Accenture takes an industrialized approach to safeguarding its cloud controls

When Accenture’s cloud journey began in 2015, the company knew some significant changes were coming — and for the better. In the first year, the company expanded its cloud footprint from 9% to 90% for all its business applications after it realized cloud could reduce the time and effort needed to design, build and deploy applications at scale and speed. Within the first three years, CSO 50 2023 honoree Accenture saved more than $20 million.

“We took an old-school, pre-industrial age approach to securing these objects. Rather than creating a proper industrialized process that made security a part and parcel of the development lifecycle from start to finish, it was very bespoke,” Accenture CISO Kris Burkhardt tells CSO.

This method worked initially but quickly became inefficient as Accenture’s cloud security needs grew more complex across thousands of cloud accounts, with millions of resources being deployed. It involved multiple stages, multiple gates and people from multiple teams. The problem was further exacerbated by Accenture’s multi-cloud environment.

Accenture builds its own security suite

Burkhardt explains that a tailored approach to security was, however, the best option at the time, as there was a lack of readily available security cloud solutions. “There weren’t providers out there who offered security suites and certainly not cross-cloud security suites, so we had to create our own,” he says. “We did it to get by and it worked okay, but as our developers grew and were able to take advantage of the flexibility and the ease of procurement of VMs and the cloud, we realised we had to do something different. We were just not able to keep up with the rapid pace of our developers.”

Some of the specific security issues that arose included ensuring only relevant users had access and privileges to certain data, objects, code or applications. Burkhardt added that the trick was also about “keeping up with the flow of objects and the two or three unique things about every one of those primary building blocks that come with them”.

The complexities around cloud security also became a barrier for Accenture’s developers. Security was often an afterthought; developers only thought about security at the end and perceived it as a less important step before a product could go live. “We want our developers to spend their creative energy on their own projects, not on cloud security; cloud security should just work for them,” Burkhardt says. “We were concerned we were going to slow them down as we’re really in the business of helping our developers be more successful by keeping them secure in the easiest way possible. We realised to keep going at pace and to remain competitive or be more competitive, we had to enable faster controls.”

Unfortunately, it was a problem that Burkhardt admits no one, not even he, saw coming. “When you no longer have to plan to procure the right size hardware or, when you no longer have to think about capital investments and you can go at pace and pick whatever VMs you need, whatever cloud objects you need at the speed and scale that you can achieve intentionally or unintentionally is incredible,” he says. “Securing the size of that and really understanding how to keep up with all that inventory, it was I think a challenge that nobody really understood was going to happen.”

Simplifying security through centralization

Once it realized the problem was only mounting, Accenture investigated potential solutions it could adopt to allow the company to streamline its entire cloud security compliance process and sustain it for the long term. The solution it adopted was a new lean process involving a partnership with Palo Alto Networks, one of Accenture’s long-term go-to-market partners, and the adoption of Prisma Cloud.

Accenture developed a virtual cloud control factory to support five major, global cloud infrastructure providers and enable reliable inventory; consistent log and alert delivery to support security incident detection; and predictable, stable, and repeatable processes for certifying cloud services and releasing security controls.

The factory features five virtual “departments”. Research and development performs service certification, control definition, selection, measurement, and continual re-evaluation; the production floor designs and builds controls; quality assurance tests the controls; shipping and receiving integrates controls with compliance reporting tools; and customer service provides support to users after a control goes live.

“What we decided to do was centralize that cloud control development, get all the needs into one place, start organizing them in a way that we could run them through a factory and get them out there so people can use common controls, common architecture that had a chance of keeping up with [our engineers’] innovation sitting on top of the [major cloud platforms’] innovation,” Burkhardt says.

Shaping security controls The Toyota Way

The decision to streamline its security controls follows The Toyota Way (TTW), a management philosophy based on 14 principles. Accenture has used it to help define the processes and tools necessary for its controls and cloud security compliance.

“[TTW] is a way of manufacturing. The reason we were interested in a manufacturing-style approach is because we needed to industrialize our security control production,” Burkhardt says. “Toyota is probably one of the more interesting companies to study in terms of quality of manufacture, speed and scale … we knew we needed to manufacture, if you will, these controls at scale. We wanted to be good at it, so rather than try to reinvent the wheel, we decided we better look at some other people who are really good at manufacturing at scale.”

Burkhardt explains some of the TTW principles that Accenture has put into practice include ensuring everyone involved in the cloud security compliance process can contribute so there is continuous improvement made to the process. The company has established a user acceptance board where developers and engineers are present, and anyone can raise their voice and suggest improvements.

Another principle, Burkhardt explains, is around building strong relationships up and down the supply chain from vendor to end customer. “We spent a lot of time seeking to understand how our developers were going to use objects in general and what ways were going to work for them from a security control perspective, and what ways were not,” he says. “We did not want to be one of these ivory tower security organizations that just dictated standards from above. Instead, we wanted to help our developers, so we tried to understand how they use it. Similarly, we wanted to partner with our vendors to develop what we needed and get them involved and have them understand what we’re trying to achieve.”

Standardization and efficiency are two other key principles behind TTW that Burkhardt highlights. “Rather than having different development teams try to address these standards in different ways that work for their area, we wanted to have a team that would create controls that were going to work for everybody in a way that developers expect it and in a way that they could count on,” he says.

Designing with security from the start

Since their introduction, the cloud control factory and Prisma Cloud have enabled reliable inventory; consistent log and alert delivery to support security incident detection; and predictable, stable, and repeatable processes for certifying cloud services and releasing security controls.

As a result, Accenture has more than doubled the number of certified services each month, resulting in an 84% increase in release controls in a single year. Additionally, the time between releases has reduced by 50%.

Other notable benefits, according to Accenture, include increased production of critical cloud controls and compliance checks and streamlined business operations by reducing the time and resources required for incident response and remediation. The adoption of the new methodology and platform also supports the next phases of Accenture’s plans to automate most of its security processes, from threat modelling to control deployments to preventive measures, the company says.

These days Accenture’s developers can also focus on their main tasks of solving business problems and innovating, without having to think too hard about security. There is now a separate team responsible for ensuring any controls the cloud control factory releases are compliant and secure.

“[Developers] are happy that they’re going to get to use approved cloud objects faster because we can approve them faster, so we can get the controls out faster,” Burkhardt says. “They’re happy they don’t have to think too hard about integration; they know that’s going to be done for them. It’s just one less thing for them to worry about. This is one of those areas where no matter how well you do security, your job is to be in the background and be invisible, so as long as we’re invisible and not stopping [our developers], that’s the best compliment in the world.”
