Has the Cloud changed Software Development for Good?
One of two concepts might have popped into your head when reading the title of this blog. Has software development improved? – OR – Has software development changed permanently? If you’re anything like me (or live in the DevOps or cloud security world), both questions pique your interest and are worth discussing.
So let’s break them down.
Has software development improved?
There are two pieces to answering this question, and the answer often depends on which side of the organization you work on: DevOps or InfoSec.
The answer isn’t that obvious. Sure, when an organization decides to adopt and leverage the cloud, the DevOps teams inherit many of the advantages from the transformation, including:
- Faster deployments
- Fewer restrictions on set-up and access
- Easier access
- More speed and agility
I’d wager most software or DevOps engineers would agree that yes, software development has improved.
But has software development improved for security teams? Have responsibilities shifted? In a more cloud-mature organization, security is integrated into the DevOps teams that are responsible for their own cloud infrastructure. If you are on the DevOps side, you now have to make sure your code passes not only your functionality inspection but security inspection as well.
Before the introduction of the cloud, the security of the infrastructure that DevOps built depended on the full-time focus of an entirely different team – the security team. Now, DevOps teams create their own environments in the cloud, and they must take on the security responsibilities of those environments as well.
Here’s the problem. DevOps pros don’t live and breathe security. They are creators – securing the cloud isn’t as much fun as building and deploying code. This becomes exponentially more frustrating for DevOps people who have less experience and knowledge around securing cloud infrastructures. And that turns out to be pretty common, since infrastructure security has historically been handled by a dedicated and separate team. There’s no denying that security is critically important, but it isn’t easy to add that responsibility to a team that doesn’t have a security background and isn’t particularly interested in the work.
I think you already know the answer. The cloud has brought many challenges along with it for these teams, and those challenges are the primary reason why cloud adoption rates have not accelerated. There are more challenges than I can cover in a single post, but let’s just paint a broad picture so you can understand the impact they have.
Let’s say you work in security at your company, which has been around for 20+ years. The decision has been made that it’s time to start migrating some of its legacy, on-prem environments to the cloud and begin its digital transformation. The organization naturally wants to take advantage of the cost reduction, flexibility, on-demand availability, accessibility, and rapid scalability the cloud delivers. This is not unusual.
(P.S. And if your company wasn’t already leveraging the cloud prior to COVID, you wanted to change that – and fast – for these very reasons.)
Now security pros must not only maintain the security integrity of their legacy environments but must also learn and secure the new cloud environments. We call this maintaining a hybrid cloud, and it is not easy. Any security expert will attest that it’s extremely complex and difficult due to the vast array of experience, skills, knowledge, and manpower required.
Let’s throw another curveball at the batter (let’s face it, we know they’re coming). Say your company was not on the same page during this digital transformation – perhaps due to mergers or acquisitions. Say different departments choose to work with different cloud providers. Now security has to learn how to maintain the cloud infrastructure of multiple cloud providers – each of which operates in its own unique way and requires a different approach to being secured.
Now, let’s have some fun and add one more complication for security teams. Many organizations are attracted to the cloud’s on-demand availability and accessibility. This gives anyone within the organization (*cough* DevOps Teams) the autonomy to purchase and stand up a new cloud environment to work from without having to pass through security for approval or authority.
This means (*cough* Security Teams) will be responsible for knowing when a new cloud environment is deployed, which provider it was, what best practices are required to secure that type of environment, all while lacking access to that environment because it was set up by someone in another team.
That’s a tough task. If only there was a solution that…
- Helps provide security teams access to cloud accounts
- Alerts them to security misconfigurations in those accounts via Slack, Jira, or SNS (email)
- Helps educate them on the best recommended remediation actions to take for every alert, and provides them the ability to fully automate or deploy the recommended remediation of choice with a single click.
[Insert shameless plug] GOOD NEWS! There is.
Has software development changed permanently?
Yep. Absolutely. We, as an industry, decided several years ago that we’d go down this path, acknowledging that the cloud-based opportunities and advantages outweigh the challenges to get there.
Digital transformation and cloud adoption may not seem like glitter and rainbows today, and that’s because they’re not. The reality is that even though cloud migration includes significant security challenges, that doesn’t mean we can’t adapt and evolve our methods and procedures to make it work better for everyone in the organization. This means integrating security into DevOps (DevSecOps) and providing security teams with the same power that the cloud brings to the DevOps teams. The only way for security to keep up with the speed of the DevOps teams and the cloud is to use automation correctly.
Although the cloud has been around for more than a decade, it is still comparatively young when it comes to adoption. And no wonder, right? New, born-in-the-cloud companies immediately see the impact the cloud has on their organization and can accelerate their cloud maturity. Larger companies with more legacy technologies, on the other hand, have a steeper hill to climb that begins with their talent and internal IT/security processes.
As it has been said, “Old habits are harder to break than newer ones” – and for some larger, more established organizations, this old way of managing IT infrastructure has been the way for decades. Now with the growth of cloud adoption, and the speed and agility of newer born-in-the-cloud companies, adapting and replacing legacy on-prem computing practices seems worth the value gained in return. Even if it is a longer transformation journey, it seems like it is one that is here to stay.