No compromises

How DevOps can migrate to the cloud without sacrificing security

Ivan Novikov
© Shutterstock / Askobol

DevOps means development is moving faster than ever. How is it possible to ensure everything is secure, especially when migrating to the cloud? Ivan Novikov takes a close look at how to keep everything moving at pace without leaving gaping security gaps behind.

For businesses to thrive in the coming years, their future will likely be cloud-based. Growing adoption has made cloud computing the number one growth area across organizations since the launch of Amazon Web Services (AWS), in 2002.

“Through 2022, Gartner projects the market size and growth of the cloud services industry at nearly three times the growth of overall IT services…Cloud services are definitely shaking up the industry. At Gartner, we know of no vendor or service provider today whose business model offerings and revenue growth are not influenced by the increasing adoption of cloud-first strategies in organizations.”

It makes complete and easy sense. Digital transformation leads business growth. The cloud accelerates this transformation, streamlining processes and facilitating collaboration among global teams. The cloud also:

  • Replaces expensive hardware and associated management and operational costs with the on-demand computing power needed to develop and run applications;
  • Enables applications and underlying microservices to scale quickly without locking in any specific configuration of hardware.
  • Simplifies IT management options while increasing reliability over in-house IT infrastructures.

All the same, cloud migration—like any revolutionizing shift—comes with changes that impact how we should safely move business forward.

Understanding the impact of cloud native architectures and new security challenges

The first step is to understand how the cloud will impact your DevOps and security landscapes. There are two massively-influential, interdependent trends in how cloud architecture can transform your business: technological catalysts based on new architecture; and how business process challenges will reverberate in the infrastructure.

Technological challenges in the cloud

The cloud is something of a technological game-changer.

There are trade-offs as traditional security concerns give way to new security concepts born in the cloud. On the good side, the scale of the cloud and the expertise of their operations teams
address many of the issues that would have previously had to be shouldered by the CTO/CSO and their internal team. The physical parts of building out, upkeeping, and securing computing resources is no longer the touchstone of development success. For example, once you migrate to the cloud, you don’t have to worry about whether the backup is on-premises or off-premises. However, there are a few notable security challenges brought about by the cloud: container security, and changing IT expertise for admin.

The new environment demands more reliance on APIs. But, traditional solutions aren’t designed to handle API level vulnerabilities and attack APIs are becoming increasingly complex as they evolve to manage and pass around complicated data structures, execute application logic, and provide the blood flow between individual containers that coordinate to operate a web application. Furthermore, there are many types of APIs: user-facing APIs provide information to be displayed in a browser; East-West APIs connect applications and microservices together; service APIs allow for monitoring, alerting, and application management; and mobile back-end APIs make devices, like iPhones, truly intelligent. There is also a whole ecosystem of third-parties providing their data services entirely over APIs. For example, for a modest fee, any mobile app or website can now subscribe to an API to provide weather or traffic information into the application.

APIs are essential to modern architecture and permeate the applications that handle the most sensitive data. But, APIs speak different “languages” or protocols, which makes them notoriously difficult to monitor. That’s why it’s critical to have API-optimized security in place to ensure that internal APIs and any incoming data are carefully monitored and flagged and that issues are appropriately prioritized and resolved.

Another major challenge facing the new architecture is the reliance on containers and microservices. Microservices management systems, like Kubernetes, simplify migration. They can be used in private and public clouds, such as Google, Azure, or Amazon. Nonetheless, these systems have their own set of security concepts. For example, even if you have a solution installed on your ingress controller, you need to be sure it can keep up with high-volume traffic and cloud autoscaling. No one wants to sacrifice security for speed.

Additionally, the flexibility of the cloud means that it can be a challenge to manage access to infrastructures on the one hand, while access to the cloud management plane is like getting a key to the kingdom. It’s important to secure access points and limit sharing credentials to avoid having them compromised. Rather than creating an access key for your root account, implement robust role-based access controls (RBAC).

Finally, there are fewer experts than adopters and not enough attention on security tools and best practices. There are too many new technologies popping up that make defending this new computing frontier complicated. The problem with quick adoption is, in part, that these new technologies, infrastructures, and higher volume of tools and third parties aren’t part of the established curriculum. There are not enough people trained in understanding the big picture or the little details.

(We’ll talk more later about who is responsible for security in the new cloud landscape.)

The new DevOps for cloud

In addition to technological overhauls, the cloud comes lockstep with major changes and challenges for business processes.

