RESEARCH ON SECURITY ISSUES IN CLOUD ENVIRONMENTS AND SOLUTIONS USING THE "SECURITY AS CODE" APPROACH
Keywords: Security as code, Infrastructure as code, DevSecOps, DevOps, Cloud environments, software development cycle, security threats
"Security as code" is an approach to organizing security in cloud environments that integrates security controls, policies and best practices directly into the software development and deployment processes. Security requirements and configurations are expressed as code (scripts, templates, policy definitions and automated workflows), and that code is treated as an integral part of the software development life cycle: it is versioned, reviewed, tested and deployed like any other code. By embedding security measures in code, an organization obtains well-defined security controls that are applied consistently and enforced automatically across every phase of the life cycle (development, testing, deployment, operation), rather than checked manually after the fact. This article examines the main problems of building security in cloud environments and their causes; describes the components and principles of the "Security as code" approach; presents an implementation example with an explanation; discusses the advantages of the approach; and considers the role of DevSecOps. The aim is to help readers understand why Security as Code is one of the most effective methods for managing security in cloud environments. As cloud environments continue to evolve and proliferate and threats become more sophisticated, Security as Code represents a core strategy for proactively protecting digital assets. The publication serves as a guide to understanding, implementing and benefiting from the approach, and offers insight into the future cloud security landscape and the critical role of automation and integration in addressing today's security challenges. To support the research, an extensive review of the literature and articles on the Security as Code approach and its application was conducted.
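The following is an added illustration of the idea described above, not the article's own implementation example: a small policy-as-code gate that a CI pipeline would run against an infrastructure-as-code plan before deployment. Each security requirement is an executable policy function, the plan is evaluated against all of them, and a non-zero exit code blocks the pipeline. The resource format and the sample plan are constructed for the example (a simplified stand-in for a Terraform plan, not a real provider schema), and the three policies are illustrative choices, not the article's list.

```python
"""Policy-as-code gate for an infrastructure-as-code plan (added example).

Security requirements are expressed as code (policy functions), evaluated
against the resources a plan would create, and enforced automatically in CI.
The resource schema below is a constructed simplification of a Terraform plan.
"""
import ipaddress
import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy: str    # name of the violated policy
    resource: str  # resource that violates it
    message: str   # human-readable explanation for the pipeline log


# --- Policies: each takes one resource dict and returns a list of Findings ---

def no_public_storage(res):
    """Storage buckets must not be publicly readable."""
    if res["type"] != "storage_bucket":
        return []
    if res["config"].get("public_access"):
        return [Finding("no_public_storage", res["name"],
                        "bucket allows public access")]
    return []


def storage_encrypted(res):
    """Storage buckets must have encryption at rest enabled."""
    if res["type"] != "storage_bucket":
        return []
    if not res["config"].get("encryption_at_rest"):
        return [Finding("storage_encrypted", res["name"],
                        "bucket has no encryption at rest")]
    return []


ADMIN_PORTS = {22, 3389}  # SSH and RDP (assumed set of administrative ports)


def no_admin_ports_from_internet(res):
    """Firewall rules must not expose administrative ports to 0.0.0.0/0 or ::/0."""
    if res["type"] != "firewall_rule":
        return []
    findings = []
    for rule in res["config"].get("ingress", []):
        source = ipaddress.ip_network(rule["source"], strict=False)
        ports = range(rule["from_port"], rule["to_port"] + 1)
        # prefixlen 0 covers both the IPv4 and the IPv6 "anywhere" network
        if source.prefixlen == 0 and any(p in ports for p in ADMIN_PORTS):
            findings.append(Finding(
                "no_admin_ports_from_internet", res["name"],
                f"{rule['source']} may reach ports "
                f"{rule['from_port']}-{rule['to_port']}"))
    return findings


POLICIES = [no_public_storage, storage_encrypted, no_admin_ports_from_internet]


def evaluate(plan):
    """Run every policy over every resource; return all findings."""
    findings = []
    for res in plan["resources"]:
        for policy in POLICIES:
            findings.extend(policy(res))
    return findings


# Constructed sample plan: one compliant bucket, one non-compliant bucket,
# one firewall rule with a compliant and a non-compliant internet-facing entry.
SAMPLE_PLAN = {
    "resources": [
        {"type": "storage_bucket", "name": "app-logs",
         "config": {"public_access": False, "encryption_at_rest": True}},
        {"type": "storage_bucket", "name": "marketing-assets",
         "config": {"public_access": True, "encryption_at_rest": False}},
        {"type": "firewall_rule", "name": "web-sg",
         "config": {"ingress": [
             {"source": "0.0.0.0/0", "from_port": 443, "to_port": 443},
             {"source": "0.0.0.0/0", "from_port": 22, "to_port": 22},
             {"source": "10.0.0.0/8", "from_port": 3389, "to_port": 3389},
         ]}},
    ]
}


def main(argv=None):
    """Evaluate a plan file (JSON) or the built-in sample; return the exit code."""
    argv = sys.argv[1:] if argv is None else argv
    if argv:
        with open(argv[0], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = evaluate(plan)
    for f in findings:
        print(f"DENY [{f.policy}] {f.resource}: {f.message}")
    print(f"{len(findings)} violation(s)")
    return 1 if findings else 0  # non-zero exit code fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main())
```

Run with no arguments to evaluate the built-in sample (three violations, exit code 1) or pass the path to a plan file in the same constructed format. The point of the structure is that a new security requirement is a new function appended to POLICIES, reviewed and versioned with the rest of the code, and enforced on every pipeline run without a manual review step.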
License
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).