Last Updated on March 26, 2025 by Arnav Sharma
Security has traditionally been approached as a collection of discrete components, with application security (AppSec), cloud security, and infrastructure security each operating independently. But with modern cloud-native applications, those walls are no longer helpful. Threats don’t care about silos. A vulnerability in code can easily turn into a cloud breach if security teams aren’t connecting the dots.
That’s where a horizontal security model comes in ie. the one that doesn’t just focus on isolated risks but correlates security across code, CI/CD pipelines, and cloud infrastructure.
Why Security Silos Are a Problem
Traditionally, security teams have been structured like this:
- AppSec: Focuses on secure coding practices, vulnerability scanning, and DevSecOps.
- Cloud Security: Manages cloud misconfigurations, IAM (identity and access), and compliance.
- Infrastructure Security: Looks at the network, endpoint, and on-prem security risks.
The issue? These teams often don’t talk to each other enough. The result:
- Security gaps – Fixing a software vulnerability doesn’t help if the cloud environment it runs in is wide open.
- Slow response times – Without a clear picture of how threats move between code and infrastructure, detecting and responding to incidents takes longer.
- Overlapping tools and processes – Multiple security teams often use different tools for similar tasks, leading to inefficiency.
As more organizations move to cloud-native architectures, these silos make security harder instead of better.
The Shift to a Unified Security Model
Instead of treating security as separate pieces, a horizontal security model ensures that risks are identified across the entire code-to-cloud pipeline.
Key Principles of a Unified Security Approach:
1. Connect the Dots Between Code, CI/CD Pipelines, and Cloud Risks: Security issues rarely happen in isolation. A small vulnerability in an application might seem harmless during development, but once it’s deployed, it could become a serious problem—especially if it’s running in a misconfigured cloud environment. This is why security teams need to see the bigger picture rather than just looking at individual risks.
For example, imagine a developer accidentally introduces a security flaw in their code. If security teams only focus on scanning the code and don’t check how it interacts with cloud infrastructure, they might miss the fact that a misconfigured cloud storage bucket is making that vulnerability even worse. The goal is to correlate security risks across different layers—from the code itself to how it’s built, deployed, and runs in the cloud. This way, organizations can stop threats before they become full-blown incidents.
2. Security as Code: Security used to be all about manual reviews, audits, and checklists—basically, a lot of paperwork and slow processes. But modern development moves too fast for that. Security needs to become part of the code itself—meaning security policies should be automated and built into the development process.
With Security as Code, security checks are written into infrastructure templates and CI/CD pipelines, ensuring that misconfigurations and compliance issues are caught before anything is deployed. Think of it like this: instead of having someone manually check if a door is locked every day, you install a smart lock that automatically secures the door whenever it’s left open. Tools like Azure Policy, Open Policy Agent (OPA), and Sentinel help make security automatic and scalable—so teams can focus on building, without constantly worrying about security slowing them down.
3. DevSecOps in Action: Traditionally, security teams swoop in at the last minute, reviewing an application right before it goes live and pointing out all the problems. Naturally, this frustrates developers because fixing issues at the end is time-consuming and expensive. DevSecOps changes that by making security a team effort from the start.
Instead of treating security as a separate, final step, DevSecOps encourages developers, security engineers, and cloud teams to work together from day one. This means developers write secure code from the beginning, security teams provide guidance and automated tools to help, and cloud engineers make sure everything stays secure in production. When security is collaborative and continuous, it feels less like a roadblock and more like a natural part of development.
4. Shift Security Left AND Right: A lot of companies focus on “shifting security left,” which means catching security issues as early as possible—ideally while code is still being written. This is a great approach because fixing a vulnerability at the development stage is much faster and cheaper than dealing with it after an application is deployed. But stopping there isn’t enough.
Security also needs to shift right—which means continuing to monitor and protect applications even after they’re live. Hackers don’t care if your security team caught 90% of vulnerabilities before launch—they’re looking for that one weakness left behind. That’s why organisations need ongoing monitoring, threat detection, and response systems in place. By combining both proactive (shift-left) and continuous protection (shift-right), security teams can stay ahead of threats at every stage.
The Tech Making It Happen
1. Cloud-Native Application Protection Platforms (CNAPP): Think of CNAPP as a security all-in-one solution. It combines:
- CSPM (Cloud Security Posture Management) – Detects misconfigurations in cloud environments.
- CWPP (Cloud Workload Protection) – Secures running workloads (VMs, containers, serverless).
- CIEM (Cloud Infrastructure Entitlement Management) – Manages identity and permissions to prevent over-privileged access.
Tools like Microsoft Defender for Cloud, AWS Security Hub, and Palo Alto Prisma Cloud fall into this category.
2. Infrastructure as Code (IaC) Security: Infrastructure is now written as code (Terraform, Bicep, CloudFormation), so security should be too.
- Pre-deployment security scans ensure that infrastructure is configured securely before it’s deployed.
- Policy enforcement tools like Azure Policy, Open Policy Agent (OPA), and Sentinel help enforce security requirements automatically.
3. SBOM (Software Bill of Materials) & Supply Chain Security: Software supply chain attacks are rising, so knowing what’s inside your software is key.
- SBOMs help track dependencies and detect security issues.
- Tools like GitHub Dependabot and Syft automate dependency tracking.
4. AI-Driven Threat Intelligence: Modern security isn’t just about finding vulnerabilities—it’s about understanding attack paths.
- Microsoft Defender for Cloud maps out how a vulnerability in your code could lead to a full-blown breach.
- MITRE ATT&CK helps security teams understand attacker behaviours to stay ahead.
How to Implement a Horizontal Security Model
- Unify your security tools: If you’re using separate tools for cloud security, AppSec, and DevOps security, consider integrated platforms like Microsoft Defender for Cloud or AWS Security Hub.
- Embed security into development workflows: Use GitHub Advanced Security, SAST/DAST tools, and CI/CD security scanning so developers get security feedback early.
- Automate security policies: Enforce security guardrails at every stage using IaC security, compliance automation, and runtime protection.
- Encourage collaboration across teams: Move beyond just AppSec, CloudSec, and InfraSec teams working separately—get them talking and working on security together.
Final Thoughts
Security isn’t something you can bolt on after an application is built—it has to be woven into every part of the software lifecycle. By breaking down traditional security silos and shifting to a horizontal security model, organisations can move faster, improve threat detection, and stay ahead of attackers.