Better collaboration between cloud engineers and security teams should grow naturally with cloud maturity. You want to get past security being seen as the “department of no” by the cloud team. Such efforts need to come from management and the teams themselves through old-fashioned relationship building, data sharing, and other cross-team efforts. With a little proactivity and cross-team communications, you can break down traditional silos to ensure both teams can best support the other when a breach occurs.
Here are some tips on how to improve collaboration between cloud engineers and cybersecurity teams:
1. Ask questions up front; talk early and openly
Wayne Anderson, a security architect in Microsoft’s Modern Work Office of the CTO, stresses that security—safeguarding system users’ trust and privacy—is the responsibility of everyone in the business. He recommends both teams to ask questions about how they can make security more effortless and less intrusive. Anderson also recommends that both teams discuss how to remove friction so that approvals and onboarding of critical resources such as budget, identity and access management, or domain assignment happen faster.
Look for venues such as team stand-ups and shared online channels to ask questions. If necessary, the teams should work out up front how to best ask questions of one another to save time and effort.
2. Define success for both teams to avoid conflict later
Both teams need an early definition of what “good” means, advises Anderson. The answer needs to account for your organization’s security criteria. Plus, the answer needs to satisfy the organization stakeholder setting the budget or approving the project to go forward.
“Build consensus early. Review the project concept and the services involved with the security team at a high level and find out the things that are immediate concerns,” he says. Planting a flag early gives both teams something to look back at later when reviewing concerns.
Resolving conflict is ultimately a business decision. So, one of the first and most critical things Anderson advises both sides: Don’t make security decisions a personal question. Work together to accelerate when items are missed. Focus on what the business needs and how to get there together, not the history of how the team or project got there in the first place.
3. Manage cloud account privileges tightly
Kayne McGladrey, CISSP and cybersecurity strategist at Ascent Solutions, advocates tight management over account privileges. It gives a granular view into your cloud team user accounts and privileges. It’s important that both teams understand and accept the need for controlling access up front.
When a cloud engineer has more administrator privileges than their job requires, an attacker can steal everything from data to virtual machines should that engineer’s credentials be stolen. McGladrey sees it as incumbent on cloud engineers to request only the privileges they require to do their jobs and no more.
Consequently, security teams should only grant the privileges necessary to the cloud team so they can do their jobs. The security team needs to have a defined workflow for requesting privilege escalation built into their organization’s ticketing system. Again, work with the cloud team on creating this process. Make it a discussion rather than an order.
4. Deploy information sharing tools
Venky Raju, a principal solutions architect/technology evangelist for ColorTokens, stresses the importance of using cloud-native and third-party tools that support information sharing between teams. He advises spending the time upfront to configure security and cloud management views that support your business and application perspectives.
Information sharing tools can take the form of a cloud management platform (CMP), security information and event management (SIEM) platform, or other security and backend management tools that deliver data and analytics both teams need to see during the software development lifecycle through deployment into operations
Also, keep open communications channels between the teams via Microsoft Teams, Slack, or other group chat platform, McGladrey advises. You can do that by setting up shared channels for cross-team or project communications. He also recommends each team appoint a go-to person to share and build the relationship between the teams.
5. Focus on data, not just the technology, to find common ground
“Both teams need to focus on the data, not the technology,” McGladrey advises. “As technologists, that might sound weird, but we don’t talk about technology breaches in the media.”
Companies are not fined because of technology problems, says McGladrey. They are fined because of data breaches that compromised personally identifiable information (PII) or personal health information (PHI) regulated under statutory data. McGladrey recommends that cloud teams be open and transparent about where the organization is storing its data and document the locations. If the security team is unaware of where the data is stored, they can’t collect any telemetry or deploy any complex security controls.
6. Keep a hardcopy of your security and cloud documentation
Raju advocates documenting your major security and cloud decisions and maintaining hardcopy versions of those documents accessible to both teams in cases of a ransomware attack or other intrusion that may cut your teams off from their online documentation stored on backend systems.
Even if you don’t have access to a full-time technical writers, Atlassian Confluence and other platforms let you export content to Microsoft Word-friendly formats that you can print out to hardcopy and place in a binder for your teams to access in cases of emergencies. The trick is to stick to simple formats and create a maintenance schedule or even a tabletop exercise that prompts your teams to not forget to update the hardcopy version of their docs.