we call the Operational Security Stack, for opportunities to unify and extend our security resources. This allowed us to build off existing tools and identify immediate areas of opportunity. 

The Operational Security Stack is a unified collection of security tools that we offer as a security team to help solve common security problems and better protect Adobe’s environments and data. The stack is deployed company-wide to help bring security visibility into operational environments for reactive and proactive security teams.

The stack is set up with two main principles, standardization and prevention. With standardization, consistency across our security tools and processes was key to scaling our efforts throughout the company and also eliminating potential blind spots for the team. With prevention, the goal is to avoid unintentional mistakes and to centrally provide tools to solve common security problems without teams having to duplicate tooling efforts. 

The stack itself is organized with monitoring at the forefront, followed by workflow, infrastructure and process. The monitoring tools we use help scan for potential vulnerabilities and open ports, detect security drift in hosts and cloud configurations, and monitor the security health of Adobe’s infrastructure. Additionally, the stack helps our security team identify areas of opportunity and update our processes in reporting in a timely manner.



The workflow in the operational security stack allows our teams to implement security tooling and policies efficiently, securely provisioning new accounts and providing them with hardened operating system images, secure login to their infrastructure, tools to store secrets securely and more. We are extending this by further implementing our secure-by-default settings – this serves as our policy-based security controls in which the security controls are tested against the configuration of new resources being spun up in the cloud.

Public Cloud Security Controls

We cannot rely solely on individuals and their memory to ensure that every setting in these complex public cloud environments is operating error-free. That’s why we automate, standardize and put in place system-level controls that operate effectively when dealing with the numerous intricacies of cloud environments.

This is where our public cloud security controls come into play – they help us scale and reduce the attack surface. We’ve seen a number of benefits, including their ability to proactively prevent the creation of cloud resources that would violate security controls and a reduction in the engineering time needed to resolve security tickets. These controls and tools bring automated decision making and remediation into the security process where needed most, allowing our teams to focus on expanded ways to strengthen our security posture, while the more mundane tasks like filling out tickets are taken care of.
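The idea of testing controls against the configuration of new resources, and refusing those that violate them, can be sketched as a small provision-time gate. This is an added example, not Adobe's tooling: the control IDs, resource types and field names are hypothetical, and the sample requests are constructed.

```python
# Added example: provision-time policy gate. Control IDs, resource types and
# field names are hypothetical, not Adobe's controls or any provider's schema.
from ipaddress import ip_network

ADMIN_PORTS = (22, 3389)  # SSH, RDP

def storage_not_public(cfg):
    # Fail closed: a request that omits the field is treated as public.
    return cfg.get("public_access", True) is False

def storage_encrypted(cfg):
    return cfg.get("encryption", "none") != "none"

def no_admin_ports_from_internet(cfg):
    for rule in cfg.get("ingress", []):
        world = ip_network(rule["cidr"], strict=False).prefixlen == 0  # 0.0.0.0/0 or ::/0
        if world and any(rule["from_port"] <= p <= rule["to_port"] for p in ADMIN_PORTS):
            return False
    return True

# control id -> (resource type it applies to, check over the requested config)
CONTROLS = {
    "STG-01": ("storage_bucket", storage_not_public),
    "STG-02": ("storage_bucket", storage_encrypted),
    "NET-01": ("firewall_group", no_admin_ports_from_internet),
}

def evaluate(request):
    """Return (allowed, violated_control_ids) for one provisioning request."""
    applicable = {cid: chk for cid, (rtype, chk) in CONTROLS.items()
                  if rtype == request["type"]}
    if not applicable:  # no control covers this type yet: deny rather than wave through
        return False, ["UNREVIEWED-TYPE"]
    violated = [cid for cid, chk in applicable.items() if not chk(request["config"])]
    return not violated, violated

# Constructed sample requests, as a provisioning pipeline might submit them.
REQUESTS = [
    {"type": "storage_bucket", "config": {"public_access": False, "encryption": "aes256"}},
    {"type": "storage_bucket", "config": {"encryption": "aes256"}},
    {"type": "firewall_group", "config": {"ingress": [
        {"from_port": 0, "to_port": 1024, "cidr": "0.0.0.0/0"}]}},
    {"type": "vm_instance", "config": {}},
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["type"], evaluate(req))
```

The second request is denied even though it never asks for public access: the gate treats an omitted setting as insecure instead of trusting a provider default, which is what makes the result secure by default.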

Automation, system-level controls and standardization are key areas to focus on for the foundational framework. The security landscape is ever-changing and continually complex, so it is imperative to implement scalable and proactive security approaches, such as having proper controls in place to help secure the cloud by default and strengthen the company’s posture.

We employ proactive, automated measures to increase cloud security awareness and configuration at Adobe. Security is of the utmost importance and will continue to be part of the foundation behind a company’s success. This is just one more way Adobe helps our customers deliver trusted digital experiences to their users every day.

Mohit Kalra
Director, Secure Software Engineering

Major Initiatives, Secure Product Lifecycle (SPLC), Security Automation

Posted on 10-29-2020