Building apps on Amazon Web Services, often led by technical operations (or DevOps) and driven purely by business needs, tends to focus on building and delivering functionality in as little time as possible. The flexibility and agility available with AWS allows teams to build an app or a business process from conception to production rollout.
In their 2013 Forrester Wave: Enterprise Public Cloud Platforms, Q2 2013[i], John R. Rymer and James Staten identify three key developer types with specific backgrounds, preferences and motivations and their differences based on how much control they want or need:
- DevOps pro;
- Rapid developer.
When you look closely at the motivation or ‘drivers’ behind their work, the report implies that it is often all about programming and coding something spectacular – a great process, a great app – and doing is as quickly as possible, but I didn’t get the sense that security was in the top 5 list of importance when it comes to building on any public cloud. in record time. From an organizational standpoint, ‘cloudifying’ business processes or creating a new app that improves customer experience so quickly creates a difficult to resist rapid try-fail/try-grow cycle.
When something can go from a concept to customer-ready functionality in a flash, who wouldn’t want to take advantage? Or, more to the point, who is?
Of course, there has been a lot of excitement around cloud security and questions about how secure it is or it isn’t. Ask yourself: are you ready to get in the game? Are the security standards you expect in your datacenter the same as you expect (or demand) for your public cloud applications? Then again, are the security standards in your datacenter infrastructure as good as the infrastructure that you can rent from AWS – but this is perhaps a topic for another day?
Unquestionably, AWS adheres to top industry best practices; however, the company is very clear about the demarcation between their and the AWS customer’s responsibilities. Security is a shared responsibility with its customers. Amazon handles everything to do with the infrastructure, but security for the instance operating system, applications and software infrastructure, Mr/Mrs. Customer, is in your hands. Make no mistake, AWS has covered all their bases, but the security required (Regulatory Compliance included) for the apps and business processes YOU build are fully your responsibility when it comes to firewalls, encryption, antimalware, etc.
In his February 2014 Forrester publication, Principal Analyst, Ed Ferrara, provides a deeper dive into AWS Cloud Security, describing what security and risk professionals need to know about AWS services and controls, but it also cautions that users must “engineer the correct security atop AWS. AWS provides key security building blocks, but it’s still your responsibility.”[ii]
Let’s face it, public cloud development has the potential to allow DevOps to side-step the normal procedures that are otherwise part of conventional datacenter practices – particularly when it comes to security. As many have learned, security is frequently a ‘bolt-on’, with very little thought given to the sophistication of the app, the platform or the infrastructure itself. Any ol’ security brand will do, won’t it?
You already know the answer.
AWS Marketplace was set up with all the tools and opportunities for DevOps to create outstanding and safe applications, from the start. Everything required to ‘play the game’ of public cloud is right at your fingertips. The task is to think about security from the start and not just any ol’ brand, but one that is in-line with the specific needs of the project, the apps, the platform, the organization.
You’re invited to comment and share your thoughts about public cloud security, especially from the DevOp community. Maybe the DevOp community is thinking about security from the start. Let us know.
[i] “The Forrester Wave ™: Enterprise Public Cloud Platforms, Q2 2013 One Size Does Not Fit All Developer Needs” (Pages 3-5), by John. R. Rymer and James Staten, June 14, 2013 | Updated August 8, 2013, Forrester Research
[ii] “AWS Cloud Security” (Page 1) , by Ed Ferrara, February 5, 2014 |Updated February 21, 2014, Forrester Research