While the complexity of the infrastructure that DevOps and engineers need to access can be dizzying, hard to manage, and fluid, the right remote access solution can address their unique needs. Join 451 Research and Banyan Security for an engaging discussion on this topic.
Malik:
Hello everyone. This is Malik. And on behalf of Banyan Security and 451 Research, which is now part of S&P Global Market Intelligence, I would like to welcome you all and say thank you for attending today’s virtual roundtable titled Boosting DevOps Productivity With Zero Trust Access. Just a few quick housekeeping items before we get started, to ask a question, simply type it in the question box on your screen and we will get to as many as we can during the Q&A session. The presentation slides are available for download in the resource section in the console. And finally, the on-demand version of this event will be available after the live event concludes. Leading off today’s discussion will be Fernando Montenegro, who is principal research analyst at 451 Research. Joining Fernando, is Tarun Desikan, who is COO and co-founder at Banyan security. You can learn more about Fernando and Tarun by checking out their bios on your screen. And with that, I’ll turn it over to Fernando to kick off this session.
Fernando Montenegro:
Hello everyone. Fernando Montenegro here. I just want to double check. Can people see the slides on the presentation or it is just me that they’re seeing? Okay.
Tarun Desikan:
It is just you right now, Fernando.
Fernando Montenegro:
Okay. Malik, can we make sure that the audience can see the slides?
Malik:
Yes. Fernando, they can see both the windows.
Fernando Montenegro:
Okay, perfect. Thank you. So again, hello everyone. So Fernando Montenegro, I’m an analyst at 451 Research, now part of S&P. It’s a pleasure to be here and be talking to you. The way that we structure this content we’re going to talk about, as it says, Boosting DevOps With Secure Access. And one of the topics that the contribution I want to bring to this is what are we seeing in terms of trends in cloud transformation, in DevOps, and in security for DevOps that I think are relevant for this audience? Now, one of the things that we always want to position is, how are we doing what we’re doing? And I want to talk a little bit about our methodology. What we do, I like to present lots of data and then help you as an audience organize where that data fits into where you are on your journey for that.
Fernando Montenegro:
And the data comes from two major sources. On one hand, we have the hundreds of thousands of hours of briefings that we have with end user organizations, with vendors, with finance professionals and many others, right? And trying to understand the trends on the market. On the other, we have the 451 Voice of the Enterprise survey program. Some of you in the audience may actually be part of it. And for that, thank you. Which is a regular survey program that runs on a cadence, where we ask IT and security practitioners questions related to different areas that they may be interested in. So, one quarter we may ask questions about their budget for next year. Then the next quarter we ask them, “Okay, what kind of projects are you planning to run this year?”
Fernando Montenegro:
After that we’ll ask, “How is your organization structured and how are you doing things?” And then at the tail end, then the last one would be, “How you’ve done an implementation. What’s happening with your vendors? How do you feel about that?” And so on. And then we go to budgets for next year. And what I think is interesting and relevant here is that a lot of the content is not only from our security surveys, but also from our broader cloud transformation and DevOps service. With that in mind, I just want to position the agenda. So what we’ll do is we’ll talk briefly on… I like to do this at a high level. What are we seeing in terms of cloud enterprise adoption trends? Which then affect to a large extent, what we see on DevOps technology trends and then DevOps security.
Fernando Montenegro:
And then we can have a conversation along the way. And Tarun and I will be going back and forth on a couple of topics within each of those sections. Without further ado, let me get started with the high level cloud enterprise trends. Sorry. Now, what we’re seeing here is, again, lots of survey data, lots of slides for us to go through. We ask general IT practitioners, “How are you going to modernize your applications?” Many of us are involved in digital transformation and modernization efforts and so on. So one of the questions we ask is, “How is that modernization taking place?” And the way to interpret this is we’ve asked them questions over the years. And what’s really interesting here is a couple of things. First of all, when we ask people, the proportion of people who say that they are modernizing their application by doing a lift and shift to cloud is actually relatively small, right?
Fernando Montenegro:
What we see happening much more prevalently is two things. On one hand, there’s a significant proportion of people who say, “We are modernizing in place. We are rearchitecting often with cloud native technology concepts, but we’re keeping it on-premises,” right? And then others are saying that we are refactoring and shifting. We’re taking that application, refactoring it and shipping it off to cloud. What’s interesting here is that this of course is high level survey data. Sometimes it’ll vary by organization, within the organization. Some product lines may go one direction, other types of workloads may stay the other. But the key point here is we’re seeing this… It’s not, “Hey, we’re staying on-premises.” It’s not, “There is a mad journey to the cloud.”
Fernando Montenegro:
That being said, there is a journey to the cloud. And what does that journey to the cloud look like? Well, many people have referred to multi-cloud as a thing. Is multi-cloud a thing? Yes, multi-cloud is a thing. And what we’re seeing here is we ask practitioners how many cloud providers they use. And this is the focus of infrastructure as a service, primarily. As you can see in the survey data, the number of respondents who indicate that they have two or more is actually on aggregate approximately 75%. There is one interesting dynamic I like to call out here, which is multi-cloud is usually an emergent property of an organization. It’s not something that within each individual project you are going to choose a multi-cloud approach where your application is going to run simultaneously on provider one and provider two. But it’s much more along the lines of within the organization, one line of business may choose one cloud provider for something, another line of business is going to choose another.
