Developing a new app, service or connected device can be daunting. The process can be painstakingly slow at the start – funding is not always immediately available, and IT departments can sometimes take months to set up systems and get them ready. In a constant race to launch new products and services to better serve customers, precious time-to-market is often lost.
To address these challenges, the use of public cloud combined with DevOps has fast become a key strategic option for many organisations. The advantages are two-fold: an external cloud service provider helps to cut down capital expenditure, and the infrastructure itself is more scalable – it shrinks and expands on demand instantly to adapt to changing needs. Businesses no longer have to pour significant capital into new infrastructure, and the cost needed to set up and maintain it is reduced, lowering the overall financial risks associated with launching new products. Developers can now move at speed and scale.
While this delivers unprecedented competitive advantage to organisations of all sizes across many industries, there are still risks to consider. C-level executives must be conscious of securing any public cloud deployments, especially those involving sensitive customer data or critical software applications. Ensuring that new products and services are secure by design from the earliest stages of development will deliver both consumer peace of mind and a valuable competitive advantage. To do this, security teams need to build stronger, closer relationships with product development and IT teams, and hire the right talent.
Before venturing into the public cloud, however, organisations need to pay attention to six key considerations:
1. Safety first
Product teams are often reluctant to work closely with security teams due to a misconception that the security aspect will slow down development or stymie creativity. However, teams must also understand that prevention is far better than cure; having to release a series of security patches after a smart watch has hit the shelves due to customers’ security concerns will invariably add time and cost to the project, not to mention the damage to the company’s reputation.
Today, next-generation security solutions come equipped with automation capabilities that take care of the biggest concerns of DevOps teams, namely slow implementation and the need for manual intervention in security updates. Employing such solutions can help to integrate the native cloud provider, third-party tools and other applications.
It is therefore important for production and development teams to collaborate with security teams right from the beginning of a project. This collaboration should continue throughout the project and be considered business as usual when it comes to developing new products. Over time, this collaboration will become more efficient and the net results will be seen once the product is in use and has demonstrated its security capabilities.
2. Mutual understanding
Security teams need to understand how the product teams approach the development of an app or service, in the same way that product teams must know the security team’s point-of-view. Through a more collaborative approach, both security and product teams can deploy comprehensive security controls more effectively, before products reach the hands of the consumer.
This approach is not new to organisations that have embraced collaboration between traditionally separate practices; DevOps, for example, brings ideas to life faster by ensuring both teams sing the same tune throughout the process.
Businesses are taking major steps toward a more effective and collaborative development process, implementing systems that connect product, developer and engineering teams with the rest of the business to ensure the continuous delivery of successful and secure products. By eliminating silos, DevOps can help speed up the development and deployment of new applications in the cloud, simplify security operations and continuously validate the compliance of their cloud infrastructure.
3. Do it right the first time and every time
Launching a product or service powered by the cloud can be tricky. Without the luxury of time to test multiple vendors and integrate them into the network, a single consistent security framework is needed to address all potential entry points once an app or service goes live. This is where the importance of continuous testing comes in. Planning and design are also important considerations when moving to the public cloud. When planning an application migration, enterprises need to consider whether legacy apps must be redesigned if they need to communicate with other apps that sit on a different cloud platform. For capacity planning, enterprises need to consider factors such as the IP addressing scheme when planning infrastructure on the cloud.
Enterprises today can maintain a competitive edge by leveraging the agility of the cloud to transform their business. However, these same advantages also pose new challenges by reducing the time needed to properly test security requirements. To further complicate matters, most enterprises are moving toward a multi-cloud strategy, be it hybrid, on-prem, public cloud or the adoption of multiple public cloud providers. This, together with the increasing speed of product launches, and a lack of consistent oversight and control over these different platforms, will require enterprises to tread even more carefully.
Hence, when designing the cloud infrastructure, it is critical to do it right the first time. Cloud architecture needs to be designed with scalability in mind to meet future needs while catering to the diverse talent groups within DevOps teams. When combined with automation and aided by machine learning, management becomes more streamlined and human errors can be avoided.
4. Always have visibility
Visibility is the first step towards building the right security framework. Monitoring activity is critical to preventing attacks, but it’s also vital to ensure the right security measures are in place for complete visibility of activities. Without it, a business has no insight into what is coming in or going out, or how information is being accessed and by whom. As such, it’s extremely difficult to identify and prevent attacks – especially as they become more sophisticated.
Threat behaviour is often the same, whether a product or service is hosted in the cloud or not. But it’s not always possible to use the same preventative measures. Conventional methods such as antivirus software or firewalls may not necessarily be appropriate or sufficient, so it’s important for security teams to tailor measures specifically for the cloud.
5. In case of emergency…
Cloud security should no longer be an afterthought in any organisation. In fact, it should be a clear priority set at the board level because the ramifications of a successful cyberattack can be massive, both financially and reputationally. Security teams must have an open dialogue with C-level executives, including the board, so they can work together to identify and manage cyber risk.
Part of this process includes developing comprehensive playbooks and an incident response plan to address and manage the scenarios that could occur. CSOs need to identify key stakeholders and determine how to engage them if a cybersecurity incident happens. Implementing a cloud security framework with automated security processes will also help speed up this communication. Working with these stakeholders to keep the public cloud environment secure will help businesses operate without undue fear of cyberattacks.
6. Hire right
Having team members equipped with the right skills can also play a significant role. A cloud architect, for example, can work with external cloud providers to ensure that any security requirements specific to the business or product are met, while collaborating with internal stakeholders to define governance around the migration to the cloud. It is essential that teams work together to identify which assets could potentially be safer in the cloud than in existing systems. Cloud architects could ultimately serve as the bridge between product and security teams.
Adopting a cloud strategy is not simply a single move, but a series of transformations that can permanently affect the way a company operates. When done the right way, it can positively impact legal and compliance matters, SLAs, financial targets, and other business imperatives. Addressing these elements will let businesses leverage the agility and flexibility of the public cloud to bring new products to market faster and more securely, leading to an important competitive advantage.