Managing complexity and increasing security when going cloud-native

Over the past few years, there has been exponential growth in the adoption of cloud-native methodology for building apps. This trend is here to stay, as IDC predicts that by 2022, 90% of all new enterprise apps will be cloud-native. In its simplest form, cloud-native methodology means that the apps are built and run to take full advantage of cloud computing environments. It allows developers to ship code faster, respond to customer demands efficiently, and accelerate time to market.

Cloud-native methodology is not restricted to just enterprises. In fact, many startups and small and medium-sized businesses (SMBs) these days are born in the cloud and utilize the cloud-native methodology from the get-go. Unlike enterprises, they do not have to worry about legacy apps, lift and shift workloads, or refactoring apps for the cloud. This gives them a competitive edge and allows them to turn ideas into reality a lot faster.

No discussion about cloud-native apps is complete without talking about microservices, containers, and of course Kubernetes. Kubernetes was first released in 2014, and since then it has quickly become the de-facto standard for container orchestration.

Even though you can install and manage Kubernetes on the infrastructure of your choice, developers typically gravitate towards managed Kubernetes offerings as they reduce a lot of operational overhead. There are numerous managed Kubernetes offerings on the market, and they all tout similar features and benefits, making it difficult to decide which cloud provider and managed Kubernetes offering to use to build your cloud-native apps. However, choosing wisely saves a lot of time and effort down the line. This is especially important for startups and SMBs, as, unlike enterprises, they do not have unlimited resources, and would rather avoid the hassles of migrating apps from one cloud platform to another.

One important selection criterion is simplicity. Simplicity improves efficiency, reduces the learning curve for new developers on the team, and allows you to focus more on building cloud-native apps and less on managing the underlying infrastructure. Abstracting away complexities in configuration and operations often paves the way for better security practices. The surface area for vulnerabilities, misconfiguration and other flaws shrinks as complexity is removed.

Many prominent cloud providers cater to enterprises and have built comprehensive cloud platforms that suit the IT needs of big businesses with equally large budgets. They typically provide many features, each with its own settings, and you are often left wondering if you have set up things correctly. All this leads to complexity. As a startup or SMB, you should consider picking a cloud provider that is built on simplicity. This means all its products and features for building cloud-native apps (like managed Kubernetes offerings) are intuitive and secure. It is important to have a managed Kubernetes offering without too many bells and whistles so that you do not lose compatibility with the broader Kubernetes tools ecosystem.

You should also look at simplicity at scale. Most cloud providers make it easy to create a basic Kubernetes cluster, but things become very complex when you scale your apps. So as part of your evaluation, you should look into how things would be when your cloud-native app has numerous services, hundreds of thousands of containers, and Kubernetes clusters. Scaling security along with your app requires a similar thought process. Focus on compatibility, extensibility, and eliminating noise at the outset. Finding a cloud that provides thousands of security features and settings may be less important as you scale than finding the right third-party security components that keep things simple.

Pricing is another area to consider. Many providers offer a detailed price list that seems straightforward, but the pricing becomes very complicated once you scale your apps. Pricing also varies by data center, and it is very common to get unexpected bills from cloud providers. It is no surprise that the running joke in the industry is that you need a PhD to decode cloud computing bills. It is also not a surprise that security features often come at a premium, and it is not always easy to determine the value you are getting back from those features. Hence, you should choose a cloud provider that keeps pricing simple and predictable, and keeps it low even when you scale your apps.

Another aspect that gets overlooked when building cloud-native apps is security. There are the basics for choosing a cloud provider, like security certifications. SOC 2 Type II and Cloud Security Alliance (CSA) STAR certifications provide the greatest level of insight into a cloud provider’s security practices.

Once you are up and running, there are a few core principles to keep in mind. Set up additional users to avoid shared tokens; it is especially important to avoid sharing authentication for a Kubernetes superuser. Use the built-in Role-Based Access Control (RBAC) to manage user authorization and permissions, and do this not only for human users but for service accounts as well. Integrate security into your test and deploy suite to simplify how you surface flaws before they become vulnerabilities.
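One way to combine the RBAC and test-suite advice above is a CI step that audits RBAC manifests before they are deployed. This is an added example, not code from the article or from DigitalOcean; the manifests are constructed sample input (already parsed into dicts), and the function name `audit_rbac` and the finding labels are assumptions made for illustration.

```python
# Added example: RBAC manifest audit intended to run as a CI step.
# SAMPLE_MANIFESTS is constructed input, shaped like parsed Kubernetes YAML.
SAMPLE_MANIFESTS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
    {"kind": "Role", "metadata": {"name": "app-all", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "default-edit", "namespace": "shop"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "shop"}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "alice-reads-pods", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
]

def audit_rbac(manifests):
    """Return (object name, issue) pairs for over-broad RBAC definitions."""
    findings = []
    for doc in manifests:
        kind = doc.get("kind")
        name = doc.get("metadata", {}).get("name", "<unnamed>")
        if kind in ("Role", "ClusterRole"):
            # Wildcards grant every verb or resource, including future ones.
            for rule in doc.get("rules") or []:
                for field in ("verbs", "resources"):
                    if "*" in (rule.get(field) or []):
                        findings.append((name, f"wildcard-{field}"))
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            role = doc.get("roleRef", {}).get("name")
            for subj in doc.get("subjects") or []:
                skind, sname = subj.get("kind"), subj.get("name")
                # Superuser held by a token-bearing or shared identity.
                if role == "cluster-admin" and skind in ("ServiceAccount", "Group"):
                    findings.append((name, f"cluster-admin-to-{skind}:{sname}"))
                # "default" is used by every pod that names no service account.
                if skind == "ServiceAccount" and sname == "default":
                    findings.append((name, "binds-default-serviceaccount"))
    return findings

if __name__ == "__main__":
    results = audit_rbac(SAMPLE_MANIFESTS)
    for obj, issue in results:
        print(f"{obj}: {issue}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline
```
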

Building cloud-native apps is a lot of work. Minimizing complexity is a critical lever you can pull to reduce your operational overhead. Develop your apps on a cloud platform that is built on simplicity and accelerates your time to market.

By Tyler Healy, Vice President and Head of Security at DigitalOcean