Fernando Montenegro:
This is relevant because security teams are usually more centralized. And by being more centralized, their reality is much more present. And a multi-cloud is much more multi-cloud than the reality of what we see, than the reality of each individual project. So cloud security or multi-cloud as an emergent property of an organization. So what I want to take you from this section is, first of all, these modernization efforts are going all the time and we are seeing this combination of, “Hey, we’re doing this on premises and we’re doing this on cloud.” Very common. We are seeing adoption of cloud native technologies. That’s an important thing. The other thing is people are choosing where to best execute them. We don’t have time to go over too much detail, but there’s different nuances about why they choose on cloud versus why they choose on-premises.
Fernando Montenegro:
And that, as I mentioned earlier, centralized teams, security being one, are heavily affected by the need to support these multiple environments. If you have to maintain whether it’s remote access, whether it’s monitoring, whether it’s configuration. Compliance, et cetera. You end up having to support multiple environments. Tying to the topic of our webinar here, it’s really interesting because if you can simplify access to these environments, which is one of the premises behind Zero Trust. I think it’s a key aspect to consider on some of these topics. And Tarun, you had some content you wanted to talk about this as well. I assume that you see something very similar in your environments. Can you walk us through some of that?
Tarun Desikan:
Yeah, absolutely. Thank you, Fernando. Hi everyone. My name is Tarun Desikan. I’m one of the co-founders and COO at Banyan Security. We are a provider of Zero Trust remote access solutions specifically for data center and multi-cloud environments. So I’m going to walk through a customer scenario that highlights some of the points that Fernando just covered. Many, many, many companies are performing this migration, moving away from traditional environments to modern infrastructure as a service environments. And this customer, it’s a Banyan customer. It’s a large Fortune 500 technology company with a global workforce. Employees that are distributed around different countries, thousands and thousands of users and devices, and large software engineering teams, large DevOps teams, significant investments in both infrastructure and software development tooling. And what we found was that as they started their migration to a hybrid and multi-cloud future, they were moving thousands and thousands of applications. And they were moving away from a traditional VMware based data center environment to a more hybrid environment that spans not just VMware, but also Azure.
Tarun Desikan:
And one of the key challenges companies face as they migrate into these data center and multi-cloud scenarios is it actually ends up being a productivity challenge. So when you have a global workforce, there are these hard scenarios where the VPN concentrators were based in the US and you have your workers in, say, Germany accessing cloud infrastructure that is now, say, AWS in the EU. And they would have to trombone all the way across the Atlantic into the concentrator in the US, and then back out. And so these various traditional network backhauling architectures ended up slowing cloud access significantly. And secondly, a lot of the traditional security mechanisms were based on IP whitelisting. And anyone who’s in the DevOps frame knows that IP whitelisting is very hard to manage, is very slow to actually operationalize. And that was also hampering productivity. So productivity becomes really key as these migrations go forward and as DevOps teams start using cloud environments.
Tarun Desikan:
The second part of the challenge customers face in these environments is the concept of multi-cloud that Fernando mentioned. It wasn’t just one cloud they were migrating to. They were migrating into multiple clouds. And not only that, developers were just using their credit cards to spin up new accounts, to try stuff. The business was encouraging them to move quickly, so they were spinning up new services all the time. But the challenge with that is now you have many different accounts instantiated differently, and each cloud has slightly different network security concepts. It becomes a real security nightmare. So as you think about Zero Trust, and as we think about simplifying access to multi-cloud environments, it’s kind of really important to recognize, as in the Wizard of Oz, we’re not in Kansas anymore, the world has changed.
Tarun Desikan:
We have to keep in mind automation for DevOps teams. So tools like Terraform, and CloudFormation, and Python SDKs have become a really core requirement to enabling Zero Trust access. You need capabilities in your Zero Trust platform to auto-discover resources and provide a catalog of, “Hey, these are the services that are running in these environments,” for easy use. And finally, of course, security policies need to be enforced, and you can’t do that on IP addresses anymore. In these multi-cloud environments, you have to base it on user and device trust, essentially. So those are some of the learnings we have encountered in the field working with large customers. And I’m curious, Fernando, if you have seen similar concepts in your interviews as well.
Fernando Montenegro:
Yeah, no. We definitely see the complexity of distributing that access across multiple environments. It becomes an issue because in many of the conversations we have, people are indicating just how long those digital transformation projects may be. Even if you think you’re completely migrating to one, you end up with this hybrid temporary environment for a very, very long time. Right? And in some cases forever. Sometimes even with the cloud infrastructure, it is still backhauling some internal traffic back and you have to address that as well. So, but yeah, absolutely. We are right there with you in terms of seeing many of those same things. I wanted to move us to a different point. So we talked about the high level architecture.