The evolution of the cloud and specific DevOps processes and acceleration are related. To really address security in the cloud, we will have to address how security integrates with existing DevOps workflows.

Rapid development cycles (some as short as minutes) mean that predicting and introducing production requirements and testing ahead of time is no longer possible. Everything in operations—procurement processes to the deployment of physical servers to basic ordering—has had to keep up. Thus, DevOps is a natural merger.

The cloud’s flexibility is a logical enabler for handling unpredictable server loads and architectures, end users, and countless variables issuing from continuous integration and deployment (CI/CD). It would be hard to imagine the pace of CI/CD’s evolution without a corollary rise in on-prem and public cloud architectures and services. But these quick CI/CD flows are transforming business expectations and increasing competition on delivering to market.

The technological impact of quicker dev cycles on business cannot be overlooked. Already, we see insurance companies offering data protection cyber-insurance and lurching for answers that could help quantify the risk of breaches and the quality of protection. We see regulation discussions arising that impact technology sourcing and location. Even as enterprises surrender billions of dollars of R&D to open source communities, the question on responsibility and impact of security is kicked down the road.

For their part, internal teams are going to have to prioritize security hygiene and company-wide best practices. DevOps teams may resist the changes due to the fact that they’ll have to acquire new skill sets to securely and effectively manage DevOps and CI/CD processes. But, your overall security health depends on everyone understanding their part in security awareness, maintenance, etc.

In order to keep up with the alignment of business and technological transformation in quick CI/CD workflows, security must adapt to the cloud. Not only does it have to deploy in the critical areas of the new technological architecture, it also has to integrate with new business practices. Security will have to be as flexible, responsive, powerful, and integrated as the cloud itself.

Who’s in charge of cloud security?

The clearest transformation in moving to cloud is outsourcing. Your physical hardware and data infrastructure is no longer entirely under your purview. Who’s in charge of security as data moves through infrastructure as a service (IaaS) or platform as a service (PaaS)?

Working with a cloud provider divides security responsibility between cloud providers and in-house teams. Internal teams need to understand which parts of the overall solution they are responsible for protecting and the best practices for securing those solutions.

Overall, the power and agility provided by the cloud is speeding up development cycles to a point where security cannot exist separate from the new changes. That’s why it’s important for development cycles to include security infrastructure and best practices.

Something as simple as not knowing which infrastructure layers to focus on securing could result in a data breach. Mistakes made by inside employees accounted for 34% of all data breaches, according to Verizon’s 2019 Data Breach Investigations Report. These breaches cost organizations financial and reputational harm that often cannot be recovered from, particularly for small to mid-sized organizations.

Technology solutions can also help understand the pressing quickness of DevOps workflows and help integrate security testing and solutions into toolchains, workflows, and processes. However, these tools and solutions will ultimately rely on security appointees inside DevOps, rather than separate security teams.

SEE ALSO: DevOps study: Report claims increasing developer role in AppSec

The cloud provider’s share of security responsibility vs. client side responsibility

One of the major benefits of working with public cloud providers is that they take security and compliance very seriously. Cloud providers have invested heavily in securing cloud environments to ensure that they are as safe or safer than on-premise environments. Public cloud providers operate and manage the physical access security to the server locations, hardware itself, the host operating system, and virtualization layer. Or, in short, the infrastructure that it offers its service on.

DevOps teams are responsible for securing company data, operating systems, application logic, and endpoints. While sharing security responsibilities with a cloud provider reduces the management burden, it’s important to make the ongoing maintenance a part of the ongoing CI/CD process, rather than relying solely on the cloud provider to handle it. It’s also worth mentioning that developers using open source components must maintain those resources to ensure vulnerabilities aren’t introduced. This can be done by running a discovery to identify and track all open source components.

In order to deliver services tailored to the specific needs of various organizations, cloud providers offer several cloud computing models, including software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) – each covering varying levels of the digital solution and corresponding security.

According to the Cloud Standards Customer Council (CSCC), users’ responsibilities tend to increase as they move from SaaS to PaaS to IaaS.

Teams using the SaaS model are least involved in security given they’re using a pre-engineered service while the cloud provider handles all of the technological aspects. This means they can rely on providers to manage the infrastructure, software stack, and most of the associated application logic.

For a comprehensive list of security ownership and responsibilities, teams should examine their preferred cloud service provider’s service level agreements. Once teams have a clear understanding of their security responsibilities, they can focus their time on securing the components they own and rest assured that their cloud provider will handle the remaining components. A good example of this sort of policy is AWS’s shared responsibility model. It clearly documents client responsibility for the data, APIs, and software stack in their AWS infrastructure.

