ALCG Journal by Andrew Lehman 



DevOps and The Cloud


"DevOps" is a hot concept in corporate IT today. It's emblematic of the lighter, faster, more agile IT operation that is aspirational for corporations seeking to eke out more competitiveness from their IT dollar. It shows you're part of the solution, part of the "just-get-it-done" and "why-were-they-all-so-slow-in-the-old-days" IT business thought leadership.

Like many "new" IT concepts (more on that later), the exact meaning of DevOps is open to debate. And also like many new ideas in IT, the new hotness that is DevOps is mostly an amalgamation and repackaging of existing concepts, updated to take advantage of the new technology landscape. 
In fact, from an implementation perspective, the bulk of what is novel about DevOps is as much or more a reshuffling and redefining of organizational roles and responsibilities as it is a change to the process of Development or Operations.

Much of in-house DevOps is actually Cloud-Driven
The changes to the Ops part of DevOps are really driven more by Enterprise Infrastructure moving into the cloud. A few things are happening. Enterprise cloud is moving from in-house to hybrid to public as cloud offerings mature and corporate decision makers become more comfortable with cloud security and dependability. In fact, if anything, the huge security breaches of the past year have served to demonstrate that keeping computing in-house does not provide the security advantages corporations assumed. Also, the balance of what the enterprise is purchasing from cloud service providers is moving up the stack from IaaS towards PaaS and SaaS. One important consequence is that the practice of Enterprise IT Infrastructure management itself is also changing, because what the Enterprise teams are managing is changing.

As the web has been changing from a static medium into a collection of dynamic web-based applications, what Enterprise IT develops is also changing. On the web and in the enterprise, the days when large, monolithic, multi-functional applications were released on an annual or semi-annual basis are disappearing. The enterprise has been moving out of huge monolithic applications and into an enterprise service bus architecture, and will continue to evolve right out onto the modern dynamic web: developers are building micro-applications designed to interact directly with users and with other applications. As the Internet has evolved, so have the users and the applications that interact there.

Ironically, the massive security breach revelations of the last year have laid bare the vulnerability of enterprise networks, not the vulnerability of the cloud as many feared. Perhaps because everyone, both vendors and enterprise IT organizations, was focused on the nascent risk posed by possible cloud security shortcomings, the extra effort put into ensuring cloud implementations are secure has resulted in the enterprise networks, and not the cloud infrastructures, being the soft targets.

DevOps is about the new world of smaller, web and cloud based apps and how to quickly and cost-effectively design, build and support them. Because release cycles are drastically abbreviated, coming much more frequently, the only practical solution is to have the team that develops the applications also be the team that supports them. When releases come so frequently, there is little time to bring a separate team up to speed to do technical support. And, since most developers don't want to spend a lot of time doing technical support, this has the added benefit of encouraging them to develop less bug-prone releases, since they retain front-line responsibility and pay the consequences for application problems. Apps are smaller, development is faster, responsibility is more focused and, as everything continues to accelerate, the stakes are higher. More than ever, companies need to shed non-core activities, increase focus on their core competencies, and make good use of partners for everything outside of their lines of business and the areas of expertise directly supporting that business. So, the role of IT is shifting in support of this new role: an increased emphasis on advice and strategy, and increased reliance on, and supervision of, partners and service providers. 



To The Cloud? Yes, I still think so.

Recent revelations about the risks associated with depending on cloud-based storage and applications (Amazon’s cloud outage) have again raised questions about the suitability of cloud computing for business. Equally unsettling are the continuing major security breaches, like the compromise of the Sony Playstation Network user information and recent revelations about security shortcomings with Dropbox. The thing to keep in mind here I think is that with proper preparation, planning and attention to detail these problems were all avoidable, or their effect could have been mitigated. 

A major part of IT is knowing what can go wrong and planning what to do when it does. All systems can and almost certainly will fail at some time. To be incensed when they do really only indicates that someone didn’t plan properly for the eventuality or has unreasonable expectations, or both.  

Those who knew that they had no tolerance for downtime and planned their strategy and systems accordingly made it through the outage without a loss of their critical services because they had built and tested systems to fail over to in the event that their resources on Amazon became inaccessible. 

Likewise, Sony should not have been keeping unencrypted user data out on the Internet. It would have been prudent to have stored the data in an encrypted format, given that it was sensitive information. Again, this points to a lack of proper care, planning and attention to detail. 

I have to admit I was taken aback and frankly disappointed by revelations about Dropbox’s lax host authentication system, especially in that it is not a complex problem and easily remedied. Although they are now taking steps to remedy the problem, it’s disappointing that it took a public outcry to shame them into plugging the security hole. But, here again, prudence would dictate encrypting sensitive data before putting it out in a public cloud where security is out of your control. 
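The practical form of the advice above, encrypting sensitive data on your own systems before it is handed to a public cloud whose security you do not control, as an added example that is not part of the original post: the key is generated and kept locally, only the sealed blob is uploaded, and the authenticated cipher (AES-256-GCM from Go's standard library) detects any alteration of the stored blob or any attempt to serve it back under a different object name. The sample record, the object names and the in-memory `fakeCloud` store are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record: the kind of sensitive user data the post says
// should never sit unencrypted on a third-party service.
const sampleRecord = `{"user":"alice@example.com","card_last4":"4242"}`

// NewKey generates a fresh 256-bit key. The key stays on premises (or in a
// key store you control); the cloud provider only ever sees ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag,
// which is the only thing that gets uploaded. The object name is bound as
// associated data, so a blob cannot be quietly served back under another name.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. Any change to the blob, or a mismatched object name,
// fails the GCM authentication check and yields an error instead of plaintext.
func Open(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// fakeCloud stands in for a provider's object store (constructed for this
// example): it keeps whatever bytes it is handed and is outside our control.
type fakeCloud map[string][]byte

func (c fakeCloud) Put(name string, data []byte) { c[name] = data }
func (c fakeCloud) Get(name string) []byte       { return c[name] }

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	cloud := fakeCloud{}
	blob, err := Seal(key, []byte(sampleRecord), "users/alice.json")
	if err != nil {
		panic(err)
	}
	cloud.Put("users/alice.json", blob) // provider stores ciphertext only

	// Normal read-back by the key holder.
	pt, err := Open(key, cloud.Get("users/alice.json"), "users/alice.json")
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)

	// A flipped byte in the stored object is detected rather than decrypted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, "users/alice.json")
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The point of binding the object name as associated data is that the provider (or anyone with access to its storage) cannot substitute one user's encrypted record for another's without the substitution failing authentication on read-back; losing the local key, of course, means losing the data, so key backup belongs in the same "planning for failure" the post calls for.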

I still think the cloud is an excellent resource, especially for small and medium businesses, and I would not discourage anyone from using it. But I think it is necessary to have a resource, either in-house or a consultant, who can ensure you are using the right solution and properly mitigating your risks. Today’s small/medium shop needs a resource who understands how things work and can effectively manage vendors and partners - the cloud and service providers - to ensure you are getting what you need.