Fernando Montenegro:
Let’s talk a little bit about DevOps trends themselves, right? Yes, multi-cloud, on-premises, hybrid environments, what have you. What’s happening on DevOps? And this is a very interesting data point because it illuminates some of those changes, right? Here we ask DevOps practitioners, we were not talking specifically about security or IT, we’re talking DevOps practitioners, and we ask them, “Where are you executing your DevOps projects for some definition of DevOps? Where are you executing them now? And where do you expect them to be in two years?” So this data is from 2021. So it’s relatively fresh, right? And you can see here that the majority, I shouldn’t say the majority, but there’s a high proportion of people who indicate that they were doing a private cloud on-premises. Remember those modernized, on-premises I was talking about? Well, here it is. Right?
Fernando Montenegro:
So some people are doing that on-premises and they’re modernizing on-premises. Well, they’re deploying DevOps on-premises. And so you can see that 23%, for example, indicate that they’re doing this now, but when we ask them, “Where do you expect to be in two years?” The most significant venues for execution, that number drops to 15%, right? When we ask people about on-premises, non-cloud, you see it dropping from 19 to nine. Comparatively, we see people indicating significant growth in IaaS and PaaS, 14% now, up to 22% in the future. Now there’s always an element of people who are a little more optimistic in their deployment, but we like to see trends. There’s a famous quote by a statistician that I like, George Box. He says that, “All models are wrong, but some are useful.” I use that line all the time. It’s not-
Tarun Desikan:
The act of modeling is useful.
Fernando Montenegro:
What’s that?
Tarun Desikan:
The act of modeling is very useful as well.
Fernando Montenegro:
Yes, Dwight Eisenhower, “The plan may be worthless, but the planning is essential.” Right? But in this case here, we’re seeing this shift towards public, right? Which I think is something for you to keep in mind as you’re going through your own processes. Moving on. Okay. So what technologies are you deploying? And this slide looks a little bit dizzying. I’ll walk you through it very briefly. What we did here is we asked practitioners, specifically, we asked specialists, we didn’t ask just senior IT management. We asked more technical staff who are more involved hands on with these technologies. So we’ll have a better sense of where they are in terms of implementation. We asked them about Containers, Kubernetes, serverless technologies, and service meshes.
Fernando Montenegro:
And you can see the data. So for example, in 2019, 23% of respondents indicated full adoption of Containers, sorry, with 23% indicating some adoption. That combination grew to nearly 70% in 2021. What I wanted to call out on this chart is that I think that the main visual point of this chart is that specifically when it comes to technology adoption, we definitely see Container adoption kind of leading Kubernetes, serverless and service mesh. And there’s a lot of nuance we can go into, what are they using serverless for? What are we using containers for? And so on. But the general point I want you to take from this is that Container technology is the one that’s further ahead, if you will, in terms of perception of deployment out in the field. So that’s one point. So when we are talking about containers, we also ask people where they are executing those containers.
Fernando Montenegro:
And it’s interesting, the blue data point is a multi-select, but the yellow one is a single select. They had to choose, right? So it’s still interesting to see that 43% of people, for example, indicate that they’re still primarily running those containers in private cloud, right? Now, just to move on to one topic, to wrap up this section with one topic on DevOps technology, if you will, we have an interesting data point, which is, we ask practitioners where they are executing their Kubernetes environments, right? And the way to read this is that 71% of respondents indicate that they use Kubernetes on public cloud, 58% of respondents indicate they use a commercial version or distribution. Those would be the likes of OpenShift, or VMware Tanzu, or Rancher, or different distributions, right?
Fernando Montenegro:
Whereas only 33% indicate that they run straight up vanilla Kubernetes. Which leads us to conclude that at least from the data we are seeing, managing some of this infrastructure, at least for these practitioners, they are looking at it as a toil, right? And toil is a word that’s often used in the context of DevOps. You want to reduce toil, right? So there. It seems that there is this perception of, “Hey, listen, I’m going to be running this on the public cloud. I’m going to be running this… If I am running this not on the public cloud service, I am going to use a commercial distribution.” The only slight nuance I wanted to add here is when we break it down by larger companies versus smaller companies, by employee size, smaller companies tend to give slightly more of an edge to free open source.
Fernando Montenegro:
It’s within the margin of error, right? They also seem to indicate that they are seeing it as toil; the 64% on the commercial distribution is interesting as well. Now, just to wrap up the couple of key points on this session, I’ve shown you data. We’ve shown data that DevOps environments will be diverse. We’ve seen data that there is broad adoption of Container technology specifically, but with others coming up right behind it. Kubernetes environments, we saw that there are different execution venues for those. And those are very popular. But again, one of the things we talk about is we often see customers are not necessarily deploying a small number of very large Kubernetes clusters. People seem to be favoring lots of smaller Kubernetes clusters. It’s almost as if from a security perspective, the trust boundary is the Kubernetes cluster, not so much a namespace. Which means that you’re going to have multiple little clusters.
Fernando Montenegro:
And in line with the topic for the session, how you do remote access to those multiple different environments becomes an issue, right? Now, as Tarun and I were discussing, there is some interesting data that they have on adopting remote access to DevOps use cases. Tarun, you want to take over?
