This blog, from the Cloud Strategy Unboxed series, looks at how we make cloud adoption scalable by ‘left-shifting’ responsibilities from specialized teams to application teams and developers: for example, allowing them to provision cloud infrastructure themselves, directly, while ensuring compliance through enforced limitations and automated checks.
On-premise risks are typically managed with assessments and checklists applied to each application and each following update before it can go to production. This works when deployment cadence is once every six months or so, but a scalable and productive cloud requires agility, with daily or even hourly deployments per application.
Such a pace is not achievable when comprehensive risk assessments need to be manually executed on each release. The assessments must be reduced in size for each application, and every effort should be made to automate the remaining checks without compromising security and the compliance posture of the organization or its applications.
The responsibility to secure systems hosted on-premise is borne entirely by the tenant application, which contrasts with hosting on cloud service providers, where the responsibility is shared and varies with the service offering (IaaS, PaaS and SaaS). This shared responsibility model allows many risks typically assessed per application on-premise to be left-shifted to the cloud provider. As a result, these risks can be managed via an audit occurring once or twice per year instead of being assessed for each application deployment.
Similarly, with a cloud platform managing the organization’s cloud environments, more risks can be left-shifted from the application scope to the platform scope. The controls that address platform-scope risks can often be fully automated using pre-approved infrastructure templates and controls. Platform risks are assessed when related services or associated parts of the platform are changed, instead of for each application deployment.
Left-shifting the risks means that only a small portion remains to be assessed for each individual application deployment, and many of those can again be automated through pre-approved infrastructure templates, golden machine images, and other strategies.
Ultimately, all this left-shifting and automation will significantly reduce the checklist of risks that developers must assess manually, reducing bottlenecks, increasing productivity, and speeding up deployments and time to market.
The trifecta of enablement
Cloud has fundamentally changed the underlying mechanics of how infrastructure can be provisioned, with a high degree of automation and a flattening of the number of specific actions and privileges required to create an application.
For example, provisioning a database on-premise requires highly privileged actions on behalf of teams such as storage and database admins. The cloud can create on-demand databases that include most of the supporting infrastructure, such as networking, compute, storage, monitoring, and high availability in a single action. Most importantly, these services can be provisioned using pre-approved infrastructure templates that configure the service according to cloud and organizational best practices and limit the changes that can be made to that configuration.
There are three impactful initiatives to consider when it comes to enabling developers.
1. Education: understanding cloud architecture and the new way of provisioning infrastructure.
2. Self-service capabilities: application onboarding and other aspects of development can be self-service in the cloud, avoiding a dependency on separate teams that provision DevOps tooling and application infrastructure.
3. Compliance automation: self-service needs to be regulated to ensure compliance. This is where pre-approved infrastructure templates and the automatic enforcement of compliance come in.
Education is more broadly addressed in the related article on education. Specifically for developers, training needs to start with cloud fluency and steadily work towards more specialist roles.
Typically, the largest gap that needs to be addressed is that developers will be responsible for provisioning their own cloud infrastructure. This requires training in infrastructure as code, cloud architecture best practices, and similar topics.
Some courses will be general and can be found on third-party platforms such as Udemy. Other courses must be created specifically for the organization and its strategy, processes, cloud platform, and pre-approved infrastructure templates.
Education needs to be supported with incentives, such as bonus-linked KPIs, and it should be integrated into a career framework providing a clear path for promotion when defined cloud targets are met.
Self-service capabilities are a significant shift from on-premise practices, where developers might have to go through infrastructure, security and operations teams to deploy applications.
Self-service capabilities start with a self-service portal. This portal facilitates project onboarding and the automatic creation of repos and pipelines. While the workflow to do so can include an approval step, it still drastically reduces the amount of manual work typically needed to achieve this.
As part of onboarding, the use of personal data and other sensitive data sets can be registered and tracked, and the portal can offer dashboards to monitor deployments and operations.
With this self-service portal in place, developers do not interact directly with the deployment pipeline. They onboard their application through the portal, which creates the repo and a pre-defined pipeline for their application. The developers then commit their infrastructure templates and application code to the repo, which automatically passes them to the deployment pipeline. The changes appear in the appropriate environment shortly after if they pass all controls.
Controls and pre-approved infrastructure templates are key elements in compliance automation. This topic is covered in more detail in the platform article. To summarize, controls are the automated enforcement of cloud policies. Controls can sit in the cloud account and in the deployment pipeline, rejecting deployments that are not compliant.
Pre-approved infrastructure templates can be used by developers to quickly configure a particular architecture design, reducing the need to reinvent the wheel for every similar application. The templates offer a degree of configuration that cannot go outside of the approved boundaries. In short, developers can modify the templates for their applications but are unable to change them to a state of non-compliance. Templates are also a great way to teach cloud architecture, as the Cloud Centre of Excellence creates them according to all relevant cloud and organizational best practices.
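An added example (not code from the original article or from any particular cloud platform) of how a pipeline control can combine the two ideas above: a pre-approved template that locks the settings the platform team owns and exposes only a bounded set of tunable parameters, plus an independent policy re-check on the rendered configuration. The template, its keys and the storage-bucket policy are constructed for illustration.

```python
"""Pipeline control that validates developer overrides of a pre-approved
template. Constructed, hypothetical example; not a real cloud provider's API."""
import copy

# Constructed pre-approved template for an object-storage bucket.
# "locked" settings are fixed by the platform team; "tunable" lists the
# parameters developers may change and the values they may choose.
APPROVED_STORAGE_TEMPLATE = {
    "resource": "storage_bucket",
    "locked": {"encryption": "aes256", "public_access": False, "logging": True},
    "tunable": {
        "retention_days": {"min": 30, "max": 3650},
        "tier": {"allowed": ["standard", "cool"]},
    },
    "defaults": {"retention_days": 90, "tier": "standard"},
}


def render(template, overrides):
    """Merge developer overrides into the template; return (config, violations)."""
    violations = []
    config = copy.deepcopy(template["locked"])
    config.update(template["defaults"])
    for key, value in overrides.items():
        if key in template["locked"]:
            violations.append(f"{key}: locked by the platform, cannot be overridden")
            continue
        rule = template["tunable"].get(key)
        if rule is None:
            violations.append(f"{key}: not a tunable parameter")
            continue
        if "allowed" in rule and value not in rule["allowed"]:
            violations.append(f"{key}: {value!r} not in {rule['allowed']}")
            continue
        if "min" in rule and not (rule["min"] <= value <= rule["max"]):
            violations.append(f"{key}: {value} outside {rule['min']}..{rule['max']}")
            continue
        config[key] = value
    return config, violations


def pipeline_control(template, overrides):
    """Control step: returns (deploy_ok, rendered_config, reasons)."""
    config, violations = render(template, overrides)
    # Second line of defence: re-check policy on the rendered result,
    # independent of how the template merge was implemented.
    if config.get("public_access") is not False:
        violations.append("policy: public access must be disabled")
    if config.get("encryption") != "aes256":
        violations.append("policy: encryption must be aes256")
    return (not violations), config, violations
```

The same `pipeline_control` check can run as an account-level control on the deployed resource's final configuration, so a non-compliant change is rejected whether it comes through the pipeline or not.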
Cloud adoption can be made more scalable by shifting responsibilities from specialized teams to application teams and developers. While left-shifting can bring risks, many can be mitigated through the cloud provider’s scope of responsibility and platform-level controls. The three key initiatives that enable developers in this process are education, self-service capabilities, and compliance automation. Developers need to be trained in infrastructure as code and cloud architecture best practices. A self-service portal and controls reduce manual work and automate compliance enforcement. With these initiatives, cloud adoption can increase productivity and deploy application changes faster and more frequently while still maintaining compliance and security.