
Aligning your cloud Solutions Development Lifecycle (SDLC) with the security implementations that safeguard it is a continuous process of coordination and calibration.
We suggest using a Cloud Solution Lifecycle (CSL) model to guide and organize security implementations to ensure your cloud solutions are secured against threats at every stage of development – from planning and design to deployment and optimization.
In this blog, we examine the 8 phases of the CSL process, their respective cloud security activities, and 2 major operational principles that maximize security implementation development efficiency.
How a CSL works
Whether migrated from on-prem or cloud-native, all created solutions and security implementations traverse the 8 phases of the CSL. The process can occur once during a solution’s development or through multiple progressive iterations as it is designed, migrated, and optimized.
The CSL acts in parallel with your SDLC methodology and represents a continuous cycle of security development to match regular solutions development.
An effective cloud security posture manifests itself efficiently and pervasively throughout the CSL. It anticipates, prevents, and resolves security threats at each phase. The 8 phases of your CSL and their associated cloud security activities are:
1. Plan: Align security implementations with cloud enterprise objectives to formulate each solution’s optimal future state from the beginning!
2. Setup: Design on-cloud solutions’ infrastructure and accommodations:
   ○ Architectures
   ○ SDLC synergies
   ○ Controls
   ○ Configurations
   ○ Ecosystem domains
3. Migrate/Build: The actual act of migrating on-prem solutions to, or building cloud-native solutions in, the cloud.
4. Test: Evaluate solution test builds against initial objectives, making adjustments and calibrations accordingly.
5. Deploy: Go live with the solution operation in your targeted cloud environment.
6. Monitor: Capture and analyze performance data.
7. Manage/Operate: As your cloud performs its duties, be on the lookout for common operational issues and any emergent needs for improvement.
8. Optimize: Resolve identified issues with patches and retrofits, and prepare for future iterations. Don’t overlook the need to train people in how to use both your original implementation as well as these fixes.
2 Operational Principles for an Effective CSL
Effective CSL management relies on 2 operational principles that affect solution creation and management capabilities: 1) shifting cloud security upstream; and 2) aligning the CSL with an Agile DevOps methodology.
Shifting Security Upstream
Prioritizing start-up speed over thorough security planning can result in costly post-deployment retrofits across both on-prem and cloud environments. Here are a few examples of what could happen if you make this mistake:
• Adopting predominantly Infrastructure-as-a-Service (IaaS) cloud configurations to retain development “autonomy” prevents you from exploiting cloud microservice efficiencies.
• Lifting and shifting applications, workloads, solutions, and their on-prem processes without factoring for cloud compatibilities wastes the performance opportunities inherent to cloud-based operations.
• Retaining on-prem design norms (e.g., favoring on-prem VMs over cloud-native solutions) inhibits cloud optimization.
Allowing such mistakes to occur saddles CloudOps with additional costs, some long-term, as the built-in deficiencies require follow-on patches/fixes/releases to resolve. These delays and re-works can disrupt your SDLC development cadence, undermining both cloud operations and internal support for the whole cloud enterprise.
Integrating security as far upstream of the CSL as possible minimizes disruption by establishing optimal states and their security needs early. Use the Plan, Setup, and Migrate/Build phases to 1) design based on security and performance requirements; 2) define their developmental trajectory; and 3) formulate contingencies for evolving requirements.
Optimal future state design should be conducted even when misalignments between solutions and implementations are inevitable. Mapping the desired levels of security optimization for deployments enables accurate projections of how deferment could impact security architectures.
“Future State” analysis factors include:
• Solution security profile, changes to threat surfaces, and emergent risks
• Threat surface management practices for the unoptimized solution, the optimization retrofit, and post-optimization
• Financial and other operational costs of maintaining unoptimized solutions
• Roadmap to identify weaknesses, devise fixes, and deploy retrofits to integrate security implementations and solutions development
Shifting security upstream provides stronger and earlier design-integrated security benefits that foster cohesion between solutions, implementations, and security infrastructure.
Aligning the CSL with Agile DevOps
Your CSL footprint of solutions and security implementations is constantly changing as each phase’s security requirements evolve. An Agile DevOps approach is needed to effectively anticipate, adapt to, and resolve expanding threat surfaces:
• Design security implementations and architectures to manage each phase’s unique threat surfaces. Remember to design based on security needs, target performance, and operating costs.
• Plan and design for how optimal solution states change throughout the CSL to match changing cloud objectives and enterprise configuration needs.
• Optimal solution states must adhere to the CSL’s overall security paradigm (e.g. don’t deploy an as-a-service model at any particular phase if the general CSL security paradigm is shifting away from it over multiple phases).
• Map synergy points where both solution and implementation development converge to enhance developmental efficiencies and ease deployment integration.
Failing to maintain cohesion between solutions and security development causes the two processes to fall out of sync, creating security gaps as security implementation development lags behind. Keeping them aligned is crucial to prevent spiraling complexity, costly security retrofits, and slowed cloud growth.
It is critical to ensure your cloud solutions are paired with security implementations that answer their evolving needs. Consult expert advisory for help integrating both processes for effective, efficient, and united cloud solutions development.
There are many, many “spillover” points when designing an integrated CSL and SDLC. Wavestone Cloud & Security experts have charted this path thoroughly.
Talk to us for guidance on aligning your SDLC with effective and efficient security development.