Tarun Desikan:
Yeah. I just want to add one thing in your section, Fernando, which is, the cloud providers are playing a very important part in pushing Kubernetes environments. So specifically Google Cloud, Amazon cloud, Azure cloud, they’ve made it really easy to consume Kubernetes. And I think that’s why you’re seeing people spinning up many, many Kubernetes clusters because it’s so easy. You just click a button and you get a Kubernetes cluster as opposed to creating namespaces within a Kubernetes cluster.
Fernando Montenegro:
Yep. Yep. I agree that the challenge we see for people is that sometimes they turn on those Kubernetes clusters and they forget to turn them off and they’re going to have to deal with that at the end. But that’s a different conversation.
Tarun Desikan:
Yes. And so just building on that, we see this trend not just in provisioning Kubernetes clusters, but also in securing these cloud native and Kubernetes environments. So in this customer vignette, this is a public real estate company. So it is a technology company. They have fast growing, fast moving DevOps teams that are serving thousands of developers, many, many, many teams. And they’re what you call a cloud first company. So unlike the previous vignette, which was more a traditional company that was kind of migrating to the cloud, this company just grew up in the cloud. Specifically, they grew up in Amazon Web Services. And because they grew up in the cloud, they’re used to moving very, very, very fast. So we are talking about not just developers with a credit card spinning up an instance, but developers with a credit card spinning up an instance and seeking it and putting it into production all the way through.
Tarun Desikan:
But one of the things that happens when you move so fast is that sometimes you take on some bad practices as well. So, for example, many times S3 buckets will be placed on the internet. Many times that developer project that went to production, the developer quits, and nobody knows how it’s actually set up. So one of the biggest challenges in these kind of cloud native and Kubernetes environments from a Zero Trust perspective is to create a security baseline. What is out there? Who is accessing those resources? Which of them are high risk? Which of them are placed on the internet? That becomes a genuine challenge in cloud native and Kubernetes setups. The second part of the challenge is by definition, DevOps in cloud native is actually an ecosystem story. So Kubernetes is just one tool. But around Kubernetes, there’s a whole ecosystem of a lot of productivity software that makes Kubernetes so powerful.
Tarun Desikan:
So, for example, you might use Helm Charts to manage your applications. You might use GitHub and GitLab to set up CI/CD processes. You might use a tool like Lens to give a graphical interface into your clusters. So all of these tools in the ecosystem require integrations. And then what happens is the traditional network based approaches, which is, let’s open up IP addresses, let’s whitelist, let’s peer two networks. They just don’t work. You have too many clusters and too dissimilar setups for that to be really scalable. So what you need instead is more of what we propose, which is a Zero Trust approach and tooling today. And it’s not just Banyan, other vendors are also capable of similar tooling. They have native support for these cloud native and Kubernetes environments. So native support for Kubernetes API access, native support for SSH access, and so on.
Tarun Desikan:
And not only that, but native support is coupled with a great developer DevOps user experience so they can access their clusters, just the clusters that they have least-privilege access to, with a single click. So you can use modern techniques such as API keys and short-lived credentials, instead of relying on your traditional VPN, IP whitelisting systems. And so that’s one way we see customers who are adopting cloud native and Kubernetes also using a Zero Trust security posture.
Fernando Montenegro:
Yeah. And I would add that at least from conversations we have, and I’m not sure if everything is similar, a lot of the time the concern that people have about securing these environments is that the flaw is that something was left exposed, and that’s not something you readily make available via an IP whitelist, right? It’s not clearly visible there, right? And so, yes. Narrowing how we’re going to access these resources is really interesting. Anyway, so Tarun and I can talk about this for days if need be, right? So I wanted to move us on. So we talked about cloud technologies, we talked about DevOps technologies. I wanted to touch a little bit on security, right? I mean, DevOps security specifically. And the point that I wanted to raise is, first of all, we conduct surveys, and this particular survey was with DevOps practitioners, right?
Fernando Montenegro:
So it was more of, “In general, how are you deploying DevOps in your organization?” And one of the really interesting things here is we gave them options. And as you can see from the slide, these developers, these program managers, when you ask them, “What’s important for you?” Security is coming as the number one topic. Now, those were the backgrounds in the statistics. We may quibble about whether that’s within the margin of error and I’ll grant you that, but it’s undeniable that there is an understanding from those DevOps practitioners that security is important. That security is a key objective for that DevOps initiative, right? So that’s looking at it from the beginning, right? They want to achieve security as part of their DevOps efforts.
Fernando Montenegro:
Are they getting there? The answer is no, or at least not quite. When we ask people, “What are the biggest hurdles for your adoption of cloud native technology?” Now, here we are asking people, “You are going on, you’re implementing your processes, and you’re having issues. What’s the common roadblock?” Right? And you can see security there at 54%. That’s the highest I’ve seen so far. And we do keep longitudinal data on this. And it’s well outside the margin of error, right? So security here is absolutely acknowledged as a major concern. Wait, aren’t we supposed to be collaborating on this? Isn’t this the point of DevSecOps, and so on, and so forth? Yes it is. But are we doing that right? The answer is, “Not quite.” Right? And the data that we have here, again, we’re asking DevOps practitioners, is, “Okay. How do the security teams and the DevOps teams collaborate to achieve your DevSecOps objectives?”