What to look for in security solutions for cloud migration?

Relying on cloud providers to monitor and protect in ways they never signed up for is a huge challenge for organization security. Let’s take the example of AWS. As the oldest IaaS provider, AWS lays the groundwork and spends tremendous resources educating customers. Amazon enforces strong compliance for services. They take incredible measures to secure the physical facilities and technologies they offer. So, companies generally have less to worry about regarding network security, servers, or things like routers. But, Amazon has also been very clear that the application owner is responsible for the other components.

As Amazon’s position on shared responsibility for cloud security explains, they look after the system. However, the data within applications, security as it relates to the users, and how people connect to applications is outside their province. There’s even an argument to be made that trying to secure that would amount to corporate overreach or inhibit progress.

It’s not enough to trust that applications and microservices will be secured by developers and providers. You have to be certain that your own software solution is safe at the logic level—the API level (Layer 7)—where the most change and data is occurring. Look for:

  • Tools that deploy at the application level
  • Solutions that work inside your CI/CD
  • Integrated toolsets and processes that don’t add resource demands
  • Automation that allows for flexible responses

This is part of safely managing a cloud and moving your business into a powerful, dexterous solution.

Security-enabled APIs and microservices allow companies the necessary flexibility to scale and grow with the cloud. Whether you decide to supplement your existing technology stack or entirely move to a new generation of containers and microservices, there is a lot of focus on how, where, and by-whom this new, dynamic infrastructure is managed. This is where new governance processes and automated policies are required. The cloud is the single most powerful and growing transformer of business looking forward.

Security has to be fit to the specifics of a business functioning and particular environment to be effective. That doesn’t always mean tedious customizations, but it means that you need solutions that can adapt to, and ideally learn from, your own infrastructure, business logic, and traffic. Machine learning installed at the deeper levels that make your business unique can be a way of ensuring that.

SEE ALSO: Effective leadership in Agile/DevOps environments

Encourage collaboration between DevOps and security teams

Outside the technological impact, the cloud will require new restructuring, organizationally. For example, if your responsibility is managing the cloud, what does the org chart look like? Who bears responsibility for the risk landscape? How have the roles of CISO and CTO changed? It’s also going to transform how security experts fit into your organizational structure.

Traditionally, development, operations, and security teams worked in silos. With development and operations merging into a unified DevOps practice, the question is whether DevOps fundamentally weakens security. In DevOps, pace of development is top-of-mind in decision making, particularly when utilizing external software and platforms, while security is often an afterthought. This challenge is further magnified as the threat landscape is rapidly changing with the introduction of new threats and vulnerabilities.

It’s unrealistic to expect developers to become overnight security experts. Yet, as the rate of application development increases to accommodate the speed and agility required of today’s businesses, many organizations aren’t building security into their products.

To address this issue, DevOps and security teams will need to collaborate so that security is incorporated from the beginning stages of the development life cycle.

In order to best integrate the roles, a few key best practices should be considered:

  • Consider QA. The most important thing is to establish a culture that views security as an enabler of a quality product, a shared responsibility, and a top priority. It should be considered one of the key application metrics along with application performance and user experience.
  • Integrate security into DevOps. Involve security teams or designate security roles in all parts of the DevOps process to ensure transparency and collaboration from the start; security teams can detect app-specific vulnerabilities and provide actionable DevOps recommendations, which will inform secure coding practices.
  • Enable developers. Since most developers have a limited understanding of what to look out for, it’s great to appoint security champions within teams. They may not have the same in-depth knowledge as white-hat hackers, but they would have enough involvement and exposure on the security side to understand the concepts and know where to look for the right tools and resources.
  • Get the right tools and tool chain. Deploy automation tools that can manage security tasks to enable small security teams to focus more on key priorities such as defining frameworks and focusing more on the development process; tools that automatically generate and run security tests in the cloud and within the CI/CD process will help facilitate this.
  • Strengthen coding. Finally, many security problems come from the most obvious mistakes. Organizations need to invest in training developers to code securely in the cloud, and include security testing as part of the process. Advanced security solutions that monitor code with machine learning can find patterns of vulnerabilities in code that help developers strengthen their code health.
Ivan Novikov
Ivan Novikov is CEO of AI-powered application security company Wallarm. He is a white hat security professional with over 12 years of experience in security services and products, as well as an inventor of memcached injection and SSRF exploit class. Ivan is also the recipient of bounty awards from Google, Facebook, and others.

Inline Feedbacks
View all comments