---
Title: The Values Behind Scaling Cloud Native Security at Grafana Labs
Author: Thomas Owen
Tags: readwise, articles
date: 2024-01-30
---
# The Values Behind Scaling Cloud Native Security at Grafana Labs

URL:: https://grafana.com/blog/2021/12/20/the-values-behind-scaling-cloud-native-security-at-grafana-labs
Author:: Thomas Owen
## AI-Generated Summary
In my first weeks as Chief Information and Security Officer, I met our team, faced our first 0day, and created Grafana Labs' security manifesto.
## Highlights
> TL;DR our security manifesto
> • **Bias to action** - Do both “something now” and “refine later,” experiment fearlessly, test repeatedly, iterate and fail quickly.
> • **Enable ownership, create accountability** - Key DevOps values of ownership and accountability cannot operate at scale without enablement, which is our job.
> • **Serve the user where they live** - Don’t expect an engineer to log into a security tool; bring the insights to them to drive outcomes.
> • **Share openly and default to transparency** - Grafana has an incredible culture of autonomy, transparency, and collaboration. Always use the hivemind.
> • **Accurate data, actionable insights** - If you have 50,000 findings, you have none. Help teams understand what to focus on, when, and why.
> • **Beautiful experiences** - Our tooling and process definition of “done” includes “does this spark joy?”
> • **Dogfood and open source** - Solving security at scale is an observability problem. Build our solutions out of and into the Grafana Stack, supporting the open source community. (And don’t consume open source without trying to give back!)
> • **Operational benefit drives compliance** - Security first, then compliance.
> • **Security is a product function** - If we solve a problem for ourselves, why wouldn’t we also offer the solution to our users and customers?
> • **Minimum viable security controls** - Always implement the necessary security controls, only ever implement the necessary security controls. ([View Highlight](https://read.readwise.io/read/01fsy3hgsceqje4j1aywbqhaxj))
> We will experiment fearlessly without worry over failure. ([View Highlight](https://read.readwise.io/read/01fsy3j0gnd3mbqtwwqv6yt0mj))
> We will actively support and develop autonomy and engineer-led design through a focus on decentralization and creating self-service tools, processes, and experiences ([View Highlight](https://read.readwise.io/read/01fsy3jdwce6gfg91f8tb6ws4d))
> Security is only one of the non-functional requirements that engineers and R&D teams own. We do not expect engineers and service/risk owners to log into security tools in order to achieve our shared aims. We will abstract our users from the underlying tools and will serve actionable data and insights to engineers and owners in their daily systems. We will dogfood the Grafana Stack wherever possible to achieve this. Our primary intent is for engineers to never have to log into security-specific tooling — unless they want to, in which case we want to ensure they always have access when needed. ([View Highlight](https://read.readwise.io/read/01fsy3jx9v2n3vzzc73qkkzgbn))
> We will commit to honest, open, and pragmatic discussions where any Grafanista can comment on, critique, or suggest solutions to problems we’re facing or actions we’re taking. Whenever we start a new project or plan to make a significant change, we will provide an opportunity and encourage open discussion about our plans. ([View Highlight](https://read.readwise.io/read/01fsy3k212jr7x249feyphmnpd))
> We will publish and regularly update a list of projects we are working on, what their objectives and intentions are, and what our progress is. We invite continual and open feedback based on this list. ([View Highlight](https://read.readwise.io/read/01fsy3k57ev8zswb4yd9zhtqkp))
> Security shouldn’t be an enterprise solution; ours is a big tent philosophy. Whilst we want to cherry-pick from the best of breed vendors who seem to be making siloed and market-grabbing platform plays, we will build on these towards something that serves ourselves and users of all sizes. As we mature we will take a product-led approach to security improvement and feature development, treating all security requirements (customer, internal user, state of the art, risk tolerance, compliance, and regulation) as user requirements. ([View Highlight](https://read.readwise.io/read/01fsy3kvq5yqhw8stm1sp4btb7))