From account to application: safe at all times in the cloud
The cloud provides a canvas on which all the building blocks for IT environments are already in place. You can use these to create many magnificent structures. Without a solid foundation, however, structures such as these can collapse with the slightest tremor. A Cloud Landing Zone provides this foundation.
In short, this is a framework of best practices and guidelines within which organisations can carry out cloud migrations efficiently and securely. The benefit of a Landing Zone is that, depending on the needs of the organisation, you can set parameters (in IT, so-called guardrails) which determine the usability of applications and data.
Like their physical counterparts, these guardrails ensure that you don’t swerve out of control with disastrous consequences. Speed is one of the cloud’s strengths, but also one of its risks. Guardrails, therefore, simply ensure that you stay on the right track towards the cloud and can operate safely in it.
The challenges of a Landing Zone
Sounds good, right? However, it often turns out in retrospect that the foundation is less stable, or that the guardrails are loose on a few dangerous bends – in short, that your cloud environment’s settings are leading to security risks. Usually, this is not a matter of unwillingness or lack of skill, but a result of the different mindset that cloud security requires compared to traditional architectures.
For example, we are seeing many organisations struggle with the Zero Trust model. With this model, you basically monitor and act within your network as if an intruder is always present. Zero Trust is at odds with the traditional ‘castle model’ that IT managers are used to, where the focus is mainly on the outer walls (read: firewalls).
Before an organisation can make optimal use of the gamut of powerful security tools that the cloud offers, a fundamentally different way of thinking is required. This starts with a thorough analysis of the business needs and an in-depth discussion of all the security aspects a Landing Zone has to deal with, such as issues relating to ID and access management, logging, redundancy of systems, governance, and so on. This discussion is broader than IT, with stakeholders such as the compliance manager, CISO, CTO and even the business manager needing to arrive at a workable situation together.
The move to the cloud affects the entire organisation, so it is necessary to view this move as a strategic issue for which support must be created. And just as every organisation is different, a Cloud Landing Zone takes on a different form for every organisation. For example, a bank will have very different requirements for logging than a sports club. Which is why, in order to set up a Cloud Landing Zone properly, specialist knowledge is required on two fronts: knowledge of all the ins and outs of the cloud and knowledge of the organisation.
Fast and secure application development on your Cloud Landing Zone
A secure Cloud Landing Zone is not enough. A large part of the critical security risks can be found in the layer above it – the applications that run on the Landing Zone. That is not surprising, given the speed at which applications evolve. While the underlying technology of a cloud environment is constantly improving, changes at the application level are much faster – after all, they have to keep up with the speed of market needs. And the reality is that, because of this, security soon becomes the poor relation within development teams.
A different mentality is also needed at application level to guarantee security. The pen test that takes place each year – or every six months – is insufficient, especially if you roll out updates several times a week. If you’re looking to act quickly and safely, you need to apply a continuous feedback loop. So you basically break the pen test up and spread it out over the whole year. It is best to test with every software update. To do so efficiently, in terms of costs or otherwise, you should test only those parts of your environment where changes are released.
By continuing to test consistently, and continuously pointing out security risks to your developers, security remains top-of-mind for them, without affecting their ability to make headway with their releases. And importantly – given that you don’t have to be constantly carrying out large-scale pen tests – you remain agile as an organisation. There is a reason why we call this test method Agile Security.
Automation or manual work?
It is best to automate as much as possible. Automation provides cost efficiency and economies of scale, which makes it a key component of both Cloud Landing Zones and Agile Security. This way, automation can ensure not only that your Landing Zone remains maintenance- and cost-efficient, but also that it continues to meet the needs of your organisation. This is because these needs can be defined as code against which any changes can be assessed. If, for example, changes to the Landing Zone do not comply with what has been agreed, they will be blocked.
Although certain processes can be automated, a human element remains necessary if, for example, complex logic is required. You could compare it to a spell checker, which can assess perfectly well whether you have used ‘there’, ‘their’ and ‘they’re’ correctly, but not whether your text actually makes sense. Which is why an organisation should never shy away from finding the experts with the necessary knowledge – in the form of recruiting staff or by bringing in an external partner.
Unique security from your IT infrastructure to your application(s)
At Solvinity, we see the importance of security as a common thread running through your entire organisation, processes and IT environment. Which is why – particularly for ISVs and companies developing their own applications – we offer a unique service portfolio in the Netherlands that takes care of security from A to Z – from setting up your Cloud Landing Zone and Security by Design to secure management of the environment and testing security at application level with, for instance, Agile Security.
Working with our clients in a ‘stretched’ dev(sec)ops construction that is in line with our Integrated Delivery software release model allows us to ensure predictable software releases without you having to compromise on speed or security. This makes us one of the few service providers that assist software developers from start to finish.