Organizations in the tech industry are feeling tremendous pressure to modernize due to the following factors:
I believe that the modernization of applications is essential for a digital transformation.
What is one of the biggest barriers to public or private cloud transformation efforts? You guessed it: security, compliance and privacy (on top of an organization's resistance to change, cost, skill-set gaps, etc.). Application modernization accelerates your understanding of your security exposures, and helps mitigate them, in the following ways:
How can you help your organization accelerate through roadblocks to resolution?
In my experience leading my company's application services, I've seen how the digital transformation of applications revolves around these four pillars:
This assumes you have already defined the unique market differentiators, business architectures and capabilities for your modernization journey (typically using the TOGAF EA framework). All four pillars only work if they are secure by design, so a couple of hard security questions you need to answer are: What are the top threats to public and/or private cloud computing? How will we protect networks and data in the era of GDPR?
The following is a framework, or process blueprint, that attempts to answer those hard questions.
Step 1: Leverage DevSecOps for applications.
IT security and DevOps are converging to empower teams to deliver secure-by-design apps, forming a DevSecOps practice that builds security into every phase of the software lifecycle. A DevSecOps framework improves app security and reduces cybersecurity risk and cost while accelerating applications' time-to-value.
Establish three pillars for your DevSecOps framework (refer to my previous Forbes Councils article for guidance on creating the operating model aligned to business priorities):
Establish a holistic, end-to-end automation framework that deploys applications securely, with automated code-quality and security checks in the pipeline so vulnerabilities are caught before release rather than in production. For example, add continuous security validation with both static and dynamic application security testing (SAST and DAST, e.g., Veracode or WhiteHat), and add continuous monitoring of your app stack and pipeline (e.g., Dynatrace or AppDynamics) that discovers components automatically to close blind spots.
Step 2: Leverage Cloud Security Alliance (CSA) resources to jump-start risk assessment.
Leverage the following artifacts to jump-start assessing the overall security risk of a cloud provider after you establish a DevSecOps practice:
Step 3: Adopt emerging container technology to enable DevSecOps and migrate your legacy app workloads to a public/private cloud platform securely.
Emerging infrastructure is driving the rapid growth of containers and container orchestration platforms (Kubernetes) as a part of DevSecOps. According to Gartner, 75% of enterprises will run apps in containers by 2022, versus 30% of companies today. I recommend adopting Kubernetes to enable DevSecOps, making sure the platform's built-in security features are actually implemented (Kubernetes Secrets, secure registries, etc.) and that workloads run with minimum privileges to reduce the attack surface. One caveat: Kubernetes Secrets are only base64-encoded in etcd unless you enable encryption at rest, and they are readable by anyone with RBAC permission to get or list secrets in the namespace, so treat "using Secrets" as the start of secrets management, not the end of it:
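As an added example (not from the original article), the following Pod manifest shows what "minimum privileges" looks like in practice on Kubernetes: a non-root user, no privilege escalation, a read-only root filesystem, all Linux capabilities dropped, the default seccomp profile, no auto-mounted service-account token, a pinned image from a private registry, and the database password injected from a Kubernetes Secret instead of being baked into the image. The namespace, image, registry, secret and credential names are illustrative assumptions.

```yaml
# Added example, not the article's own manifest. Names below are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: legacy-app
  namespace: apps
spec:
  # The app never calls the Kubernetes API, so do not hand it a token.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  # Pull from a private registry with registry credentials stored as a Secret.
  imagePullSecrets:
  - name: registry-creds
  containers:
  - name: app
    # Prefer pinning by digest (image@sha256:...) so the artifact your pipeline
    # scanned is exactly what runs; a tag is used here for readability.
    image: registry.example.com/apps/legacy-app:1.4.2
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: legacy-app-db   # Secret created separately, never committed to git
          key: password
    volumeMounts:
    - name: tmp
      mountPath: /tmp          # the only writable path the app gets
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
  volumes:
  - name: tmp
    emptyDir: {}
```

Apply it with `kubectl apply -f legacy-app.yaml`; if the image insists on running as root, the kubelet refuses to start the container because of `runAsNonRoot: true`, which is the failure you want in a pipeline rather than in production. Pair the manifest with a Pod Security admission policy (or an equivalent admission controller) so these settings are enforced cluster-wide instead of relying on every team to copy them, and enable etcd encryption at rest before depending on Secrets for anything sensitive.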
So, with the above framework and process blueprint, let's champion "secure by design" for organizations to jump-start digital trust ecosystems and increase speed to market. Let's empower all the stakeholders (business decision-makers, security, app dev) with actionable metrics (mean time to resolve, time to deploy, cycle time) to better understand the present state of security and compliance risk, and to drastically improve the organization's performance by accelerating application modernization.
This blog post was originally published on Forbes.com.