Baking Security into the Cloud: DevSecOps and Cloud Native

GitLab is convinced: In 2021, DevSecOps will arrive in the mainstream. As more and more companies move and develop their applications in the public cloud, developers are increasingly becoming responsible for IT security. Regardless of whether it’s a corporate group or a small or medium-sized enterprise, if, as a current survey by Crisp Research and Cloudflight shows, every fourth DACH company is planning a cloud-native share of 25 to 50 percent in its own IT infrastructure by 2022, then this means nothing other than that users must place their software projects on a DevSecOps foundation. Through DevSecOps, requirements of developers, operations professionals, and security experts alike can be addressed.

Developing cloud-native apps agilely, deploying quickly and operating securely – for this to succeed, DevSecOps and a cultural change are needed. “Anyone developing applications in the public cloud for the public cloud needs to integrate security into the app lifecycle,” says Marc Schröter, CEO at globaldatanet. “But when companies look at the public cloud with a more traditional understanding of security, that can lead to problems,” says Mario Apitz, Founder & CEO at Alice&Bob.Company. Both providers specialize in security and have been involved since last year in the Cloud Native initiative of EuroCloud Germany, EuroCloud Native (ECN) as founding members.

Working agilely in small teams, developing quickly, and focusing on speed: “Many security breaches in the cloud occur because users don’t know their way around properly,” Schröter says. “Companies too often view security as an appendix.” For example, in how teams are put together. “For every 100 developers, there are usually 10 operations experts and 1 security specialist,” says Apitz. As a result, developers are being asked to do more and more. Not only do they have to translate customer requirements into features, cost-optimize applications, and evaluate the latest cloud innovations, but they also have to ensure secure software at all times.

Just how difficult this balancing act is is shown, for example, by container technology. Containers are DevOps tools that can be used to deploy and manage scalable apps. “It's very convenient for developers because containers can be provisioned en masse within seconds,” Schröter says. “But operating them safely requires know-how that is often lacking,” Apitz says. As easy as containers are to use, they are often configured insecurely. This lack of expertise can also go hand in hand with unclear responsibilities, as another survey by GitLab from May 2020 shows: Not just one in four developers (25 percent) feel responsible for security, but also almost one in four testers (23 percent) and operations professionals (21 percent).

“DevSecOps needs a different mindset,” Apitz says: “Enterprises need to see security as an integral part of their cloud strategy. Security must be mainlined into software code and understood as a quality dimension from the start.” Schröter: “Hyperscalers are delivering innovative features on a weekly basis. Anyone developing cloud-native applications must also consider these dynamics.” Take, for example, Amazon Web Services: On average, one in four services published by the hyperscaler targets security. If companies have organized their IT operations in a more traditional way up to now, they quickly reach their limits with this approach.

“In the past, if you built a data center, you put multiple firewalls from different vendors in a row, and you thought of that as security,” Apitz says. “However, security functions can be implemented cloud-natively via the public cloud,” says Schröter. New concepts are in demand, as ISG expert Heiko Henkes also points out in the German-language white paper Cloud Native as Imperative for Digital Transformation which the consulting firm published in cooperation with the ECN Alliance partner claranet: “Companies and vendors are finding that security implementation can’t be an afterthought.” DevSecOps replaces DevOps and implements security principles as a standard feature.

What are the recipes for success? “For example, companies need to train individual developers to become cloud security experts,” Apitz says. “Then these employees no longer evaluate IT tickets only from a feature-oriented perspective, but also a risk-oriented one.” The white paper by ISG and claranet also recommends that it helps to change the perspective on one’s own work and to establish new roles and functions. Accordingly, DevSecOps goes far beyond dovetailing IT and business, but instead requires more intensive collaboration with new roles. What else is recommended? Schröter: “Anyone who wants to integrate security into app development complements their new way of thinking and working with suitable tools.” Whether firewalls, encryption, security or policy groups – automated security functions can be monitored and misconfigurations prevented. The advantage for developers: The tools make their work easier.

Fend off cyberattacks with artificial intelligence, automatically detect and disable corrupted virtual machines, express identities via software code, monitor API access in an audit-proof manner, and build zero-trust architectures in which people can authenticate Microservices via certificates: “The standard scope of the public cloud offers all the functions and services to implement security-by-design concepts off the shelf,” says Dr. Nils Kaufmann, who heads EuroCloud Native. “In this way, users achieve a high level of security at a manageable cost.” To ensure that more and more companies become aware of the advantages, the ECN wants to impart know-how. Kaufmann: “There is no way around a topic like DevSecOps in this regard.”

When companies want to develop cloud-native applications in the public cloud for the public cloud, there is a great willingness, especially among SMEs, to also get help from cloud-native providers . “SMEs are focused on their core business and like to use external experts often,” says Apitz. What is clear beyond that: “Once SMEs have arrived in the public cloud and have experienced the cloud-native benefits, there is usually no going back,” says Schröter. “Once you're in, you'll definitely get a taste for the public cloud.”

Nils Klute is IT Editor and Project Manager Communication Cloud Services at EuroCloud Germany. He is responsible for content marketing activities on topics such as GAIA-X and AI, supports initiatives such as Service-Meister, EuroCloud Native or systems integrators on their cloud journey. Prior to his start at eco in 2018, Nils worked as a corporate journalist for IT corporations (like SAP, T-Systems, and QSC at Cologne-based communication agency Palmer Hargreaves) and previously held public relations positions at market and economic research institutions.