Developers Are Scaling Faster Than Ever: Here’s How Security Can Keep Up
We know traditional security practices can’t support this scale, so how do modern practices allow us to scale security with these architectures?
Lift-and-shift strategies are a thing of the past. Instead, forward-thinking organizations are adopting cloud-native platforms, which offer pre-constructed building blocks to increase velocity and flexibility in the architectures you design. As a result, developers gain an important benefit: The ability to scale quickly.
Cloud-native platforms are the way of the future. In 2021, less than 40% of new digital initiatives were built on cloud-native platforms. However, Gartner predicts this will skyrocket to more than 95% by 2025. It’s easy to see why — faster time to market, ability to scale up and down based on demand, no responsibility to manage core infrastructure, and increased agility make cloud services a good investment.
Developers are increasingly empowered as they get the freedom to make choices on cloud services, feature capabilities, and the tech stacks they use to deliver solutions for customers quickly. Infrastructure teams from a decade ago would be amazed by the scale at which developers can build in the cloud.
While operating at this velocity and scale offers companies many benefits, there are plenty of challenges. For example, developer freedom leads to heterogeneous environments that are further complicated by the sheer size and complexity of today’s application architectures. In addition, cloud service providers make constant changes to their feature capabilities that are hard to keep up with.
Security’s another major challenge amid the increasing complexity and interconnectedness of cloud-native architectures. Unfortunately, traditional security practices have a hard time fitting into this paradigm, and false positives from security tools become a major reason for reduced developer productivity.
One of the tools developers have is Infrastructure as Code (IaC), which can automate deployments, enable fast and frequent changes, and help them manage the complexity of their cloud. However, when security teams cannot keep up, time to market is often prioritized over security risk management. So it’s no wonder that the data shows that over 45% of organizations have reported a cloud security incident.
We know traditional security practices can’t support this scale, so how do modern practices allow us to scale security with these architectures? First, break down the considerations across people, processes, and technology.
People
Cultural challenges are the biggest inhibitor to security practices scaling. Organizations that still have silos between security and development will have a hard time ramping up. For any organization, the journey to build a modern, scalable security practice starts with breaking down these silos and focusing on cultural transformation.
The 2022 Accelerate State of DevOps Report clearly shows us that organizational performance is impacted by culture. For example, a generative culture — which has traits of higher cooperation, shared responsibility, and failure leading to inquiry rather than scapegoating — is associated with better performance.
Your organizational model also needs to be considered and designed for scale. For example, platform engineering is an increasingly popular trend to create cross-functional teams that can operate autonomously and provide self-service platforms for cloud-native developers to build at scale. According to Puppet’s State of DevOps Report 2023, 94% of adopters believe platform engineering helps their organizations better realize the benefits of DevOps, and 68% have seen an increased development velocity.
Security and developer champions programs go hand-in-hand with these trends. They can promote education and awareness across security and development, creating more positive feedback loops throughout the entire organization.
Processes
Once you have your teams on the same page, you need to advance past traditional security workflows so that your processes can also foster higher performance and more collaboration.
You’ve likely heard the term “shift left,” which moves certain functions earlier in the software development lifecycle (SDLC). To improve your security, you must start left at the design phase of cloud architectures, far before workloads have been deployed.
A modern security practice focuses on developer productivity and democratizing security for developers. Good security processes build on cultural changes to empower developers, create shared responsibility, and make it easier for developers to adopt security. In addition, these processes place a heavy focus on eliminating false positives and improving the quality of feedback to developers to drive productivity.
How you measure success also needs to be aligned with these goals. Measuring security risks by the number of issues and their criticality is not enough. Your metrics should help measure security’s impact on the velocity of delivery and speed of resolution. It should include security cost avoidance and quality of delivery. Finally, it should measure the success of security and developer champions programs. Puppet’s report shows 55% of organizations saw improved security by adopting some of these concepts like platform engineering.
Technology
To deliver on those metrics, you need to invest in the right technologies that support your process, designed to address the challenges of scale. This means embracing automation, and it requires you to go all-in on doing everything as code. However, there’s a big payoff here: Scalable, repeatable, and version-controlled security practices seamlessly integrate into developers’ workflows to guide them where they live and prevent tool fatigue.
Managing your large complex cloud environment using IaC lets you manage cloud assets as cattle, not pets. Pets get names and are adopted as family members. Cattle may be identified, but when there are thousands of them, they can’t all get that personal touch and be managed through manual ClickOps-based approaches.
In the same vein, Security as Code (SaC) allows you to better manage the lifecycle of security through code. It lets security teams focus on the strategic work of building best practices that fit the goals of the company and automatically applies these practices at scale in a consistent manner. In addition, it creates transparency for development teams so they understand what is expected of them and lets them follow test-driven development workflows for security features.
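To make the "everything as code" and Security as Code ideas concrete, here is a small policy-as-code check that evaluates a Terraform plan before anything is deployed. This is an added example, not code from the original article or from any particular product; real policy engines (OPA/Conftest, Checkov, tfsec and similar) do the same job with a much larger rule set. It assumes the plan was exported with `terraform show -json`, uses a constructed, simplified plan excerpt embedded inline, and treats the `exposure=public-web` tag and the rule names as illustrative conventions. The allowlist step is the part worth copying: it is what keeps a web tier that legitimately serves 443 to the internet from showing up as a false positive on every run.

```python
"""Policy-as-code check over a Terraform plan (added example, not from the article)."""
import json
from dataclasses import dataclass

# Constructed, simplified excerpt in the shape of `terraform show -json plan.out`
# (planned_values.root_module.resources). Not captured from a real environment.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "name": "bastion",
         "values": {"tags": {"role": "bastion"},
                    "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "name": "web",
         "values": {"tags": {"exposure": "public-web"},   # hypothetical allowlist tag
                    "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
         "values": {"bucket": "example-logs", "acl": "public-read", "tags": {}}},
        {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket", "name": "private",
         "values": {"bucket": "example-private", "acl": "private", "tags": {}}},
    ]}}
})


@dataclass(frozen=True)
class Finding:
    rule: str
    address: str
    detail: str


ANY_IPV4 = "0.0.0.0/0"
# Ports a resource explicitly tagged exposure=public-web may open to the world.
PUBLIC_WEB_PORTS = {80, 443}


def check_security_group(res):
    """Flag ingress rules open to 0.0.0.0/0, except 80/443 on a tagged web tier."""
    findings = []
    values = res.get("values", {})
    public_web = values.get("tags", {}).get("exposure") == "public-web"
    for rule in values.get("ingress", []):
        if ANY_IPV4 not in rule.get("cidr_blocks", []):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        # Allowlist: a tagged public web tier may expose exactly 80 or 443.
        # Anything else open to the internet (SSH, databases, port ranges,
        # protocol "-1" which Terraform reports as ports 0-0) is a finding.
        if public_web and lo == hi and lo in PUBLIC_WEB_PORTS:
            continue
        findings.append(Finding("sg-open-to-internet", res["address"],
                                f"ports {lo}-{hi} from {ANY_IPV4}"))
    return findings


def check_s3_bucket(res):
    """Flag buckets whose canned ACL grants read or write to everyone."""
    acl = res.get("values", {}).get("acl", "private")
    if acl in ("public-read", "public-read-write"):
        return [Finding("s3-public-acl", res["address"], f"acl={acl}")]
    return []


# Rule registry: adding a control is adding one function and one entry here.
CHECKS = {"aws_security_group": check_security_group,
          "aws_s3_bucket": check_s3_bucket}


def evaluate_plan(plan_json: str):
    """Run every registered check over the planned resources; return findings."""
    plan = json.loads(plan_json)
    resources = (plan.get("planned_values", {})
                     .get("root_module", {})
                     .get("resources", []))
    findings = []
    for res in resources:
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


if __name__ == "__main__":
    results = evaluate_plan(SAMPLE_PLAN)
    for f in results:
        print(f"{f.rule:22} {f.address:30} {f.detail}")
    # Non-zero exit fails the pipeline step, which is how the policy "blocks" a merge.
    raise SystemExit(1 if results else 0)
```

Run against the sample plan, this reports the bastion group (SSH from anywhere) and the public-read bucket, and stays silent on the tagged web tier and the private bucket. Because the rules are plain functions in version control, the same test-driven workflow the section describes applies to them: each allowlist decision gets a test case, and a rule change goes through code review like any other change.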
Automation-first approaches also help you identify security incidents faster and contain them more quickly. If every cloud asset in your environment were a pet, incident response processes would struggle to scale effectively.
The challenges of scale require security practices to evolve. But this evolution is an opportunity to leapfrog forward in maturity and puts security teams in a position to directly enable the velocity of innovation within their business.
Opinions expressed by DZone contributors are their own.