Ready. Steady. Cloud.
The pace of application modernization is at an all-time high as organizations continue to strive toward their digital transformation goals, some long-standing and others spurred on by the COVID-19 pandemic. While the subtleties may differ, the general industry consensus is that the pre-COVID approach to remote work and on-premises software deployment will never be the same again.
During the last few years, we’ve seen a remarkable increase in the adoption of cloud computing, and whether it’s simply the adoption of a new SaaS platform or a lift-and-shift approach of applications onto IaaS services or even a full re-architecting and modernization approach into PaaS, CaaS and FaaS, it is evident that the promises of cloud have become more attractive to all and are steadily becoming a reality. Today we’re all on a journey to cloud.
The term ‘cloud’ can be confusing to some. When we say we’re on a journey to cloud, what do we actually mean? Is adopting a SaaS-based productivity suite like Office 365 or Salesforce really cloud? If we deploy our workloads onto another provider’s platform or into their datacenter, are we deploying to the cloud? What about the adoption of container-based technologies and orchestration platforms on-premises, is that considered cloud? Essentially, yes! Although this is quickly becoming an area of hot debate within the industry, in each of these cases we’re talking about some form of cloud computing. Each has its own nuances and offers the promise of cloud in slightly different ways, but the ultimate journey to cloud is more about the desired benefits than the destination. So the approach need not necessarily be the same for all, and our goals will almost certainly be different.
It’s incredibly easy to start your journey to the cloud. With public cloud providers, all you need is an email address and a credit card and you’ll have your workloads running in no time at all; with containers, a quick download of Docker or Podman and a command-line instruction or two and you’ve got running applications within minutes. I like to envision the journey to cloud as a staircase: it is super-easy to take the first few steps off the ground, but as we climb higher the journey becomes more arduous and we’re inevitably left searching for that guard-rail to provide assistance and security. In cloud computing terms, that guard-rail can simply be thought of as architectural and cybersecurity best practices.
As an industry we’re seeing large-scale improvement of security across the cloud providers and within the cloud-native product space. However, many areas still simply lack standards-based alignment, and it’s often a case of one cloud provider implementing security that only works within their platform and on their own products. But organizations today are not restricting themselves to a single cloud provider, nor should they: 98% of organizations are in the process of adopting hybrid multi-cloud architectures (according to an IBM IBV study from 2020). They are instead adopting a best-fit or best-of-breed approach to product and platform selection. Often running ahead are small feature-teams delivering rapid agility and extracting immediate business results. While these efforts are commendable, it’s only in the more mature cases that security is taken into consideration.
If the goal of DevOps was to remove the bottlenecks in the software development process, which I believe has for the most part been achieved, then the goal of DevSecOps is to remove the bottlenecks in the cybersecurity process to ensure that business can still extract rapid results without compromising on security.
DevSecOps is often used to describe two distinct approaches to securing the software supply chain. Firstly, it’s the concept of applying security to every step in the supply chain so that, rather than acting as a final gatekeeper to deployment, security assessments can be applied quickly, repetitively and early-on to ensure that the software artefacts are ready for deployment (from a security standpoint) by the time they reach business approval/signoff. This approach is seen as “applying security to DevOps”.
Secondly, it’s the concept of adopting a DevOps approach to security by embracing the DevOps principles, e.g., using an Infrastructure as Code approach to deploy new network segments when an application is deployed to cloud, or simply adding/changing firewall rules when a new service or feature is enabled. This should, of course, apply to all aspects of security: network, infrastructure, data, etc. The emphasis here is on the speed at which security controls can be applied in order to enable business. This approach is seen as “applying DevOps to Security”.
Securing the cloud construct, whether it’s the hyper-scale public providers, community and commodity clouds, private cloud, or even cloud-native platforms on premises, relies on the same principles:
- Protect the data
- Secure the workloads
- Restrict the networks
- Govern all identities
DevSecOps is an inclusive approach to security control with a primary focus on cloud and cloud-native, and is being embraced by organizations large and small who build their own software or simply deploy and configure commercial or open-source products. It’s the future of security for Dev and Ops teams and an amazing empowerer to traditional Security and SecOps teams.
When you’re ready to start your journey to Secure Cloud, we have a team of experts as well as the right solutions to empower you.