Enabling Developer Teams to Deploy New Applications without Overhead | Cloud Security Guidance

Enabling Developer Teams to Deploy New Applications

Question

An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules.

They want to enable their developer teams to deploy new applications without the overhead of this full review.

How should you advise this organization?

Answers

A. Use Forseti with Firewall filters to catch any unwanted configurations in production.
B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.
C. Route all VPC traffic through customer-managed routers to detect malicious patterns in production.
D. All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

Explanations

Correct answer: B.

The organization wants to enable their developer teams to deploy new applications without the overhead of a full network and security review. Therefore, the advice should aim to balance the need for speed and agility in the development process with the need for security and compliance.

Option A: Use Forseti with Firewall filters to catch any unwanted configurations in production. Forseti is an open-source security toolkit for Google Cloud Platform (GCP) that helps with access control, auditing, and compliance. With the Forseti Firewall Rules Scanner, the organization can define policies that enforce firewall rules and flag unintended network access. However, this control only inspects firewall configurations, and it does so after resources already exist in production, so it cannot catch every security issue on its own. It can be a useful supplementary control but should not be the only one in place.

Option B: Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies. Infrastructure as code (IaC) enables teams to provision and manage infrastructure using code, which makes it easier to automate deployments and enforce policies. Static analysis of the IaC code can help to identify security risks and compliance violations early in the development process. This solution is more comprehensive and helps to address security issues early in the development process, reducing the risk of introducing vulnerabilities in production.
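To make the Option B recommendation concrete, here is an added example (not code from the original page) of the kind of static policy check a CI/CD pipeline can run before any infrastructure-as-code change is applied. It reads a Terraform-plan-style JSON document (the shape follows `terraform show -json` output, trimmed to the fields the policy needs; the plan below is a constructed sample) and blocks the pipeline when a `google_compute_firewall` ingress rule would expose anything beyond an assumed allow-list of public ports. The port allow-list and the private-range list are hypothetical policy values, not the organization's actual requirements.

```python
"""Static policy check for infrastructure-as-code firewall rules.

Added example (not from the original page): a minimal CI/CD gate that reads
a Terraform-plan-style JSON document and fails on over-permissive
google_compute_firewall resources before anything reaches production.
The plan document and the policy thresholds are constructed assumptions.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import List

# Constructed sample: shape mimics `terraform show -json` resource_changes,
# trimmed to the fields the policy needs.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"type": "google_compute_firewall", "name": "allow-https-public",
         "change": {"actions": ["create"], "after": {
             "direction": "INGRESS",
             "source_ranges": ["0.0.0.0/0"],
             "allow": [{"protocol": "tcp", "ports": ["443"]}]}}},
        {"type": "google_compute_firewall", "name": "allow-ssh-world",
         "change": {"actions": ["create"], "after": {
             "direction": "INGRESS",
             "source_ranges": ["0.0.0.0/0"],
             "allow": [{"protocol": "tcp", "ports": ["22"]}]}}},
        {"type": "google_compute_firewall", "name": "allow-all-internal",
         "change": {"actions": ["update"], "after": {
             "direction": "INGRESS",
             "source_ranges": ["10.0.0.0/8"],
             "allow": [{"protocol": "all"}]}}},
        {"type": "google_compute_firewall", "name": "old-rule-being-removed",
         "change": {"actions": ["delete"], "after": None}},
    ]
})

# Hypothetical policy: internet-exposed listeners may only use these tcp ports;
# anything broader must go through the full network and security review.
PUBLIC_ALLOWED_PORTS = {"80", "443"}

# Hypothetical definition of "internal": RFC 1918 space only.
PRIVATE_NETS = [ipaddress.ip_network(c) for c in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Violation:
    resource: str
    reason: str


def _is_public(cidr: str) -> bool:
    """True unless the whole range sits inside one of the private networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(p.version == net.version and net.subnet_of(p)
                   for p in PRIVATE_NETS)


def check_plan(plan_json: str) -> List[Violation]:
    """Evaluate every firewall resource the plan would create or update."""
    violations: List[Violation] = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "google_compute_firewall":
            continue
        change = rc["change"]
        after = change.get("after")
        if after is None or "delete" in change["actions"]:
            continue  # deletions never widen exposure
        if after.get("direction", "INGRESS") != "INGRESS":
            continue
        public = [r for r in after.get("source_ranges", []) if _is_public(r)]
        if not public:
            continue
        for rule in after.get("allow", []):
            proto = rule.get("protocol", "all").lower()
            ports = set(rule.get("ports", []))
            if proto == "all" or not ports:
                violations.append(Violation(
                    rc["name"], f"{proto} open from {public} on every port"))
            elif proto != "tcp" or not ports <= PUBLIC_ALLOWED_PORTS:
                violations.append(Violation(
                    rc["name"], f"{proto} ports {sorted(ports)} reachable from {public}"))
    return violations


def gate(plan_json: str) -> int:
    """CI exit code: 0 passes the change, 1 blocks the merge or deploy."""
    found = check_plan(plan_json)
    for v in found:
        print(f"BLOCK {v.resource}: {v.reason}")
    return 1 if found else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_PLAN))
```

Run against the sample plan, the gate passes the HTTPS rule (tcp/443 from the internet is on the allow-list), ignores the internal rule and the deletion, and blocks only `allow-ssh-world`. Because the check runs on the plan rather than on live resources, the over-permissive rule never exists in production; the developer gets the feedback in the pull request, which is the "shift left" advantage the explanation describes.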

Option C: Route all VPC traffic through customer-managed routers to detect malicious patterns in production. Routing VPC traffic through customer-managed routers can provide additional visibility into network traffic and help to detect and prevent malicious activity. However, this solution may introduce additional complexity and cost and may not be necessary if other controls are in place. It can be a valuable solution in some cases, but it may not be the best choice for this particular organization.

Option D: All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms. This option is not suitable for the organization's goal of enabling developer teams to deploy new applications without the overhead of a full network and security review. It also introduces additional complexity by running production applications on-premises, which can be expensive and challenging to manage.

In summary, option B is the best advice for the organization. It provides a comprehensive solution that addresses security issues early in the development process while allowing for the speed and agility that the organization desires.