Companies have been steadily moving to a hybrid cloud infrastructure, but once your data moves beyond private architecture, you face potential attacks that legacy security measures can’t address. To learn how to best protect your enterprise and data, join GoDaddy’s VP of engineering and others at this VB Live event!
One of the most pressing cloud security concerns in 2019 is the additional responsibility being placed on development teams, says Demetrius Comes, VP of engineering at GoDaddy. With DevOps, teams have taken on additional operational responsibilities, and with zero trust networks, they have taken on additional security responsibilities as well.
“We have to ask if we’ve prepared our development teams for these extra responsibilities,” he says. “We’re asking them to not just understand how to build, deploy, and operate our software, but also how to secure our software. And we have to make sure we’ve prepped those teams for this rather large piece of responsibility that we’ve started to move back to them.”
As GoDaddy goes through its own migration to the public cloud, it has worked to build that responsibility in from the ground up, Comes says.
“We did this by taking a step back and saying, how do you build an environment that allows the teams to move fast — and get out of their way as much as possible — but still puts governance in place so we can catch teams coloring outside of the lines?” he explains. “At the same time, you don’t want to stop the business from being profitable. Otherwise you have nothing to protect.”
The first step was standardizing the company’s architectures and infrastructure for all its products and services. For example, they start from a template of their most common microservices architecture (usually an API gateway, or a load balancer to an API gateway, in front of some sort of containerized backend, in front of some sort of data store). In-house experts determine the most secure way to lay out that infrastructure and bless the template. Teams going out to the cloud then instance that template over and over again. Next, the second-most used architecture or infrastructure layout is templatized and secured in the same way, and so on.
After you get four or five of those, if a new team comes along and says they have a new way of doing things, you can start asking questions like, why? Do we really need to do that? Look at all the hours we’ve poured into this footprint.
“With the power of the public cloud, we can trust and verify,” Comes explains. “We can not only ensure that when we first allow those teams to go out that these infrastructures are secure, we can also verify that they haven’t strayed from that architecture.”
Training and awareness are also essential, he says, and GoDaddy handles that through the application services team within its CTO organization. It is essentially the cloud excellence team, he explains, with a dedicated charter for application security and application security awareness. That encompasses not only training, but also talking to teams and building automated tooling so that any time a team deploys software, a vulnerability scan is triggered automatically.
GoDaddy is itself very early in this process, but Comes believes that as they move forward in the public cloud realms, there’s going to be less and less infrastructure to attack, because everyone is going to start working off these templates.
“It really starts to say, we’ve had our best experts look at the infrastructure — there aren’t any holes there,” he says. “The only place to start to attack us is the actual application. So then we have to shift that awareness and that training to our developers so they can also write secure software.”
In the end, it’s about governance, Comes says. Companies develop policies that fit with government regulations, as well as what the company itself believes in. Those things get translated into standards, and best practices around those standards are implemented, and governed. But governing your software developers is a surprisingly tricky tightrope.
“Like anything else, you can apply enough governance to everything that you actually stifle creativity and stifle development,” he says. “To me it’s a balancing act.”
There are so many different ways of doing the same thing, he explains, and it’s dangerous to get to a point where the rules say, here’s the only EC2 instance you’re ever allowed to create, here’s the only EBS volume you’re ever allowed to create, they all must be encrypted, they all must have this characteristic.
“If you do that, you take the creativity and the reason why you pay your software engineers out of the equation, because you’re just saying everything is the same,” Comes says. “Everything is not the same. You have to have enough governance to keep yourself safe. You have to have enough ways to trust, but verify. You still have to poke at it and make sure they haven’t come up with a new way to get around your governance. But give them enough flexibility so they can actually be creative and solve the problems you’re asking them to solve.”
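The “trust and verify” step described above (checking that a team’s deployed infrastructure still matches the blessed gateway-to-backend-to-data-store template and a small set of safety rules such as volume encryption) can be expressed as a policy check. The following is an added illustration, not GoDaddy’s or Nutanix’s tooling; the inventory records, resource field names and the two teams are constructed for the example.

```python
"""Drift check of deployed resources against a 'blessed' infrastructure template.

Added example, not the tooling of any company named in the article. The
inventory format below is constructed; a real check would read a cloud API
export and map its fields onto the same small set of questions.
"""

# Constructed inventory: what two teams actually deployed.
DEPLOYED = {
    "team-a": [  # follows the template: gateway -> private backend -> encrypted store
        {"type": "api_gateway", "name": "gw"},
        {"type": "container_service", "name": "svc", "public": False, "ingress_from": ["gw"]},
        {"type": "ebs_volume", "name": "data", "encrypted": True},
    ],
    "team-b": [  # strayed: no gateway, backend exposed directly, unencrypted store
        {"type": "container_service", "name": "svc", "public": True, "ingress_from": []},
        {"type": "ebs_volume", "name": "data", "encrypted": False},
    ],
}


def check_team(resources):
    """Return a list of findings describing where a team strayed from the template.

    The rules are deliberately few ("enough governance to keep yourself safe"):
    topology must match the blessed layout and data at rest must be encrypted.
    """
    findings = []
    by_type = {}
    for res in resources:
        by_type.setdefault(res["type"], []).append(res)

    gateways = {gw["name"] for gw in by_type.get("api_gateway", [])}
    if not gateways:
        findings.append("no API gateway in front of the backend")
    for svc in by_type.get("container_service", []):
        if svc.get("public"):
            findings.append(f"backend {svc['name']} is directly reachable from the internet")
        if not set(svc.get("ingress_from", [])) & gateways:
            findings.append(f"backend {svc['name']} does not take ingress from a gateway")
    for vol in by_type.get("ebs_volume", []):
        if not vol.get("encrypted"):
            findings.append(f"volume {vol['name']} is not encrypted")
    return findings


def verify_all(deployed):
    """Map each team to its findings; an empty list means the team is still on-template."""
    return {team: check_team(res) for team, res in deployed.items()}


if __name__ == "__main__":
    for team, findings in verify_all(DEPLOYED).items():
        print(team, "OK" if not findings else findings)
```

Running such a check on every deploy, alongside the vulnerability scan the article mentions, is what turns the template from a one-time review into continuous verification.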
To learn more about the competitive advantages of moving to the cloud, how to keep your infrastructure secure at every stage, security best practices, real-world case studies, and more, don’t miss this VB Live event!
Don’t miss out!
- Why you need a single, fully tested, security-first infrastructure platform
- How to converge storage, computing, and networking
- A full understanding of security best practices
- How to protect against data breaches, unauthorized access, and other threats in a multi-cloud world
- Demetrius Comes, VP of Engineering, GoDaddy
- Niel Ashworth, Security Solutions Architect, Nutanix
- Mike Wronski, Principal Marketing Manager, Nutanix
- Dave Clark, Host, VentureBeat
Sponsored by Nutanix