Cloud DevOps: Ensuring Business, Tech and Security Go Hand in Hand

DevOps is a new area in which development and operations are intertwined as a single organization. Cloud DevOps is a newer area still; the need for it arose from agile development, automated deployment, and faster time to scale. On-premises DevOps differs from Cloud DevOps, which requires both cloud expertise and DevOps knowledge to master. DevOps practices differ from cloud to cloud, and they hold great promise where the awareness to handle DevOps in the cloud exists.

Requirements of Cloud DevOps

Cloud Expertise: Cloud is still considered a new technology, although the cloud concept has been around for more than a decade. The tools required for DevOps, from Agile tracking of development, continuous integration of new builds, and continuous delivery of code to production, to Site Reliability Engineering (monitoring the availability, performance, and fault management of infrastructure and applications), differ from one cloud service provider to another. A cloud DevOps engineer knows the complete cloud DevOps toolchain as optimized for the specific cloud service provider.

Cloud Costing Model: Awareness of the cloud costing model is a must. The number of products offered by a cloud service provider is daunting: as an example, AWS has 169 products whereas GCP has 90. Many costs are hidden, and many of them must be discovered along the way. The right experts are therefore necessary to make sure cloud costs are optimized as far as possible.

Scaling: One of the facets of DevOps is automation, and the requirement for automation varies by cloud service provider. As an example, with AWS a lot of third-party service providers are available to automate operations, whereas in GCP many operations are automated by default. Standardization and automation are necessary to scale operations. Cloud-native development has become the order of the day, and many open-source tools are used to increase deployment speed. DevOps as code should be used to scale the pipelines.

Security and Compliance: Code security is still an important aspect of developing code on the cloud. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are necessary in the cloud. Security and compliance scale mainly through automation: a SAST check should run automatically with every code check-in, and a DAST check should run automatically with every build. Security is a continuous service, and public cloud service providers are enabling DevSecOps as a new practice. Application-level security checks are now reaching levels that many security professionals have long been asking for. The goal of the DevSecOps practice is to introduce security earlier in the SDLC. The objective of DevSecOps is to make business, tech, and security work together.
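A gate for the automated SAST-on-check-in step described above, as an added example that is not part of the original article: it reads a scanner report and blocks the check-in when findings reach a chosen severity. It assumes the SAST tool emits SARIF 2.1.0; the report, tool name, rule IDs and paths are constructed, and `blocking_findings` and `gate` are hypothetical names.

```python
import json

# Constructed SARIF 2.1.0 report, standing in for what a SAST tool would
# emit on a check-in. Tool name, rule IDs and paths are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "SQL built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX014", "level": "note",
             "message": {"text": "Debug logging enabled"}},
            # No "level": defaults to "warning" unless rule config says otherwise.
            {"ruleId": "EX020",
             "message": {"text": "Weak hash used for file checksum"},
             "locations": []},
        ],
    }],
})

SEVERITY = {"none": 0, "note": 1, "warning": 2, "error": 3}


def blocking_findings(sarif_text, fail_at="warning"):
    """Return (rule, location, message) for every finding at or above fail_at."""
    threshold = SEVERITY[fail_at]
    blocked = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")
            # Unknown level strings are treated as "error" (fail closed).
            if SEVERITY.get(level, SEVERITY["error"]) < threshold:
                continue
            locs = result.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
            line = phys.get("region", {}).get("startLine", 0)
            blocked.append((result.get("ruleId", "<no-rule>"), f"{uri}:{line}",
                            result.get("message", {}).get("text", "")))
    return blocked


def gate(sarif_text, fail_at="warning"):
    """Exit status for the CI step: 0 lets the check-in through, 1 blocks it."""
    return 1 if blocking_findings(sarif_text, fail_at) else 0
```
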

AI in DevOps Chain: DevOps generates a lot of data, and it is important to have complete visibility of the entire DevOps chain. One can use this data with AIOps to draw important inferences for actionable intelligence. Data on DevOps is important for optimizing the complete process. Public cloud service providers are taking a new approach of combining DevOps with AIOps. Many AI applications also require DevOps by default. AI is more iterative. While AI can help with DevOps data, DevOps practice in AI can help deliver more actionable intelligence in anomaly detection, prediction, and natural language processing. All AI applications will take a DevOps approach. The cloud offers AI/ML tools that can be used as part of the DevOps toolchain for optimization.

Conclusion

While DevOps practice itself has delivered faster productivity, with enterprises setting up CI and CD chains, it is important to understand the cloud DevOps chain and use it effectively for business purposes. The migration from on-prem DevOps to Cloud DevOps should be carefully calibrated for maximum benefit at minimal cost.

An Ode to Defensibility

Defensible (de·fen·si·ble \ di-ˈfen(t)-sə-bəl) is defined as “capable of being defended”. “Defensibility” thus alludes to the ability to remain protected from attack. Cybersecurity should always have been defensible: able to adapt to changes, especially continuously changing business intent and the risks thereof.

The industry recognized this long ago. As early as 1970, a report of the Defense Science Board Task Force on security controls for computer systems noted that providing satisfactory security controls in a computer system is in itself a system design problem. This seems to be true today too. Despite spending billions on cybersecurity, cybersecurity teams are continuously fighting fires because protecting the organization is an asymmetric challenge. Security leaders need to protect an increasingly large number of entry points, while the bad guys have to find just one way in.

In the aftermath of COVID-19, we are looking at a new way of doing business. There are now more users outside the enterprise accessing services than inside, more unmanaged devices connecting to services than managed devices, and more and more internal users consuming applications delivered from outside the enterprise network than from inside it. Digital transformation hinges on using the Internet more and more, but the Internet was designed to be flexible and open, not secure. Every mobile phone, cloud application, branch office, IoT device and remote employee is an entry point.

It is time for defenders to change the approach.

On May 12, CMS IT Services launched a fresh approach to cybersecurity, the Defensible Cybersecurity Model, in an industry where too many cybersecurity technologies overlap in intent and content at the enterprise.

The CMS IT Services Enterprise Cybersecurity Solutions are designed to help enterprises embrace the Defensible Cybersecurity way: protecting their crown jewels through optimized investments in cybersecurity technology and processes; detecting deviations, events, incidents, and breaches in their computing infrastructure; and responding effectively so that the consequences are limited and contained to the extent the leadership desires, within the boundaries of their risk appetite.

Intricacies of the Protect, Detect and Respond Portfolio

The genesis of the Defensible Cybersecurity model can be traced to two key papers. The first is the report of the New York Cyber Task Force at Columbia University SIPA, titled “Building a Defensible Cyberspace”. The second is a physical security concept called Crime Prevention through Environmental Design (CPTED), which was designed to reduce crime by intelligently designing defensible spaces through Natural Surveillance, Access Control, Territorial Reinforcement, and Maintenance.

Defensible Cybersecurity is a holistic approach to cybersecurity challenges. It is aligned to the context of the business; it addresses systemic issues, challenges and stakeholder requirements; it is designed to handle constant change while consistently improving operational controls; and it addresses cybersecurity risks for both traditional and digital businesses and their supply chains.

Director Cybersecurity

Information Security: How critical is it?

News of one organization or another falling victim to a cyberattack-led breach that exposes sensitive information and confidential data is no longer rare.

When servers were securely encrypted and hidden behind corporate firewalls and perimeter-deployed intrusion prevention controls, enterprises grew complacent about security and relied completely on their host information security system. However, unforeseen events and actions have exposed inadequately architected information security controls.

Reliance on network-based protection has left business information quite vulnerable to attack while the migration to hybrid cloud and private domains is imminent. The ever-changing cyber-threat landscape makes keeping data secure a critical challenge, while cyber threats, whether virus attacks, cyber-fraud or espionage, grow ever more intricate and daunting.

Despite the growing complexity of operations and the magnitude of enterprise networks, organizations continue to jeopardize security: according to the 2018 State of Application Delivery (SOAD) report, as many as 36% of businesses have only 25% of their applications secured. This needs to change, chiefly the approach to the alarming issue of IT information security (infosec), as we discuss below.

Guiding Principles of Infosec: CIA

Information security is designed to protect enterprise assets, digital and non-digital, in every format, from malicious intent. Its core objectives are to make confidential and sensitive information accessible only to authorized parties (confidentiality), to ward off unsanctioned data modification (integrity), and to keep data available to all authorized parties as and when required (availability). Together these are commonly referred to as the CIA triad, the combined features of an infosec program. Infosec is a blanket term that encompasses compliance, risk, and protection from unauthorized access, use, exposure, disruption, modification or destruction of the network and its data. The CIA triad is the basis of a robust information security system.

The big question is which of these CIA attributes is the most important. The answer depends entirely on each business evaluating and aligning its mission, goals, services, compliance perimeter and SLAs. In all likelihood every component of CIA takes priority, in which case organizations should allocate resources equally for seamless implementation of all three.

For confidentiality, the critical aspect is encryption, which ensures that only authorized personnel can access and decode the information. Alternatively, information can be kept confidential by enforcing permissions and access controls that restrict access to sensitive information.

Integrity entails protecting information from modification by unauthorized personnel, since information holds value only if it is accurate. Cryptography is the key to preserving integrity, through securely hashing the original message. Availability means that information is accessible to the right people at the time they need it, and backup is the key to warding off disruption and destruction.
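The hashing-for-integrity point above, as an added example that is not part of the original article: an unkeyed digest stored beside the data only detects changes by someone who cannot also rewrite the digest, while a keyed hash (HMAC) still fails verification. The message, key and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample record and key; in practice the key comes from a secrets
# manager and is never stored next to the data it protects.
KEY = b"constructed-demo-key-not-for-production"
ORIGINAL = b"transfer 100.00 to account 1111"
TAMPERED = b"transfer 900.00 to account 2222"


def plain_digest(message):
    """Unkeyed SHA-256: anyone holding the message can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(message, key=KEY):
    """HMAC-SHA256: computing a valid tag requires the secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain(message, digest):
    return hmac.compare_digest(plain_digest(message), digest)


def verify_keyed(message, tag, key=KEY):
    # compare_digest runs in constant time, so the comparison itself does
    # not leak how many leading characters of the tag were correct.
    return hmac.compare_digest(keyed_tag(message, key), tag)


def tamper_outcomes():
    """Model a party able to rewrite both the record and its stored check value."""
    stored_digest = plain_digest(ORIGINAL)
    stored_tag = keyed_tag(ORIGINAL)
    return {
        # Message changed, stored value untouched: both checks catch it.
        "plain_detects_edit": not verify_plain(TAMPERED, stored_digest),
        "keyed_detects_edit": not verify_keyed(TAMPERED, stored_tag),
        # Message changed and digest recomputed: the unkeyed check passes.
        "plain_accepts_rehash": verify_plain(TAMPERED, plain_digest(TAMPERED)),
        # Without KEY the best available tag is a guess under another key.
        "keyed_accepts_forgery": verify_keyed(
            TAMPERED, keyed_tag(TAMPERED, key=b"guessed-key")),
    }
```
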

Security Needs to Be Part of Organizational Culture

Information technology has become an integral part of every aspect of the enterprise world. Hence, fostering data security for business assurance is indispensable. Infosec cannot happen in silos; it is a shared endeavor to be incorporated into the organizational culture. Be it employees, business partners or other stakeholders, personnel with access to sensitive data should not view security as an added cost burden; rather, awareness of cyber-attacks and threats should be the top priority even for casual technology users in an organization.

A minor security lapse can result in serious security risks that can jeopardize business operations and cause serious loss. Business enterprises must accept and proactively initiate security implementations. Though laws remain static for some time, technology is a dynamic agent. It keeps changing and evolving, and changing technology undoubtedly brings new types of threats. So, while laws on information security might not be updated along with technological changes, companies must look beyond their legal requirements and take a robust security stance.

CMS IT Proposition

Enterprises encounter serious security breaches despite investing heavily in information security infrastructure. Hackers shrewdly devise new ways to breach the information security of enterprise networks, either from within the company or from outside.

Research suggests that nearly 90% of enterprise breaches could be prevented through proper monitoring. Even so, setting up a dedicated Security Operations Centre (SOC) to monitor data and the network is an enormous challenge because of high set-up costs, the significant time and effort it demands, and an increasing shortage of skilled in-house experts. The SOCs at our Bangalore and Mumbai offices are robust, with skilled in-house expertise to take care of all types of business information security needs.

CMS IT’s Integrated Information Security framework revolves around process-driven human intelligence managing best-in-class technologies, with better business service SLAs and security SLAs. We also automate processes through our end-to-end Artificial Intelligence. We offer solutions to complex enterprise network security challenges through consistent, efficient and tailored infosec services that cater to organizational security goals and requirements.

As one of India’s top IT services firms, CMS IT provides complete solutions to large corporations across all sectors, including banking, insurance, retail, telecom and manufacturing. We provide new, cost-effective and cutting-edge IT infrastructure solutions that are reliable, resilient and responsive. With decades of experience, CMS IT’s security operations center (SOC) model is progressive and designed to meet all advanced cybersecurity needs.

Conclusion

Excessive connectivity, governance pressure and sky-rocketing customer expectations together are having a major impact on how companies operate, pushing them to proactively address the alarming risks to their network security from all quarters. Whether in financial services or the retail sector, the digital transformation landscape is the key driver of all applications. Cloud adoption has undeniably heightened the need to step up from conventional security measures to keep pace with the rapid rise in users, applications, data and infrastructure.

In today’s sprawling, globally networked digital world, app security accounts for a major share of reputation management. Businesses need to deliver services with higher speed and adaptive functionality, with the utmost security.