Chapter 6. Cloud and DevSecOps

Our world is more connected than ever, and we rely on cloud infrastructure for practically everything. Switch your phone to “airplane mode” and you quickly realize how little can be done without connecting to the internet, to cloud services, and to cloud infrastructure. Because the world is so dependent on connectivity throughout our supply chain, we are incapacitated when a system or application we rely on every day fails, and exposed when one is breached. And because there are so many paths for attack, every connection, piece of software, and byte of data in a cloud infrastructure is at risk, and is therefore a risk within our supply chains.

Cloud security requires much more than hardening servers against intrusion by malicious actors. Responsibility for software security in a cloud environment goes beyond infrastructure security (Chapter 3), the secure development lifecycle (Chapter 4), and deployment management (Chapter 5). Designing a cloud environment or a cloud application requires additional knowledge in many areas, such as network security, configuration management, tokenization, patch management, threat detection, and more. The attack surface of a cloud environment is much larger than that of a single piece of software or firmware, because you must consider every layer of the environment, each of which may have a different owner and require a different skill set to secure.

There are many types of cloud models, and you may have every type within your organization. ...
