Existing cybersecurity architectures and operating models break down as companies adopt public-cloud platforms. Why? Almost all breaches in the cloud stem from misconfiguration, rather than from attacks that compromise the underlying cloud infrastructure. So cloud requires secure configuration of applications and systems. But traditional cybersecurity mechanisms were not designed to ensure secure configuration or to operate at the tempo required to capture the benefits of agility and speed that business leaders expect. As a result, as companies try to capture cloud value, they must adopt new security architectures and processes to protect their cloud workloads. Cloud migration can then increase not only the delivery of business value but also the security of companies' systems and applications compared with the old on-premises world.
“Security as code” (SaC)1 has been the most effective approach to securing cloud workloads with speed and agility. At this point, most cloud leaders agree that infrastructure as code (IaC) allows them to automate the building of systems in the cloud without error-prone manual configuration. SaC takes this one step further by defining cybersecurity policies and standards programmatically, so that they can be referenced automatically in the configuration scripts used to provision cloud systems, and so that systems already running in the cloud can be compared with those policies to prevent “drift”2 (Exhibit 1). If the business, for example, sets up a policy that all personally identifiable information (PII) must be encrypted when it is stored, that policy is translated into a check that runs automatically whenever a developer submits code. Code that violates the PII policy is automatically rejected.
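As an added illustration (not code from the original article or from any particular SaC product), the PII encryption-at-rest policy described above is expressed below as code and applied in the two places the paragraph names: as a gate on a declared configuration before anything is provisioned, and as a drift check that compares a deployed inventory with that declared configuration. The resource schema, field names (`tags.data_class`, `encryption.at_rest`) and the sample resources are constructed for this example and do not follow any real cloud provider's or IaC tool's format.

```python
"""Security as code: 'PII at rest must be encrypted', as a pre-deploy gate and a drift check."""
import copy
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a simplified, plan-like description of storage resources.
# The field names are assumptions for this example, not a real provider schema.
PLAN = [
    {"name": "customer_records", "type": "object_store", "tags": {"data_class": "pii"},
     "encryption": {"at_rest": True, "kms_key": "alias/pii"}},
    {"name": "public_assets", "type": "object_store", "tags": {"data_class": "public"},
     "encryption": {"at_rest": False}},
    {"name": "billing_db", "type": "database", "tags": {"data_class": "pii"},
     "encryption": {"at_rest": False}},            # violates the policy
]

# Same plan with the violation corrected, to show the gate passing.
FIXED_PLAN = copy.deepcopy(PLAN)
FIXED_PLAN[2]["encryption"]["at_rest"] = True

# Constructed inventory of what is actually deployed: someone disabled encryption on
# customer_records outside the IaC pipeline (e.g. via a console), i.e. configuration drift.
LIVE_STATE = copy.deepcopy(PLAN)
LIVE_STATE[0]["encryption"]["at_rest"] = False


@dataclass
class Violation:
    resource: str
    rule: str
    detail: str


def _is_pii(resource: Dict) -> bool:
    return resource.get("tags", {}).get("data_class", "").lower() == "pii"


def rule_pii_encrypted_at_rest(resource: Dict) -> List[Violation]:
    """Policy: every resource classified as PII must have encryption at rest enabled."""
    if not _is_pii(resource):
        return []
    if resource.get("encryption", {}).get("at_rest") is True:
        return []
    return [Violation(resource["name"], "pii-encrypted-at-rest",
                      "encryption.at_rest must be true when tags.data_class is 'pii'")]


# The policy set is ordinary code: reviewable, versioned and reusable by every pipeline.
RULES = [rule_pii_encrypted_at_rest]


def evaluate(resources: List[Dict]) -> List[Violation]:
    """Apply every rule to every resource and collect the findings."""
    findings: List[Violation] = []
    for resource in resources:
        for rule in RULES:
            findings.extend(rule(resource))
    return findings


def gate(resources: List[Dict]) -> bool:
    """Pre-deploy gate run when code is submitted: True means the change may proceed."""
    return not evaluate(resources)


def drift(deployed: List[Dict], declared: List[Dict]) -> List[str]:
    """Drift check: deployed resources whose encryption settings differ from the declared
    configuration, plus deployed resources the declared configuration does not know about."""
    declared_by_name = {r["name"]: r for r in declared}
    drifted: List[str] = []
    for live in deployed:
        want = declared_by_name.get(live["name"])
        if want is None:
            drifted.append(f"{live['name']}: not in declared configuration")
        elif live.get("encryption") != want.get("encryption"):
            drifted.append(f"{live['name']}: encryption differs from declared configuration")
    return drifted


if __name__ == "__main__":
    for v in evaluate(PLAN):
        print(f"REJECT {v.resource}: [{v.rule}] {v.detail}")
    print("gate(PLAN) =", gate(PLAN), "| gate(FIXED_PLAN) =", gate(FIXED_PLAN))
    for line in drift(LIVE_STATE, PLAN):
        print("DRIFT", line)
    # Drifted resources are also re-evaluated against the same policy code, so prevention
    # (the gate) and detection (the drift check) share one definition of 'compliant'.
    for v in evaluate(LIVE_STATE):
        print(f"NON-COMPLIANT {v.resource}: [{v.rule}]")
```

The point of the design is that `RULES` is the single source of truth: the same function that rejects a submission in the pipeline is what the drift check reuses on the deployed inventory, so a policy change in one place takes effect in both.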