Fernando Montenegro:
And approximately 43% of respondents indicate that, “Yes, the security team and the DevOps teams closely collaborate to integrate DevSecOps requirements.” Great. I can argue that 57% say they don’t actively collaborate, and that’s a problem to be solved. You can see the numbers here, but what I found particularly interesting is that when you ask, the answers go down, you can see here. But then we take the same question and refract it and we split it by the level of the respondent who responded to that survey. And a couple of very interesting data points are the things that pop up. One of them is that those who indicate that they are senior managers, right? Those who self identify as senior managers indicate this level of cooperation, it’s 49%. Well above the 43, right? What’s going on here? Right? And on the flip side, those who indicate that they are staff or management, when you ask them about DevSecOps, they primarily indicate that it’s a responsibility for the, quote unquote, DevOps team. And we don’t need to get into the discussion of whether DevOps is a team versus a practice, let’s not go there.
Fernando Montenegro:
But what we are seeing here is that there is a disconnect between what senior managers think is happening and what the team implementing it thinks is happening. And that’s a potential problem, right? Now, I don’t want to leave us just talking about the negative. I think that there are very positive things happening. One of them is this. Now, the way to interpret this chart, and I’ll walk you through it just briefly, is security. We ask practitioners, what percentage of your DevOps workloads include security? Right? And then you can see at the bottom here, less than 10%. So 10, 20, 30, 40, all the way up to a hundred percent. And what you’re seeing here highlighted, this curve, this dark blue curve, is almost an approximation of a distribution curve, right? In that back in 2019, when we asked this question, you can see that a very big bump towards the 10 to 30% range, right?
Fernando Montenegro:
When you ask the same question in 2020, that big bump is closer, is now in the 50 to 70 range. And when we ask this question in early 2021, that same big bump is now a little bit smaller, right? But it’s now shifting towards that 70 to 80%. I’m looking at this from a positive perspective that people acknowledge that they have to deploy more security on their processes, and they’re working to do so, right? Why I think this is important is, at least security practitioners have often had to deal with the perception that, “Oh, no. Developers don’t care about security.” No, they do, right? And here is living proof that they are adding more security controls to the processes that they’re developing. This is a good thing.
Fernando Montenegro:
Now, just so we don’t get too far ahead of ourselves. The other data point that I wanted to share on this section is they do want to own security, but they don’t want to own all of security or all of networking, right? It’s not about just shifting left to developers and not worrying about it yourself as an operations or security team. When we ask them what kind of functions DevOps practitioners think that the network team should own and manage, 52% of them indicate that the security part is really something that they are expecting the network team to handle. Again, inside the margin of error for a couple of these other areas, but I thought it was interesting that it came as a top choice.
Fernando Montenegro:
So, just to summarize what we saw on this section, right? Security was listed as a number one topic of concern both from a tactical perspective in terms of, “Hey, it’s what’s blocking us.” But also as a strategic one, it’s a top strategic objective for our DevOps initiative. Then we also see that there is evidence of gaps into how security and DevOps teams are talking together. And in our experience that’s a potential problem because you may expect that a level of support is going to be there for something you need then, “Hey, we already have it.” “Oh, no, no, no, we don’t.” Right? That’s always a stressful conversation to be had.
Fernando Montenegro:
And then the developers are okay to own some of the security elements, but not all of them. And then pointing here that they don’t want to be bothered with simplifying, oh, sorry. They don’t want to be bothered with solving the remote access. They don’t want to be bothered with having to connect through unwieldy approaches so they can get their work done, right? And again, in the context of this conversation, a Zero Trust discussion is something that I think is absolutely worth having. I’m sorry, I’ve pontificated on this long enough, right?
Tarun Desikan:
But maybe before I jump in, what do you see as some of the biggest complaints in terms of securing DevOps? To just answer one of the audience Q&A before I take over.
Fernando Montenegro:
Well, I think that one of the biggest things that we hear in terms of complaints are quotes. I remember vividly when we still could meet in person, I led a conversation with a round of developers, DevOps practitioners, about that topic, security, right? “What’s wrong? Or how do we get security working better together?” And one developer for a very large organization, they raised their hand, and they said, “I don’t even know who my security people are. Security is an email alias that I send stuff to and stuff just goes in there. I don’t know what happens after.” So I think that they would definitely fall in that 57% that I showed earlier. So I think there’s a lot of opportunity here for teams to work better together. And simplifying, quote unquote, the toil, right? I mean, what’s the stuff that can be easily resolved for them to work together? Right? So I think that would be a-
Tarun Desikan:
I feel like.
Fernando Montenegro:
Yeah.
Tarun Desikan:
The most common complaint we hear is that security slows the DevOps people down. Is that, “If you didn’t have us do these five or six things, the product would be live. The business would be making money. We would have many benefits if you just didn’t slow us down.” And that ends up being one of the hardest things for security teams to counter. How can you put security in place without slowing the teams around you down?
