This is really a big question, but I'll give it a try.
Moving an application from on-premise (non-cloud) environment to the cloud isn't an easy task. Some believe it's just a matter of switching data center and cutting costs, but the truth is, designing software to be cloud native is a challenge. For example, when running applications on-premise, you might have made assumptions that inherently are less secure – for example, how log data is stored (on a non-encrypted disk? on the same server?) or how credentials are handled within the application (maybe they're hardcoded or placed in property files?). Consequently, going to the cloud requires deep skills in a development team. Everyone needs to be aware of how data is exposed, where it resides (is it in Europe, US, China?), if there are any legal requirements that need to be addressed. How is data stored at rest - encrypted or not? The questions are many.
But this doesn't mean that you should avoid the cloud. On the contrary, it means that you need to be aware of the challenges before doing so. A good practice could be to prepare your team / organization by reading books, attending conferences, etc. before "just" moving the software to Azure or AWS (or some other cloud vendor).
Regarding DevOps – I think this is a fantastic movement. All this freedom and flexibility. DevOps finally allows you to build great software and run it, but wait a minute... run your software in production, set up your infrastructure, account management... All this flexibility also brings an equal amount of responsibility! Commissioning / decommissioning servers, configuring networks, dealing with certificates, ... all of this requires profound knowledge and insights in security and how it should be done. This means that if you don't do this correctly, then you'll be in deep trouble. For example, when moving to the cloud and adopting the DevOps culture, you quickly realize how easy it is to set up a new environment. This all sounds great because now you have "infinite" number of test environments – but this is where the danger lies. What you get isn't infinite number of test environments, you get infinite number of production environments! Each environment in the cloud is equally potent as your production environment (the only difference is the data in your databases right?). So, if someone steals your access keys to a "test" environment, then they could fire up new server instances to mine bitcoins, perform DDoS attacks, etc.
So all in all, should you avoid the cloud and DevOps? No, definitely not. This is exactly as with all other things. You need to know what you're doing and do proper analysis before taking the step.
posted 1 week ago
Big thanks for giving great insight over my broad question.
Sounds like developers will be more integrated to several security aspects in the development - which I think is good.