Medibank CISO’s key to a secure-by-design cloud

Alex Loizou, Medibank

Security engineers should work “shoulder to shoulder” with DevOps teams and cloud engineers to effectively bake in security within cloud environments from the get-go and ensure migration objectives can be delivered at pace, according to Medibank chief information security officer (CISO), Alex Loizou.

Security teams’ penchant for “marking someone’s homework at the end of a project” is greatly challenged in DevOps-dependent programs (of which cloud migrations are one of many), said Loizou, speaking at the FST Future of Security Melbourne 2022 conference.

The continuous nature of the DevOps lifecycle – one with “no queue” and “no beginning nor end” – makes such post hoc security analyses and remediation next to impossible.

“The DevOps cycle is continuous, and that means security’s involvement must be continuous too,” Loizou said.

His own solution is to “top and tail” the DevOps function with security expertise, including both security architects and engineers.

This involves, he said, providing the “fixed capacity of both security architecture skills – at the top – and security engineering skills – at the tail – to each DevOps team”.

“Your security engineer is working shoulder-to-shoulder with your cloud engineers. They’re ensuring that what’s delivered is secure, [and helps] the cloud engineers to also uplift their security proficiency too.

“They’re effectively technical, in the weeds, working on consoles together.

“The security architect, however, is taking a different role: they’re zooming out, they’re looking at the big picture, they’re trying to ensure what’s delivered doesn’t accidentally impact a different scope.

“What they’re also trying to do is make sure dependencies are likewise secure. And if there are any patterns – which hopefully there are – they’re actually being followed too.”

For Loizou, security needs to be as continuous as the DevOps cycle, which does, he acknowledged, require organisations to commit added capacity (i.e. resourcing) to these teams.

“The flip side, though, is that if you do get this right, your DevOps teams will actually be able to operate at their native speed, rather than security coming in at the end. Then security starts to operate like a partner, as opposed to a roadblock.”

Offering his concluding remarks, Loizou stressed the importance of developing “a strong sense of empathy between your security and your cloud teams”.

“Eventually, they should start looking like one team.”

“Embed security in the DevOps lifecycle and be present continuously.”