Cloudy with a Chance of Breaches
Defining and publishing data privacy policies is great (and usually mandatory by law), but failing to enforce them and suffering a data breach can do irreparable damage to the reputation of a business. 40% of consumers report that they have chosen a competitor after learning that a potential vendor failed to protect its customers’ data. This rate increases among frequent online shoppers, B2B buyers, and Gen Zers.
With the cloudification of application infrastructure and the switch from firewalled on-prem environments to complex and distributed virtualised deployments, software engineers need to take a different approach to securing digital assets throughout the SDLC. The shared responsibility model of cloud computing services may alleviate the overhead of securing servers, networks, and the application itself. Still, it deprives us of the traditional level of control we once had over our application’s storage and runtime environments.
Since so many sensitive data assets are handled in a cloud environment, in one way or another, by developers, integrating the principles of digital trust into the software development process is vital for business continuity and resilience and compliance with regulatory requirements. But where do you even start? How can you build trust in a virtualised, mercurial, complex, and shared infrastructure?
Defining Digital Trust from a Developer Perspective
According to Deloitte, digital trust is “the confidence among customers, employees, partners, and other stakeholders in an organisation’s ability to create and maintain the integrity of all digital assets (including data/information, architectures, applications, and infrastructure).” The ISACA, a global professional association, defines digital trust as “the confidence in the integrity of relationships, interactions and transactions among providers and consumers within an associated digital ecosystem.”
However you choose to define it, digital trust aims to ensure transparency, accessibility, security, reliability, privacy, control, ethics, and responsibility. It is an innumerable currency that flows within and between business entities. For programmers, developing and maintaining the digital trust of application users and other stakeholders entails protecting digital assets involved in the software development lifecycle. Generally speaking, digital trust in software development is based on three key principles: authentication, integrity, and encryption.
- Identity authentication is the provisioning, maintenance, and management of accounts and resources for individual users, machines, workloads, containers, and services.
- Maintaining the integrity of digital assets requires monitoring, observability, and well-defined asset ownership.
- Encryption of all data in transit between endpoints ensures unauthorised parties cannot intercept and decode it.
These may sound familiar, as they are also some of the foundations of DevSecOps and the secure software development lifecycle – SSDLC.
Overcoming Cloud Trust Issues with DevSecOps
Another pillar of DevSecOps is automation, embracing tools like SAST, DAST, and AI-enhanced monitoring and observability tools. Eliminating unauthorised access to data, data leakage, and cloud misconfigurations throughout the SDLC while maintaining development velocity is no easy feat. But, it will ultimately cost you and the business much less than the potential repercussions of a successful breach.
Along with a shift left approach to software security ownership, there was another, quieter shift left – that of digital trust. Digital trust is key to business growth in a connected world and must be adequately developed and maintained as an organisational effort and shift in culture. For DevOps professionals, this means adopting innovative security tools and DevSecOps best practices while empowering coders to seamlessly and effortlessly integrate these technologies into their workflows with one ultimate goal in mind: nurturing digital trust with all the stakeholders in your SDLC.
Dotan Nahum is the Head of Developer-First Security at Check Point Software Technologies. https://spectralops.io/ Dotan was the co-founder and CEO at Spectralops, which was acquired by Check Point Software, and now is the Head of Developer-First Security. Dotan is an experienced hands-on technological guru & code ninja. Major open-source contributor. High expertise with React, Node.js, Go, React Native, distributed systems and infrastructure (Hadoop, Spark, Docker, AWS, etc.)