The Public Cloud: secure foundation or quick-fix?
Over the past few months, I have spent quite some time talking about public cloud adoption with partners and customers. These talks taught us that public cloud computing can certainly have several (widely advertised) advantages such as agility and a lower total cost of ownership (TCO), at least when the required knowledge is in place.
We also learned that, from a security point of view, the way an enterprise incorporates public cloud technology is highly indicative of its overall (security) maturity level.
- Does ad-hoc adoption prevail? Or is a secure foundation architected first?
- Can the basic hybrid cloud model be scaled to multiple cloud environments (commonly referred to as ‘multicloud’)? Is there an enabling strategy for network automation / orchestration in place?
- To what degree is the organization able to keep an eye on the complete infrastructure? What about mission-critical or compliance-related data?
Public Cloud usage does not benefit from a traditional “Lift and Shift”
Incorporating the public cloud into your overall architecture requires some thoughtful planning and a good assessment of which applications and data can and (above all) should be moved to the public cloud in the first place.
An application that runs 24/7 and that can be scaled with minimal operational margins does not really fit into a public cloud usage model. True TCO improvement lies within the granular scaling of an application according to the need, the so-called ‘pay-as-you-go’ model.
This also means that the adoption of public cloud resources does not benefit from a ‘lift-and-shift’ approach in which traditional static on-premises workloads are migrated to an Infrastructure-as-a-Service platform within the public cloud. This just comes down to renting virtual server instances and is often more expensive if you consider the TCO over multiple years. You lose true agility, the key driver in overall cloud adoption.
In support of an agile development process
Up until today, we see customers mainly leveraging public cloud resources to support their agile development process, using tried and tested application development stacks. Once finalized, most of the delivered applications are brought back to the private (cloud) environment to be put in long-term production.
The public cloud is primarily suited for the creation and delivery of so-called next-generation ‘cloud-native’ applications, using the granular building blocks and security controls provided by each of the cloud service providers. Serverless computing is one example. The key question you should ask is: how many of those true cloud-born applications are you creating, or maybe even running, today? And how do you prevent vendor lock-in along the way?
Public Cloud: a wildcard in terms of operational security?
In the next few years, most of our customers will experience an operational improvement that goes hand-in-hand with a continuous quest to find the right, evolving balance: a balance between new applications built for (and within) the cloud and legacy platforms residing in a traditional datacenter / private cloud.
The cloud’s biggest advantage is that complete environments can be spun up and torn down in a blink without passing through traditional provisioning processes. With a big emphasis on agility and the need to meet ever more aggressive deadlines, operational security is often seen through a rear-view mirror.
In terms of security, a correct balance is equally important. The adoption of public cloud technology should not mean we provide developers with the ‘keys to the kingdom’. You do not want to interfere with or diminish the agility advantage, but it is paramount to have the right checks and balances in place to ensure business continuity.
At SecureLink, we aim to support the cloud builders within our customer base in the following ways:
- We help you assess your current security posture and provide you with actionable information about gaps, weaknesses and risks.
- We assist customers with the adoption of a Secure Software Development Lifecycle (SSDLC), by implementing effective workload security, proper identity management and micro-segmentation.
- We build and manage secure interconnectivity between the different cloud environments, both private and public.
- Security should follow the application: leverage key automated integrations, both within our solutions and the different cloud orchestration frameworks.