Cloud First, Cloud Native, and Cloud with DevSecOps are Now Imperative
Most companies will face the moment when digital transformation rises to the top of the executive stack of priorities, and when it does, whether you're a large company or a small one, whether you have a legacy IT infrastructure or a greenfield, brand-new application, the strongest business case will be to migrate to the cloud. The cloud is now imperative to speed innovation, strengthen cyber defenses, and improve service delivery. The very first step on your cloud journey is to advocate for a cloud-first strategy.
Cloud First Strategy
A cloud-first strategy is an organizational commitment to evaluate cloud-based solutions before considering other alternatives. You're going to go cloud first because, at this point, procuring your own servers is as outdated as buying a tube TV. Traditional on-premises software is expensive to maintain, hard to keep updated, difficult to scale, and does not easily integrate with many modern SaaS solutions. By contrast, cloud-based solutions reduce complexity and streamline operations, which accelerates speed to market and gives your company a competitive advantage. This means committing to phasing out your antiquated three-tier architectures and creating an entirely new technology operating model and culture that enables the company to innovate more quickly. This must be understood, evangelized, and embraced by the whole organization.
Cloud Native
The second step on your cloud journey is to go cloud native. Cloud native is an application architecture based on containerized microservices. Apps that are designed as cloud native are composed of small, loosely coupled services that can be run and managed in a consistent way within, and across, any cloud.
What makes cloud native containerized microservices possible is primarily the multiplatform Docker container runtime engine paired with the open-source Kubernetes container orchestration system. These two groundbreaking tools work hand in hand to create a near-fully automated platform for cloud application deployment, scaling, and management.
You're going to go cloud native because an on-premises three-tier infrastructure and monolithic application architecture is ancient history. You can now create apps that are written once and run on any public, private, or hybrid cloud platform. This capability is commonly referred to as "Any App on Any Cloud on Any Device." Cloud native apps can be developed faster with modern tools and agile methods and allow for automated provisioning, integration, testing, deployment, load balancing, and monitoring.
DevSecOps
The third step on your cloud journey is to deploy a DevSecOps development pipeline for your in-house application development. With ever-increasing compliance requirements coupled with ever-increasing cyber-attacks, you're not just going to deploy a DevOps pipeline, but a full DevSecOps software development environment. DevOps without a full DevSecOps pipeline allows for far too much cyber-attack risk.
A fully functioning DevSecOps pipeline rollout combines agile software development methods, Continuous Integration / Continuous Deployment (CI / CD), containerization, cloud infrastructure, cybersecurity, and an IT organizational cultural change process.
The IT organizational change process introduces security thinking very early in the development cycle and makes it a core development responsibility across the whole IT team, not a separate team's concern. The entire IT team will need to be cross-trained on Dev, Sec, and Ops processes and tools. It involves adding bug bounty programs and regular pen testing to the development cycle, and culturally eliminating the blame game at all costs; it's never about who wrote bad code. You will need a leader to coordinate the DevSecOps implementation and roll it out, coordinate policy, instill and evangelize its culture, and manage the program.
In parallel with the cultural changes, specialized security tools are introduced into the DevOps toolchain at key points to automate security checks while keeping the DevSecOps pipeline flowing efficiently as code updates move through it. Below is a high-level summary example of the ten steps of a DevSecOps pipeline, with a few widely used security tools named at each step:
0. Cloud provisioning with Infrastructure as Code (IaC) (Terraform, Ansible, Puppet, Chef, SaltStack)
1. Initial Coding - Add pre-commit hooks (Talisman tool) that SCAN for leaked credentials before code is committed
2. Code Repository (GitHub, GitLab, Bitbucket) code commit / push (GitHound, GitGuardian) - SCAN all code pulled and committed to make sure all code modules are current, scanned for malware, and properly licensed
3. Pre-Build - Static Application Security Testing (SAST tools) and Software Composition Analysis (SCA tools) (AppScan, CodeScan, Checkmarx, WhiteSource, Black Duck)
4. Code Artifact Repository Integration and Build - Version management and build tools (Jenkins, Maven)
5. QA, UAT, and Staging - Automated and manual testing (JUnit)
6. Post-Build - Dynamic Application Security Testing (DAST tools) (Fortify, Veracode, Fortify WebInspect)
7. Production Set Up - Infrastructure SCAN of all IaC and all Docker images (OpenVAS tool) and Compliance SCAN (OWASP ZAP)
8. Production Deploy Approval by the DevSecOps Team
9. Production - Logging, monitoring tools, and analysis (Sensu, Splunk)
10. Alerting, Monitoring, and Feedback - Did a vulnerability get through, how was it fixed, and what corrective actions were taken
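As an added illustration (not part of the original article, and not any vendor's reference pipeline), here is how the ten steps above map onto a GitLab CI pipeline with security gates; the GitLab security templates are real, while the job names, image tags, and the staging URL are assumptions:

```yaml
# Added example: DevSecOps gates expressed as a GitLab CI pipeline.
# Job names, image tags and the staging URL are assumptions, not a real project.
stages: [infra, build, test, dast, deploy]

include:
  - template: Security/Secret-Detection.gitlab-ci.yml    # steps 1-2: leaked credentials
  - template: Security/SAST.gitlab-ci.yml                # step 3: static analysis
  - template: Security/Dependency-Scanning.gitlab-ci.yml # step 3: SCA / license check
  - template: Security/Container-Scanning.gitlab-ci.yml  # step 7: image vulnerability scan
  - template: Security/DAST.gitlab-ci.yml                # step 6: dynamic testing

variables:
  DAST_WEBSITE: "https://staging.example.internal"   # hypothetical staging target
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"       # image the scanner inspects

iac-validate:                      # step 0: IaC is validated before anything builds
  stage: infra
  image: hashicorp/terraform:1.6
  script:
    - terraform init -backend=false
    - terraform validate
    - terraform plan -out=tfplan

build-image:                       # step 4: build and publish the container artifact
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

unit-tests:                        # step 5: automated tests run alongside the scanners
  stage: test
  image: maven:3-eclipse-temurin-17
  script:
    - mvn -B test

deploy-prod:                       # step 8: an explicit human approval gate
  stage: deploy
  environment: production
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
      when: manual                 # a DevSecOps team member must click "play"
      allow_failure: false         # pipeline blocks here until approved
  script:
    - kubectl apply -f k8s/        # steps 9-10 (logging, alerting) live in the cluster
```

Every scanner job runs in the `test` stage, so a failing scan stops the pipeline before the manual production gate is ever reached.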
There are over 150 DevSecOps tools to choose from. Tool selections for the pipeline are based on the development language stack(s), the pipeline step each tool serves, and the public / private cloud platforms the apps are deployed to. In addition, while many of the tools automate individual steps in the dev/sec/ops pipeline, some of the newer tools (GitLab, JFrog) are facilitating the automation of the whole pipeline. These tools add development team collaboration, process integration, and tracking of all containers flowing through the pipeline.
DevSecOps is fully compatible with an Agile and Scrum development methodology but not tied to it. Code with new features and functions can be collectively released to production at the conclusion of a sprint, or released to production even faster as soon as a new code module flows through the pipeline as a Continuous Integration / Continuous Deployment (CI / CD) approach.
Some Additional Considerations for a Cloud Native Transformation
Until the last workload leaves the on-premises datacenter, you're going to be paying for both the datacenter and the public cloud cost. As you migrate to the cloud, you need to keep your existing IT staff focused on administering the continuing on-premises datacenter while simultaneously hiring or contracting with public cloud specialists to ensure acceptable cloud security, data protection, and performance.
Public Cloud Cost Management
The IDG State of IT Modernization 2020 survey found that “nearly seven in ten organizations have experienced higher-than-expected public cloud costs.” A 451 Research report found that 20% of companies surveyed said that cost drove them to move one or more of their workloads from public clouds to private clouds. If you're running predictable workloads, public cloud services tend to be more expensive than running those same workloads on-premises, which is why a private / public hybrid cloud strategy is still optimal. You can run most of your predictable workloads on-premises on a Hyperconverged Infrastructure (HCI) cloud architecture, and variable workloads on the public cloud. Keep in mind that with a cloud native architecture, you can reallocate workloads between clouds very easily.
"A June 2018 AWS blog states that modest refactoring can require two weeks per application, while the industry average time to refactor an application for a cloud-native offering is 14 months. Even modest refactoring isn’t cheap. An April 2019 Taneja Group report estimates an average refactoring cost of $989 / Virtual Machine."
Be careful with public cloud-based IT processes started by dev teams, shadow IT, and even short-run production workloads: they may not be shutting down instances after completion, or the application teams may fail to notify the infrastructure team that the application has been decommissioned. These abandoned instances continue to meter costs within the public cloud, are often indistinguishable from active, value-producing instances, and can get out of hand very quickly. For larger organizations with large and multi-cloud deployments, these types of issues can be managed by public cloud cost management tools such as CloudHealth, CloudCheckr, Turbot, Control Tower, CloudWatch, and Beam.
Nano segmentation and service mesh
In addition to establishing a DevSecOps pipeline, it is vital to integrate security checks into inter-container communication and to secure container-based microservices with zero trust-based nano segmentation. This is now possible with the Kubernetes sidecar container pattern in combination with the open-source Istio service mesh tool. Istio facilitates the deployment of sidecar proxy containers that run alongside the main containers in a Kubernetes pod. The sidecars intercept and monitor all network communications between all the microservices of the application, allowing for secure service-to-service communication with identity-based authentication, further reducing the attack surface of your applications and preventing lateral movement should any breach occur within the architecture of the application.
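As an added example (not from the original article or the Istio project), the policies below express the zero trust nano segmentation just described: sidecars are injected into every pod in the namespace, all service-to-service traffic must be mutual TLS, and nothing is allowed unless an explicit identity-based rule permits it. The namespace `shop`, the service accounts `frontend` and `orders`, and the API paths are assumed names; the resource kinds and fields are the real Istio security APIs.

```yaml
# Added example: Istio zero-trust policies. Namespace, service accounts and
# paths are assumptions for illustration only.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    istio-injection: enabled        # sidecar proxy injected into every pod here
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT                    # sidecars reject any non-mTLS (plaintext) peer
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}                            # empty spec denies all traffic not explicitly allowed
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders                   # applies only to the orders service's sidecars
  action: ALLOW
  rules:
    - from:
        - source:
            # workload identity carried in the mTLS certificate (SPIFFE ID)
            principals: ["cluster.local/ns/shop/sa/frontend"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/orders*"]
```

With these in place a compromised pod that is not running as the `frontend` service account cannot reach `orders` at all, which is the lateral-movement containment the text refers to.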
Conclusion
“If you have not developed a cloud-first strategy yet, you are likely falling behind your competitors” - Gartner
After your careful analysis is completed, it will be clear that a reduction in total cost of ownership (TCO), faster time to delivery, and enhanced cybersecurity can be had by commencing a cloud migration in your organization. You will begin with a full IT architectural review, determine your cloud deployment model (public cloud, private cloud, or hybrid cloud), and then begin modernizing existing applications for the cloud, transforming the architecture and infrastructure. It won't be long before you realize that to get the most out of your cloud journey you will want to go Cloud First, go Cloud Native, and implement DevSecOps. Including these three critical objectives in your enterprise cloud migration journey is imperative to meeting changing consumer and market demands, cybersecurity and compliance requirements, and achieving your desired business outcomes.
Helpful piece on where things are heading. Strong on details, as well.
Great article Lon!