Unlike many new economy players of the late 1990s, notable dotcom brands of today have staying power, not only due to more viable SaaS business models, but also due to their effective use of an increasingly mature set of cloud computing services. The likes of Uber, Airbnb, Dropbox, Netflix, and others have fundamentally changed how we get ourselves, and files, for that matter, from point A to point B and how we view content when we get there. These market leaders have disrupted established markets by not only recognizing that we, the consumer, want to do pretty much everything on our smartphones (including requesting a ride) but also, more importantly, by leveraging the agility of the cloud for continuous innovation and, thus, competitive advantage. It’s the speed of DevOps, and the old guard had better look out, unless the disrupters themselves get disrupted.
So, what’s the risk? How could these locomotives with massive valuations get derailed? As more assets move to the cloud, it’s arguably one-stop shopping for attackers seeking a treasure trove of data. These new new economy vendors share a stark reality with their more traditional competitors; they too are one breach away from a tarnished brand and a massively expensive incident response engagement. What, then, is so different about securing these environments?
At the end of the day, these cloud-native companies' infrastructures are still all servers and the data they create and access, right? Sure, but the make-up of these environments and the DevOps methodologies employed to manage them are different enough from on-premises data centers that a few things bear noting. Specifically, today’s new new economy data centers are:
- Based on transient resources
Despite these differences, what is absolutely the same between public cloud and on-prem infrastructures and deployment models is that good security hygiene starts with configuration management that treats security as just as important as speed. In the on-premises world we talk about gold images and ghosting machines. The cloud corollary includes configuration automation tools such as Chef and Puppet, which do the same job for the software-defined approach. In both cases, immutable security controls, including firewall configurations, monitoring tools, and data encryption, need to be baked in as part of the gold image.
While established vendors race to close the agility gap by moving some workloads to the cloud and consider private cloud platforms for others, the new new economy vendors, who have changed how we travel, purchase goods, and communicate, are already moving at the speed of DevOps and need to be sure speed doesn’t kill.