Fernando Montenegro:
And I agree. Here’s where I’ll push back a little bit on some of the conversation. So we talked to DevOps and to security, right? One of the pushbacks we hear is that, “Yes, we want to put security in, but it’s too slow.” In some cases it’s too unwieldy. On the flip side is, when something bad happens, if you don’t have some level of accountability back to the developers, not just for the quality of the code that they write, but actually for the security of their environment, then it’s a free-for-all. And that’s not viable either, right? So there’s this back and forth we have to have. It’s a fantastic topic, right? But we have to bring these teams working together in terms of, “Give me the technology that I need to do my job faster, but at the same time, I understand that I have responsibilities that I have to follow.”
Fernando Montenegro:
And again, we saw on the survey, people want to do that, right? If there’s one message I see on a lot of these surveys that I want to get to our audience is I think that the time when developers didn’t care is long gone, right?
Tarun Desikan:
Right.
Fernando Montenegro:
But that doesn’t mean that you can just dump stuff on them and that’s the end of it.
Tarun Desikan:
Right. And that segues nicely into what I want to talk about, which is the right way to bring Zero Trust into DevOps, is to bake the processes in it. DevOps teams think in terms of automation, they think in terms of infrastructure as code. So the best way to get Zero Trust Security is to make your Zero Trust Security processes automated. Your policy should be automated, your service creation, your deployment, your monitoring. If you expect DevOps teams to manually bring up gateways, file tickets for IP whitelisting, they’re just going to work around your system. So security needs to buy into the whole concept of automation. Security needs to buy into the fact that policies should be code. Policy should not be implemented as ad hoc projects: I will write a big long document on how to do security. And then every six months or so, when the compliance guy comes around, I come and check and see if you followed it. Well, I can guarantee you the DevOps guy has not followed it.
Tarun Desikan:
The other capability, when you think about Zero Trust Security, especially as it pertains to DevOps workflows, is we have to give up on IP whitelisting. I feel like if I had a personal battle to fight in security, it would be against IP whitelisting. I’ve been a network engineer for 20 years. I have done IP whitelisting all my career, but if there’s a time to stop, it’s now, because now we have so many better tools: rotate your API keys, use cryptographic credentials, certificates. There are so many better ways to beef up security. And fundamentally IP whitelisting is the antithesis of DevOps.
Tarun Desikan:
The other recommendation, we see this in a lot of companies, is DevOps teams and even security teams sometimes try to roll their own software. But it’s much better to use a centralized identity system, either provided by your cloud provider or your single sign-on provider, than to roll your own. And the other part I would say is sometimes we see security teams really enforcing rigid corporate standards, and that never flies. Developer experience is probably the number one requirement for any security program in DevOps. And if your goal is to get your DevOps professionals building security into your system, you have to prioritize their productivity. And these are kind of hard-taught lessons. Some of them might be obvious, but I feel strongly that these are the dos.
Fernando Montenegro:
Yeah. And it aligns with let’s make… And I’ll get to kilo in a second, but it aligns well with, “Hey, listen, this is how we get these teams to work better together.” People are not going to just accept, “Hey… ” They’re not going to accept a roadblock just as a moral imperative, right?
Tarun Desikan:
Right.
Fernando Montenegro:
That’s a hundred percent. So with that in mind, let me just go ahead a little bit on what it is that we are seeing moving ahead. And I think that from some of the commentary we’ve had so far, you can have a sense of where we’re going. One of the things I like to do, I always like to… I think often about martial arts, if you’re looking at my background, I practice martial arts, that’s my martial arts belt in the back there. So apologies for that. In the martial arts, we have a saying, “You sweat in the gym so you don’t bleed in battle or in the ring.” So I think that the notion of practicing and improving comes up all the time. So I apologize for the karate images, but it’s near and dear to me. I think that we need to have, as an industry, right? I think we need to have this deep and broad understanding of what the technology we are working with is. Right?
Fernando Montenegro:
And that’s a big challenge for security teams. We have to understand at a high level what’s going on around the world. And whether that’s a business requirement or whether it’s a technical requirement, can I use a new technology to do something? How secure is that technology? Or how do I implement my security objectives on that technology? That’s not an easy job, right? So you want to minimize the drudgery of the stuff that you know how to do, and you can automate, so you can dedicate yourself to understanding these broader topics. At the same time, you have to accept that the teams are going to expect technology that lets them do their job. I think that Tarun mentioned the large PDF. Absolutely, right? We can’t do that, right? I don’t want 500 vulnerabilities listed on a PDF report. I want them as tickets in my CI/CD pipeline, right? That I can work from, right? I think that we have to find ways of addressing this inherent complexity of everything.
Fernando Montenegro:
So, again, to minimize these obstacles to collaboration. And in the context of this conversation, we haven’t brought up that we’re all living through the pandemic. We are all living through this rethinking of how people connect to different things, right? This is a time where we are rethinking how we give access to things, right? And as I say, on the same there, I think we have to be ready to accept that Zero Trust has a very, very, very interesting role to play in all of this. Now, Tarun, before I pass over to you, anything else you would like to add from a broader learning perspective kind of thing?
