I recall a conversation with a customer a few years back, discussing the organisational changes needed to become Cloud Native. As was often the case with this topic, a lot of questions were being asked about how to effectively tackle the security team. The basic question was, “Do I need to change my security team, or should I implement Cloud Native security somewhere else?”. My response on that occasion was, to continue managing security effectively, while you implement Modern Cloud Native methods quickly, you need to complement your security function by adopting these skills within your cloud team and ensure strong lines of communication with the security team.
My reasoning was simple. Unless a business or function faces an existential threat due to an unforeseen event, teams and business stakeholders will simply not accept the risks in implementing new ways of working quickly. Changing a fundamental approach to security enforcement, building a common vocabulary across teams, and adopting new tools for automating processes all takes time, and can only be sustained through demonstrable success. This success needs to be seen within the Cloud Native team first and given the time needed to build empathy with existing operational teams and draw them in to new ways of working.
During the last 5 years, we have seen this pattern used in part; perhaps in too many parts. While my discussion and advice to our customer was based on a central cloud operations team, enterprise lines of business have tended to embed operational skills and responsibility within their software development and analytics teams, which has led to some dilution of discipline, especially when it comes to security. It has also meant developers becoming embroiled in automating operational tasks, distracting them from focusing on building code.
Fortunately, we see this being addressed and it pleasing to see more IT leaders being concerned with developer productivity and modernising their infrastructure and security practices by embracing DevOps. Indeed, many are going a step further by creating platform teams, focused on improving the developer experience and working in a manner capable of breaking down the silos of organisation, operational skill, community practices and tooling.
A recent Forrester report “Elevating the Developer Experience” * examined the business benefits of improving the developer experience for organisations, and noted that the top 3 contributors to developer experience are:
- Deployment automation
- Access to open-source software
- Library of application templates.
It’s worth noting that the provision of each these typically sits with the Platforms team and are integral components of the Cloud Native Application Platform framework we share with our customers.
Forrester - Elevating The Developer Experience June 2022Platforms teams hold the unique position of delivering the tooling and automation glue that binds the developer, infrastructure, security, and service teams processes. Importantly, they tend to maintain a product centric approach to building the developer service components that can be consumed on demand and bake in the governance controls that can be applied consistently across the business’s choice infrastructure and cloud providers.
While cloud has undeniably improved software delivery and enabled business to accelerate their digital programmes, they have indirectly contributed to the complexities of maintaining secure software delivery. DORA’s “2022 State of DevOps Report” identified organisations continued increase in Cloud usage, with 76% of their respondents noting they were using single/multiple public clouds, and 42% using hybrid clouds. However, they also noted that the “use of hybrid and multi-cloud (as well as private cloud) seem to have a negative impact on several software delivery performance indicators (MTTR, lead-time, and deployment frequency) unless respondents also have high levels of reliability.
DORA - 2022 Accelerate - State of DevOps Report
Improving reliability involves many factors, with security being one of the more critical, and a priority concern across the IT organisation. A few years ago, engineers’ heads would have dropped into their laptops at the first mention of applying security to their work in a governed way. However now we find it is the most prominent topic of conversation customers want to have. Thanks to DevSecOps, security is now a cool subject that lifts their heads and keeps their attention.
Getting security and reliability right for a Cloud Native Application Platform, where there are multiple layers and domains of automation, means implementing as a set of productised platform services, and supporting a unified approach for software delivery. When implemented correctly, a modern platform service will provide the automation needed to deploy, and run software in a secure manner, as well as providing the abstraction needed to support operational consistency across multiple cloud infrastructure services.
I regard the adoption of these platforms as operational enablers by supporting highly automated pathways for software delivery, and strategic enablers by providing cloud heterogeneity and aiding improvements in developer velocity. I talk about this in more detail in our latest thought leadership paper
* Forrester - Elevating the Developer Experience June 2022
DORA - 2022 Accelerate - State of DevOps Report