
How DevSecOps Will Make Your Organization Future-Ready

13 Mar 2019 3:00am, by

As the digital world quickly advances, IT teams and application developers are expected to make the development lifecycle of systems and applications shorter and shorter. They are also expected to align with the business’ objectives by delivering the appropriate features, fixes and updates. These circumstances make the cloud the most effective environment for much of the development that goes on today.

How the Cloud Changes Application Development

Lior Cohen
Lior Cohen is Senior Director of Products and Solutions for Cloud Security at Fortinet. He has over 20 years of experience working in the information security, data center network and cloud computing spaces. Lior serves as Fortinet’s lead for cloud security solutions with a focus on securing enterprise public cloud-based deployments and private cloud build-outs. Lior previously held a variety of vendor and customer side positions in the cloud security space, including cloud solutions architect, information security consultant and subject matter expert for SDN, virtualization and cloud networking for leading industry vendors.

Cloud migration is driven primarily by the performance, scalability, lowered costs and flexibility it offers. However, one of the first mistakes many organizations make is to try to apply their on-premises applications and application development strategies there, too. This approach doesn’t allow them to take advantage of fundamental cloud native capabilities.

Rather, organizations can get ahead of digital business model demands with the new development capabilities that the cloud offers, including:

  • Agile development: Faster, autonomous creation and updating of features is made possible by separating application functionality into microservices using different technologies (VMs, PaaS, containers, FaaS), which allows for rapid iterations across a foundational infrastructure that adapts quickly as development requirements shift. Developing cloud-based applications with this methodology requires application developers and IT operations to work closely together, a collaboration that emerged as the DevOps team, to ensure that development parameters and infrastructure resources are tightly and continuously integrated.
  • Rapid iteration: This means applying changes to an application as soon as a problem is identified, and frequently rolling out updates to the production application rather than waiting for sufficient issues to be collected to warrant a general update.
  • A CI/CD Pipeline: For rapid development and updating.
  • Development of minimum viable product: With just enough features to satisfy early customers and provide feedback for future development, the product is ideally supported by a flexible set of cloud tools and the ability to rapidly iterate changes.
  • Multivariate testing: Since applications are composed of combinations of changeable elements, this testing process — easily enabled in the cloud — helps determine which combination of variations performs the best.

How the Cloud Changes Security

Everything is software-defined in the DevOps “infrastructure as code” world. The difficulty, however, is that open models like these are also vulnerable to new types of attacks and represent a new set of risks. There have been several recent incidents, for example, where unprotected cloud storage buckets were left exposed, leaving confidential business and customer data publicly available on the internet.

Just as with legacy applications, merely shifting traditional, on-premises security to the cloud is not any easier and does not yield better results. Security must adopt the same development strategy, which means that DevOps needs to expand to become DevSecOps so that organizations can integrate security throughout the software development and delivery pipeline.

This development is intended to help build and deploy software with security woven into every step of the app development lifecycle. If development teams build applications with built-in security controls, operations teams can deploy them faster.

Shifting to Cloud Native Security

Assigning security resources to inspect traffic or respond to a threat needs to be instantaneous. Unfortunately, many of the security tools available in cloud environments have not been fully optimized for cloud functionality, which can cause threat detection and response to be delayed or incomplete.

Cloud-native security, however, is a major change to this process. “Cloud native” refers to applications that are designed to run in the same elastic and distributed way that cloud applications run and that modern cloud computing platforms require, which is very different from traditional security tools.

Cloud native security makes possible the full integration of metadata-based security policy across the infrastructure. This way, development and operations teams can operate as autonomously and securely as possible, unlike in traditional infrastructures. Further tools are cloud security posture management tools, which inspect and evaluate security at the cloud API level and identify security gaps that can later be presented to the DevOps teams to resolve rapidly in their CI/CD pipeline.
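A posture check of the kind described above, written as an added example (not code from the article or from any vendor): it evaluates a snapshot of storage-bucket settings against a tag-driven policy and tells a CI/CD stage whether to fail. The records are constructed and assume the shape of AWS S3 API responses; the `data-classification` tag name and the severity rules are assumptions.

```python
# Constructed snapshot (not real buckets), shaped like the responses of the
# S3 GetBucketTagging, GetBucketAcl and GetPublicAccessBlock API calls.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS,
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_READ = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
SNAPSHOT = [
    {"Name": "example-public-site", "Tags": {"data-classification": "public"},
     "Grants": [PUBLIC_READ], "PublicAccessBlock": None},
    {"Name": "example-customer-exports",
     "Tags": {"data-classification": "confidential"},
     "Grants": [PUBLIC_READ],
     "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, False)},
    {"Name": "example-build-cache", "Tags": {},
     "Grants": [], "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True)},
]

def evaluate(bucket):
    """Return (severity, message) findings for one bucket record."""
    findings = []
    pab = bucket.get("PublicAccessBlock") or {}
    label = bucket.get("Tags", {}).get("data-classification")  # assumed tag name
    grants = [g["Permission"] for g in bucket.get("Grants", [])
              if g["Grantee"].get("URI") in PUBLIC_GROUPS]
    # IgnorePublicAcls makes S3 disregard public ACL grants, so only count
    # the bucket as exposed when that flag is off.
    exposed = bool(grants) and not pab.get("IgnorePublicAcls")
    if label is None:
        findings.append(("MEDIUM", "no data-classification tag, policy cannot be matched"))
    if label != "public":
        if exposed:
            findings.append(("HIGH", f"public ACL grant {grants} on non-public data"))
        off = [f for f in PAB_FLAGS if not pab.get(f)]
        if off:
            findings.append(("LOW", f"public access block flags off: {off}"))
    return findings

def gate(snapshot, fail_on=("HIGH",)):
    """Evaluate every bucket; the pipeline stage fails on any fail_on severity."""
    report = {b["Name"]: evaluate(b) for b in snapshot}
    failed = any(sev in fail_on for fs in report.values() for sev, _ in fs)
    return report, failed

if __name__ == "__main__":
    report, failed = gate(SNAPSHOT)
    print(report)
    raise SystemExit(1 if failed else 0)
```

The untagged bucket is reported rather than silently passed, since a metadata-based policy has nothing to match on when the metadata is missing.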

There are at least three benefits to having a cloud native strategy:

  • Greater efficiency: The ability of a cloud native security application to access cloud native features and APIs also provides more efficient use of the cloud’s underlying resources. This translates to performance aligned with costs, with no need to overprovision security.
  • Higher performance: It is possible for cloud-native applications to deliver performance that is superior to non-native solutions.
  • Broader scalability: The security infrastructure can be applied at scale without the need to also re-architect for scale because a cloud native security application uses cloud services for delivery and cloud APIs for control.

Cloud Native Functionality in the Multicloud

When applications are migrated to the cloud, the cloud environment becomes an extension of the traditional on-premises network, with highly sensitive corporate data flowing across both. This requires you to visualize and manage policies across both environments consistently and cohesively, through a single pane of glass, to continually meet security and compliance requirements, regardless of where data exists or transactions occur.

As organizations adopt a multicloud strategy, the challenge becomes even more complicated. Cloud infrastructures by different vendors are fundamentally different from each other, so cloud native solutions may not always function the same. This requires processes and tools that are not only effective but that have identical functionality and controls in every context.

One possible fix is to steer clear of security architectures that rely on narrow cloud native options, silos of controls or point solutions. Instead, security teams should consider flexible and extensible security solutions designed to interoperate seamlessly across physical, private cloud and multicloud environments. Cross-platform connectors are one way to tie every security iteration to a centralized management console. This enables unified policy creation, distribution, orchestration, enforcement and management across the entire distributed environment, without losing any of the advantages of cloud native applications.

Go Forth and Cloud

IT teams must choose and design network solutions in light of today’s rapidly changing environment. DevSecOps teams need to consider how they can take advantage of the cloud environment they have in place and how to build solutions with enough flexibility to take advantage of potential platform functionalities. They must also consider a strategy that can seamlessly span across any number of platforms.

The changes discussed above are only the beginning. The networks of the near future will encompass entities and capabilities such as complex physical-cyber environments, autonomous decision-making at the expanding edge and temporary micro clouds. Instead of re-inventing the wheel each time, put thought now into ways to fold them into your existing security architecture. When it comes to adopting emerging possibilities, the early bird will get the worm of greater differentiation and tactical advantage.

Feature image via Pixabay.