Tarun Desikan:
I agree completely. We didn’t talk much about COVID and the pandemic, but it has really driven a lot of new requirements.
Fernando Montenegro:
Yeah.
Tarun Desikan:
Honestly, every company we talk to, even when they’re adopting DevOps, has also realized that they need to think about remote access. And oftentimes the requirement for remote access drives requirements for DevOps as well.
Fernando Montenegro:
Yeah.
Tarun Desikan:
Yeah, absolutely. And the one thing I would say is, you don’t need to wait. Oftentimes, when we talk to customers or prospects, they say, “Hey, let the DevOps guys go run a little bit ahead. It’s a new project for us. Let’s wait for six months.” And that reminds me of one of my favorite things, Fernando, which is, the best time to plant a tree was 10 years ago, the second best time is today.
Fernando Montenegro:
Yeah.
Tarun Desikan:
So, you shouldn’t wait. You don’t need to wait for DevOps to be up and kicking in your environment. You can get started today. You can try it small. And Banyan, we actually have a free product, which is limited by number of users, but pretty much unlimited in terms of capability. It allows you to evaluate and plug your security holes. You can verify that your developers will actually enjoy using the tool. It’s very easy to get started. And best of all, for DevOps teams, it doesn’t cost anything. And so I would really encourage viewers to go try adding Zero Trust to your DevOps environments. It isn’t that hard. And it actually will add a lot of value to your business, not just today, but also going forward.
Fernando Montenegro:
Perfect. Thank you. So with that in mind, I think that we’re now ready to take some questions. I think that as you and I have been talking, I know there have been questions popping up on the chat. Either you, or John, or someone else can help us filter some of those.
Malik:
Sure I can do that.
Tarun Desikan:
I see one.
Fernando Montenegro:
Yeah. Yeah. Sorry. Malik, do you want to go?
Malik:
Sure. Yeah. So I just want to mention, just a quick reminder for the audience, simply type in the question in the box on your screen, if you have any. We already have some. So I’ll begin with the first one. The first question that I see is, “My organization has invested in various privileged access management tools, including bastion hosts and audit logs. Can I just implement Zero Trust using those or do I have to purchase new tools?”
Tarun Desikan:
Yeah, that’s a great question.
Fernando Montenegro:
I think that’s more for you Tarun, I’m sorry.
Tarun Desikan:
Yeah. So privileged access management, I would say it has been a traditional field. It has been there for many years. There are many large players in this field. And what has happened with the move to DevOps is, PAM, just privileged access management, there’s been a convergence of what PAM provides and what your traditional VPN provides. And this has happened because traditionally your VPN gave you access to your network and your privileged access management tool gave you access to your services within that network. Okay. An SSH bastion, or an SSH audit logger. When you move to AWS, or Azure, or GCP, these are by definition running in the cloud somewhere else. So you don’t need to have two separate tools to accomplish the same functionality.
Tarun Desikan:
You can just have one tool that gives you both the network access, as well as the SSH logging and the bastion capability. So you don’t need to buy a new tool, but there is a whole class of tools that are in the market that actually combine both functionalities. And so when you think about your existing PAM solutions, they can be layered onto a new Zero Trust solution or in some cases they can be entirely replaced.
Malik:
Perfect. The second question I see over here is, “Would deploying a Zero Trust solution be in addition to our existing VPN, or does it replace it?”
Tarun Desikan:
Fernando, I can take the second half, but what are your thoughts?
Fernando Montenegro:
So I would say that… I’ll go back to the karate analogies, right? We’re always improving, right? So I would say, it really depends on the project, and I would never make any specific recommendations without better understanding client environments. What I will say is that in many of the observations that we’ve seen, you can potentially start with smaller projects that complement that VPN in the sense of, “Hey, perhaps this particular application or this particular business unit, or what have you, we’re moving you to this little by little.”
Tarun Desikan:
Yeah.
Fernando Montenegro:
So that incremental aspect really, really resonates with me. I think that doing this inside an existing connection doesn’t make as much sense, but again, I would never make specific recommendations without understanding the environment first.
Tarun Desikan:
Yeah. I agree. The environment matters a lot. Just to give you some specific examples. If you are completely in the cloud, if you are only in AWS and it isn’t physically connected to your corporate network at all, then yes. You can make do without a VPN. However, if you have a large on-premises infrastructure, large data centers connected with SD-WAN and MPLS tunnels, you cannot replace your VPN on day one. So you’re better off picking a small project and enabling Zero Trust just for that environment. So it really depends. And in most large enterprises, you definitely want to do Zero Trust in addition to your existing VPN.
Fernando Montenegro:
Yep.
Malik:
Perfect. Thanks guys. Next question that came in is, “How can a Zero Trust solution save time in the DevOps process?”
