Find out how to enable developers to do what they wanted, when they wanted, as fast as they wanted
Moving fast
From the barrage of cyberattacks on enterprises to new threat vectors within networks due to the move to the cloud, CIOs and CISOs have more to consider around cybersecurity than ever before. Cloud has brought considerable benefits to business (agility, scalability, cost savings), but more often than not security can’t keep up. Achieving agile security in the cloud is a challenge many companies are beginning to face as they deploy cloud environments. Sami Laine, principal technologist at CloudPassage, reviews 10 guidelines from Xero, a cloud accounting platform for accountants and small businesses, which has helped developers release more than 1,400 new product features and updates securely over the last year.
Change the mindset of dev and ops teams
Developer and operations teams often see security as the anchor dragging productivity in the sand. While cloud has brought these two closer together, security is often an outlier. Introduce a new perspective that demonstrates how security can keep up with the pace of development, from day one.
Introduce a DevSecOps approach to security teams
To move quickly on projects and continuously iterate and deploy new products and solutions, Xero enlisted its security teams, calling them “security as a service,” allowing them to operate as a supplier within Xero’s walls. Xero also made sure its rapid response teams were running 24/7, and that its product security teams were aligned with the same trajectory as the rest of the organization.
Standardize on core security principles
To achieve an “always on” culture while maintaining an agile and secure state, Xero aimed to execute on three core security principles that mapped back to DevSecOps: API-driven security, security at speed, and security on-demand.
Adopt “API-driven security”
Xero steered away from traditional security systems managed by people logging into a console. By taking the human element out of the process, the company established a continuous integration methodology, which gave it consistency of delivery. For example, if a security policy needed to be adjusted, Xero changed it once in the automated pipeline, eliminating inconsistency across the system and unnecessary outages.
Create a security rapid response team
Xero also realized fast response times are imperative to giving a tech company a competitive advantage. To enact “security at speed,” Xero’s security teams implemented continuous measuring, testing and monitoring in an effort to iterate quickly.
Make use of the cloud
To achieve “security on-demand,” Xero deployed cloud-based technology to ensure its security posture was never static. It also worked closely with other leading enterprise security vendors to build scalable commercial and technical models that allow for on-demand security systems. This gave Xero’s security teams the ability to scale infrastructure up and down as needed.
Deploy a code-driven security infrastructure
Security shouldn’t have to be built up from scratch over and over. Xero’s deployment of a code-driven security infrastructure allowed for the repeatable and automated build and management of security systems.
Prioritize visibility and management
Xero wanted to pay for what it used rather than for peak cloud usage. Its work with Amazon Web Services and other vendors allowed it to adopt an agile, responsive approach to infrastructure and to build dynamic commercial and support models. End-to-end visibility lets Xero take a granular approach to configuring the open-source tools that have helped the security team keep track of deployment, usage and management of cloud services.
Adopt elasticity and automation
As a central tenet of a defense-in-depth strategy, Xero monitors, detects and defends at the host level. This strategy is central to Xero’s agile approach to security, from deployment through to operations.
Secure support from decision-makers
Buy-in and support from key decision-makers reinforces intention. To solidify its support of agile security, Xero’s decision-makers rounded up and demonstrated support from soup to nuts. Xero knew security and speed were not mutually exclusive, and that if a security team isn’t agile, it can block the pace of an organization. Once the effort was supported from the top, Xero achieved continuous and secure innovation with agile security.