A secure agile cloud development procedure for producing cloud-native and other applications starts with a process. (See video at end of this article for a secure process.) This process defines how code created by a developer eventually makes it through to production and customer use. I have found that many companies do not even have such a process, or they have a very short process that primarily comprises the developers doing everything, including testing and security bits within their own little worlds. Since the same developer who wrote the code is also testing it and performing the security work, there are not enough eyes on the code to see all potential attacks.
Everyone wants visibility into all the resources and subsystems of their hybrid cloud. We have expounded upon this need over the years, as well as on how to gain some level of visibility. The tools exist, as do the methodologies. What we need now is better observability. Visibility is inherent in many tools today, but observability is not. Every tool offers a single, fixed perspective on the visible data; we need to go past that to gain better insights.
After the Apollo 1 disaster, astronaut Frank Borman told Congress that the tragedy had not been caused by any one company or organization, but by the entirety of all those involved with the Mercury, Gemini, and Apollo missions. The problem had been a failure of imagination. They knew that at some point there would be a fire in a space capsule. However, they assumed it would take place in space somewhere. They just did not think about the possibility of fire while the capsule was still on earth. We call this failure of imagination “unknown unknowns” within the security world, but it boils down to the same thing. We just do not think about some things. Even with all the tools out there to help us, we have failures of imagination.
In the new year, security is going to move from protecting the organization itself to protecting the individuals who make up the organization. Or, more to the point, to educating individuals, as consumers, about operational security with an eye toward family, finances, and self. Without this focus, breaches will continue and become worse before they become better. While governments try to ensure privacy while protecting the country from outside attack, it behooves the individual to protect their family, finances, and self. Without this security, privacy does not truly exist. In World War II, one catchphrase was “loose lips sink ships.” It is as apropos today as it was back then.
A new generation of private cloud environments is being created now, ones where all the management is done via SaaS. This way, the heavy lifting is done by others, and you inherit an IT as a Service environment ready for you to add new workloads without worrying too much about upgrades, management constructs, or even, in some cases, security controls. It is all done for you. For many companies, this is one way to transform to an on-premises cloud and then to a hybrid cloud. There is a growing list of players; however, the first out the door are ZeroStack, Platform9, and SkySecure from Skyport Systems.
When we talk about transforming to the cloud, we often talk about hybrid cloud and what it will take to transition to it, leaving discussions about 100% cloud usage purely to the new startup (greenfield) organizations. What is needed to move 100% off-premises to a public cloud? What is sufficient, what is necessary, and what is the required last mile of this effort? I recently spoke to @AndiMann about concepts of what is necessary and sufficient. Andi brought up some great points I would like to share over a series of articles.