Fernando Montenegro:
Well, I’ll take an early stab and Tarun, please chime in. In DevOps processes we want to simplify access to environments, right? And the moment that you are not fighting over what’s the IP whitelist that I have to allow something on. I’ll give you an example, perhaps if you have to have a manual process or abandon some administrative process to get access to new resources that were spun up because of elasticity, right? I mean, all of a sudden I had five VMs and now I need 500. If your access process doesn’t account for these kinds of things, it’s going to delay access. It’s going to be burdensome to your team at run time, right?
Fernando Montenegro:
I would argue that one of the important things about DevOps as well, and we didn’t cover too much, the pipeline process, the process itself, is there are multiple steps in the process before something gets released to production. You have to set up multiple different environments. Perhaps you have to do load testing in one, you’re doing QA testing in another. All of these environments are things where if you have to somehow debate with somebody, “Am I going through a jump server? Am I going to have to get new VPN access?” All of those are things where there’s opportunity for delay. And if we want to reduce the toil of remote access, something like Zero Trust, again, I think it’s worth taking a good look at.
Tarun Desikan:
Yeah. Just to build on that, I think what Fernando is saying is, there’s a lot of friction that security could add to the DevOps process. And the answer is automation. So if you can automate security policy, it’ll automatically reduce the friction. And specifically, the friction points we see are in onboarding and offboarding. Onboarding and offboarding either new services or onboarding and offboarding new users. And both of those today should be automated because your new services, especially in DevOps environments, are spun up with Terraform, and CloudFormation, and automation tools. And similarly, your new users are typically in a nice identity provider like Azure AD or Okta. There is no reason to stitch together special code to make that happen. You should just be able to connect the two APIs together and grant access based on the privileges and the type of service it is. And so I’m a big fan of automation. I hope that came out. And I genuinely believe automation will save time if we can get security into that mindset.
Fernando Montenegro:
A hundred percent. Anything else, Malik? Or John?
Tarun Desikan:
Maybe one question, Fernando, we can cover is a good one, which is, the cloud provider offers a lot of security tools. Why can’t I just use those?
Fernando Montenegro:
I smile because it’s a legitimate concern and I’ll point it back to what I talked about very, very early on. Perhaps you, as a developer within a project, may have visibility of something specific to your environment. Whereas a more centralized team that has to solve multiple things needs that multi-cloud support. And in many cases, I give credit to the cloud providers, but they are focused almost by definition on their environment. So in many cases, you want the flexibility of using the same kind of capability to connect across multiple environments. And that’s where, with cloud providers, sometimes the technology that they offer is somewhat, again, by definition, much more applicable to their own environment than others.
Tarun Desikan:
The other aspect I would say is, when you look at security itself, cloud providers will not just get you into their environment, they will focus on authenticating you with their systems. But when you look at an enterprise, oftentimes user identity is stored in a single sign-on solution. Device identity is stored in a device management solution. Device posture is stored in an EDR solution. There are many cloud solutions that are not actually connected to your infrastructure provider. And it’s very, very rare that an infrastructure provider goes and gets signals from those to give you access, when from an enterprise security posture, you want to say, “Fernando, on a valid, good-posture device, can access resources. Fernando on a compromised device should not access resources.”
Tarun Desikan:
So those kinds of simple security policies are typically not in the mandate of what cloud providers provide. And this is why companies have traditionally used the VPN, because the VPN allows them to enforce these kinds of policies. And so, even though the cloud providers offer a lot of security tools and you should use all the security tools, you typically need a different layer, a more centrally managed layer, to coordinate all the different systems to enforce your enterprise security policy.
Fernando Montenegro:
It’s spoken much better than I.
Malik:
Okay. I have another question. So this one is, “How would the presence of a Zero Trust access solution affect the developers’ daily UX?”
Fernando Montenegro:
I’ll defer the-
Tarun Desikan:
Yeah, that’s a great question. And, just in all honesty, the easiest solution, the easiest security solution, is just to be on the network. And when you’re on the network, you really don’t need to know about what you’re accessing and you just get access to everything. Now, unfortunately, if you’re on the network, you also have very few security controls about where you go in the network. And so every Zero Trust access solution needs to provide both security, but without affecting the developer’s daily user experience. So it is a challenge we have. And then what I would suggest is every viewer who has this question should go try the different products. Most products should have a free option that you can just go try. And so Banyan has the team edition. You can go try some that other vendors have. And you have to judge for yourself whether your developers’ experience changes.
Tarun Desikan:
I can tell you from our side, we spend a lot of time making sure our developer user experience is seamless and actually fun. We try to make it actually easy and programmable and provide a CLI so people can further enhance and customize their workflows. But everyone has a different requirement, people have different opinions. So I would say people are trying hard, but I don’t think this is a solved problem yet. But we definitely aspire to make the Zero Trust solution transparent and even fun for a developer.
Fernando Montenegro:
Absolutely.
Malik:
Thanks, Tarun. That concludes our roundtable for today. We’ll make sure to address all unanswered questions via an email after the live event concludes. Thank you, Fernando and Tarun. As a reminder, the on-demand version of this event will be available shortly. On behalf of Banyan Security and 451 Research, thank you for attending and have a great day.
Fernando Montenegro:
Thank you all. Everybody have a great day. Ciao.
Malik:
Thank you.