COMMENTARY: Security teams know very well that cloud technologies are fundamentally different. The traditional perimeter has disappeared. Any service, if misconfigured or compromised, can end up publicly exposed and discovered by automated bots scanning the internet.But while security teams understand this, operations and engineering teams might not.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Cloud procurement runs in a decentralized manner. Compute, storage, and networking services are now spun-up in isolation by different departments – accelerating development, but significantly increasing risk and complexity. It's not uncommon to discover shadow IT across business units, especially in fast-growing organizations that prize autonomy. Without central oversight, visibility suffers — and so does consistency in applying security policies.Security and development teams are not always on the same page. Here’s what security teams need to know about cloud development:Digital transformation has accelerated today, driven by AI. Cloud infrastructure no longer gets managed by a siloed IT department, it’s a strategic risk. Scaling innovation safely requires security that’s built in, not bolted on.This starts with understanding how teams are building and equipping employees with tools that support velocity, reduce friction, and close execution gaps. Embracing Secure-by-Design principles early on reduces risk, priming organizations to innovate and scale with confidence and agility, while maintaining the trust of users, partners, and regulators.Yogita Parulekar, founder and CEO, Invi GridSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
- The cloud engineering team may not offer security help: Security often leans too heavily on cloud team members who are already under pressure to innovate. Today, responsibility has shifted from centralized IT to engineering. DevOps teams must now understand network design, IAM, firewall rules, and monitoring – which isn’t a given. A fintech firm’s misconfigured cloud storage bucket went unnoticed for weeks, leaking sensitive data because no team clearly “owned” the asset. These types of oversights happen more frequently than organizations admit, and the push to stay lean and ride the AI wave makes mistakes like this inevitable and costly. AI lives in the cloud and consumes data – security can’t be an afterthought.
- DevOps teams probably don’t have cloud security expertise: Engineering teams want to build, not manage compliance. But cloud security requires specialized skills, especially in multi-cloud environments. Talent is scarce, salaries are on-the-rise, and piecing tools together has become a heavy lift that few teams are trained for. One retail audit found only one-third of DevOps engineers understood cloud security best practices. Missteps were frequent, compounded by the sheer number of tools, each with different configurations, alerts and learning curves. Additionally, this reveals both that there are lots of gaps in tool sets that teams need to stitch together, and also creates scenarios that are ripe for costly, damaging mistakes.
- Take the time to understand Shift-Left vs. Secure-by-Design: "Shift-Left" emphasizes early testing, once code gets written. But Secure-by-Design starts with architecture — threat modeling, access controls, and encryption from the outset, before a single line of code gets written. CISA’s Secure-by-Design initiative has prompted vendors to enable strong defaults like MFA and audit logging, but these steps are often missing in infrastructure plans. We've seen apps with strong application security run on flat, overly permissive cloud networks – introducing unnecessary risk. Shift-Left focuses on detection: finding issues in code. Secure-by-Design keys-in on prevention: ensuring issues aren’t introduced in the first place.
- Secure-by-Design applies to everyone: Every organization deploying cloud workloads — not just vendors — must adopt Secure-by-Design practices. Teams are responsible for the stacks they assemble. Infrastructure-as-Code remains powerful, but compliance scanning using a policy-as-code scanner introduces friction and comes in the way of taking innovative solutions to market fast. Engineers must write and manage security policies, a responsibility that’s often seen as a distraction. Further, once in production, console changes that bypass these code checks invite drift and technical debt. The challenge gets amplified in growing organizations where multiple developers can make changes directly in the cloud console without standardized review. At a tech startup, a critical IAM change was made through the cloud console and bypassed infrastructure code governance entirely. The resulting privilege escalation issue was detected by external pentesters, fortunately – a not uncommon situation.
- Secure-by-Design for cloud takes hard work: Centralized orchestration helps. All major cloud providers offer well-architected frameworks, but translating them into real-world operations is a challenge. It demands coordination across engineering, security, and operations. Teams need a platform that unifies expertise, guidance and orchestration, from building secure landing zones to secure provisioning and drift monitoring and remediation. Siloed tools and manual reviews can’t keep up. It’s especially true when infrastructure spans multiple accounts, business units, or cloud providers. A biotech firm improved visibility and reduced incident resolution by 70% after centralizing orchestration, easing coordination and reducing rework. Teams more quickly identified misconfigurations and responded without back-and-forth delays. The potential payoff: stronger, faster security and a more resilient infrastructure.
- Speed matters: Organizations need frictionless security tools. Engineers don’t have time for clunky workflows. If security slows development, they will find a way to bypass it. That risk becomes greater in environments in which innovation speed defines competitive advantage. The most effective tools offer unified pipelines for secure provisioning, drift monitoring and remediation, and end-to-end life cycle management of cloud resources. Such products should also bring teams together: architects, security, engineering, and operations, all working on a single platform reduces time consumed in back-and-forth interactions through roll-based access control (RBAC-based) approval for workflows. It promises visibility for decisions taken that would otherwise get buried in ticketing systems, offering the critical governance layer that speeds up the process of secure provisioning. Embedding real-time infrastructure policy seamlessly into deployments accelerates adoption and security without adding meetings.
