At this year’s AWS Summit Sydney, I was invited to speak about security culture and share a few practical examples of how organizations can build a positive security culture through increased visibility and enablement at all levels. But what is a positive security culture?
At Xero, we take a customer-centric approach with our product teams. In preparing for my talk, I spoke with another Xero team member who shared his approach to security:
If he needs to encrypt at rest, it should be easy.
Self-service trumps having to request things from another team, which in turn trumps having to raise a ticket. If it’s too hard, he will put it off until later.
If he needs to patch his instances for vulnerabilities, it has to be easy.
Ultimately, what he wanted was a faster response, fewer tickets, and more enablement for him and his teams. As a principal engineer on one of our product teams, he now treated these as key requirements that he expected my security team to deliver.
Attendees of my AWS Summit presentation went home with four key takeaways, and we will explore them in this post.
Here are the four guiding principles to govern your organization’s security policies:
“Shared responsibility” includes your developers and security partners
Operational visibility is required to embrace DevSecOps
Flexible access management directly helps with the principle of least privilege
Automated compliance (or “Compliance as Code”) is the next big challenge
Let’s drill down into each of these items.
Shared responsibility includes your developers and security partners
It is important to be aware of the shared responsibility model under which public cloud providers operate. This model clearly defines the responsibilities of each party when operating in the public cloud. However, from a practical viewpoint, this model has now been extended even further to include your security partners, who also take on some of the responsibility