The Doppler Quarterly Summer 2016 | Page 74

Changing the hearts and minds of your people is where the difficulty lies.
In the new model, infrastructure is code and architectures are built to scale horizontally. Hardware is treated as a commodity and it is expected to fail. Architecting in the cloud means building software that is agnostic of any hardware, and can automatically recover as compute nodes go offline and new nodes come online. This is often called immutable infrastructure.
Not only is this a drastic change to how architects and developers must approach software development, it is even more drastic a change to how applications are monitored, managed, secured and audited. Focusing on the technology alone and ignoring the political and social aspects of this change is a recipe for disaster. The shift to immutable infrastructure and distributed architectures disrupts traditional organizational structures and responsibilities.
Control vs. Agility
Highly regulated enterprises frequently deploy very rigid controls to protect the company from the risk of security threats and vulnerabilities. Many of these controls are implemented with a series of processes, often manual, that drastically slow down the SDLC. In a world where we deliver once every three to six months, developers can work within these constraints. In the new world where we want frequent releases, the implementation of these controls must be reevaluated.
I can hear the security and compliance people screaming at that last statement. To be clear, I am not challenging why an enterprise requires the controls and policies they have in place. What I do challenge is how they have implemented those controls. Very often, the implementation of the controls and policies only takes into account the security and compliance stakeholders. In the new world of frequent releases, developers must be considered a key stakeholder as well.
There should be a balance between control and agility. An enterprise can be both secure and agile if it allows itself to be. For example, many enterprises deploy a manual security review gate for all their applications. When deploying only a few times a year, this methodology can work. When you have multiple application teams deploying many times a month, not only does this not work, but it does not scale. You could not hire enough people to manually review the number of deployments that happen in a mature cloud environment.
The solution relies on automation and trust. Many security controls can be baked into the underlying infrastructure blueprints. As developers consume the approved hardened images, many of the security controls that formerly required a manual review are already in place. The build process should run a security code scan that allows the security experts to enforce policies and find potential security holes. The build can then be configured to fail if the scan score is not high enough to meet the established security standard. This is yet another opportunity to eliminate a manual review gate.
From a technology standpoint, this is very easy to implement. The challenge is getting the security and compliance stakeholders to buy into the approach.
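A sketch of the build gate described above, added here as an illustration and not taken from the article or any particular scanner. The report layout, severity weights, the threshold of 80 and the waiver list are all assumptions; the sample report is constructed.

```python
"""Build gate: fail the build when the security scan score is below policy."""
import sys
from datetime import date

# Assumed policy values, set by the security team (not from the article).
WEIGHTS = {"critical": 40, "high": 15, "medium": 5, "low": 1}
MIN_SCORE = 80

def evaluate(report, waivers, today):
    """Return (passed, score, reasons) for one scan report.

    report:  dict with "status" and "findings" (list of {"id", "severity"}),
             or None when the scanner produced nothing.
    waivers: {finding_id: expiry date} approved by security reviewers.
    """
    # Fail closed: a missing or incomplete scan must never pass the gate.
    if not report or report.get("status") != "completed":
        return False, 0, ["scan did not complete"]
    score, reasons = 100, []
    for f in report.get("findings", []):
        expiry = waivers.get(f["id"])
        if expiry is not None and expiry >= today:
            continue  # waived finding, still within its approved window
        sev = f["severity"].lower()
        # Unknown severities are charged as critical rather than ignored.
        score -= WEIGHTS.get(sev, WEIGHTS["critical"])
        if sev not in ("high", "medium", "low"):
            reasons.append(f"{f['id']}: {sev} finding blocks release")
    score = max(score, 0)
    if score < MIN_SCORE:
        reasons.append(f"score {score} is below required {MIN_SCORE}")
    return not reasons, score, reasons

# Constructed sample input, standing in for a scanner's exported report.
SAMPLE = {"status": "completed", "findings": [
    {"id": "F-1", "severity": "high"},
    {"id": "F-2", "severity": "medium"},
    {"id": "F-3", "severity": "low"},
]}
SAMPLE_WAIVERS = {"F-1": date(2016, 9, 30)}

if __name__ == "__main__":
    ok, score, reasons = evaluate(SAMPLE, SAMPLE_WAIVERS, date.today())
    print(f"security score: {score}")
    for r in reasons:
        print("FAIL:", r)
    sys.exit(0 if ok else 1)  # non-zero exit fails the CI build
```

The expiring waiver keeps a reviewed exception from becoming permanent: once the date passes, the same finding counts against the score again and the build fails without anyone re-running a manual review.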
Data Center Tools vs. Cloud Tools
A fool with a tool is still a fool. Too often I see people who are married to a tool or a vendor demand that their tool of choice on-prem be used in the cloud. Many of these tools were never built to run outside the firewall or on immutable infrastructure. These tools not only provide low value in the cloud, but often delay delivery by creating a huge amount of unnecessary work required to integrate the tool with the cloud.
Enterprises must reevaluate their tool choices as they move to the cloud. Pick the best tool for the job, not the tool that everyone is comfortable with. Another challenge in this area is that developers require more visibility into monitoring and logging data than ever before. Too often developers are forced to use tools that operators are comfortable with instead of tools that make developers more efficient in their job.
Once again, the technology here is easy. Changing the hearts and minds of people is where the difficulty lies.