451RESEARCH.COM
©2019 451 Research. All Rights Reserved.
Cloud Adoption: Trends and Recommendations
SecTor 2019
Fernando Montenegro
Principal Analyst
https://www.customink.com/fundraising/lastweekinaws
DevOps DevSecOps
Does it matter?
Principal Analyst, Information Security team
Originally from , now based in Toronto
Topic areas: cloud security, endpoint, deception, anti-fraud.
Prior experience: 25+ years across pre-sales, delivery and consulting roles in enterprise security.
Interests: security economics, security at scale
@fsmontenegro
Introduction
Agenda
• Introduction and Methodology
• Broader Cybersecurity Trends
• Cloud Adoption Trends
• DevOps
• Cloud Security Trends
• Recommendations
Methodology
“451 Voice of the Enterprise”
Quarterly insights:
► Budgets & Insights
► Workloads & Projects
► Organizational Dynamics
► Vendor Evaluations
Briefings, Inquiries, Research
100s of hours
► Enterprise IT
► Service Providers
► Security vendors
► Finance professionals
Qualitative research
Independent
Strategy Cycle (Sun Tzu and Simon Wardley)
Clima[c]tic Pattern: Evolution
Monolithic -> Microservices
Waterfall -> Agile
APIs -> ‘Functions as a Service’
IT -> DevOps
Datacenter -> Cloud
Self-contained -> Service mesh
Enterprise -> IoT, OT, consumer
Networks -> 5G
INFOSEC?
Q17. Which of the following represent the most important workload-related IT challenges your organization faces at the moment?
• Data protection and security: 60%
• Governance and compliance: 37%
• Migrating workloads to new IT environments: 31%
• Incorporating new workloads into the IT environment: 25%
• Ongoing capacity planning: 23%
• Cost tracking/management: 23%
• Lack of workload-specific staff/expertise: 23%
• Maintaining visibility across different IT environments: 21%
• Other: 3%
% of respondents (n=921)
Source: 451 Research, Voice of the Enterprise: Digital Pulse, Workloads & Key Projects 2019
All eyes on security!
Security: Seen in context
Source: 451 Research’s Voice of the Enterprise: Digital Pulse, Workloads and Key Projects 2018
Continuation of an upward spending trend
By what percentage do you expect your organization’s total information security budget to change in the coming year compared to this year?
Source: 451 Research’s Voice of the Enterprise: Information Security, Budgets & Outlook, published Q1 2019
Mean: 22, Median: 20
Q20. Which of the following best describe the primary purpose of the current/planned digital transformation initiatives?
• Customer experience: 44%
• Data-driven business intelligence and analytics: 43%
• Delivery of new digital products and services: 42%
• Process automation: 36%
• Employee productivity: 30%
• Developing new digital business/revenue streams: 29%
• Innovation/enhancement of existing products (e.g., remote diagnostics/updates): 28%
• Supply chain optimization: 11%
• Other: 3%
% of respondents (n=593)
Source: 451 Research, Voice of the Enterprise: Digital Pulse, Workloads & Key Projects 2019
Why are organizations doing this?
Digital transformation strategy is: Evaluation or execution
Q15. Which of the following benefits, if any, has your organization experienced as a result of your use of cloud services?
• Faster time to market for new products: 45%
• Improved employee productivity: 42%
• Reduced operating expenses: 36%
• Improved customer satisfaction: 25%
• Extended geographic reach: 25%
• Fewer security/data leakage incidents: 15%
• Increased revenue: 12%
• Improved availability of cash: 9%
• Increased gross margins: 8%
• Reduced customer churn: 6%
• Reduction in debt/borrowing: 4%
• We haven't experienced any benefits: 18%
% of respondents (n=250)
Source: 451 Research's Voice of the Enterprise: Cloud, Hosting & Managed Services, Organizational Dynamics 2019
Are they seeing results? Oh yes…
Cloud transformations are ongoing
[Chart: where the majority of workloads/applications are deployed, for 2018 actual (n=1026), 2019 actual (n=885), 2020 proj (n=978) and 2021 proj (n=849). Series: SaaS; IaaS/PaaS; Hosted Private Cloud; 3rd-Party Colocation; On-Premises Private Cloud; On-Premises Traditional IT.]
Q: Thinking about all of your organization’s workloads/applications, where are the majority of these currently deployed?
Q: Thinking about all of your organization’s workloads/applications, where will the majority of these be deployed two years from now?
Source: 451 Research’s Voice of the Enterprise: Digital Pulse, Workloads & Key Projects 2018-19
Q4. What percent of your organization's overall IT budget (including infrastructure, software, and vendor fees) is spent on IaaS/PaaS/public cloud resources?
• 1-25%: 61%
• 26-50%: 29%
• 51-75%: 9%
• 76-100%: 1%
% of respondents (n=80)
Source: 451 Research's Voice of the Enterprise: Cloud, Hosting & Managed Services, Organizational Dynamics 2019
Approximate percentage of overall IT budget spent on IaaS/PaaS/public cloud
All respondents who use IaaS/PaaS/public cloud
Mean = 23%
Median = 20%
Q5. How do you expect your organization's spending on public cloud to change during the next 12 months?
• Significant increase: 22%
• Slight increase: 57%
• Remain the same: 18%
• Slight decrease: 2%
• Significant decrease: 1%
% of respondents (n=90)
Source: 451 Research's Voice of the Enterprise: Cloud, Hosting & Managed Services, Organizational Dynamics 2019
Expected change in public cloud spending in next 12 months
All respondents who use IaaS/PaaS/public cloud
“Well, private is cheaper!”…not quite
Q17. Within the last 12 months, has your organization migrated any applications or data that were primarily part of a public cloud environment to a private cloud or non-cloud environment?
• Yes, to a hosted private cloud environment: 5%
• Yes, to an on-premises private cloud environment: 2%
• Yes, to a non-cloud environment: 2%
• No: 92%
% of respondents (n=187)
Source: 451 Research, Voice of the Enterprise: Cloud, Hosting & Managed Services, Workloads and Key Projects 2019
“People are migrating back!”…. Not quite…
Q2. In the last 12 months, how often did you deploy most software applications to production?
• Hourly: 5%
• Daily: 19%
• Weekly: 25%
• Monthly: 23%
• Quarterly: 19%
• Semi-Annually: 6%
• Annually: 3%
% of Respondents (n=427)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Frequency of Software Applications to Production
Organization has deployed software applications to production in the last 12 months
Q8. For which types of applications does your organization take a DevOps approach?
Chart values: 59%, 56%, 49%, 45%, 12%, 1%
Chart labels:
• Data processing, analytics, business intelligence
• IT/infrastructure optimization functions
• Customer-facing functions that enhance the experience/value of doing business with your organization
• Specialized business process functions
• Other internal/line-of-business functions
• Other
• Don't know
% of Respondents (n=499)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Types of Applications Using a DevOps Approach
All respondents
Q10b. What are/were the primary challenges of spreading DevOps to more of your applications, releases and teams?
Chart values: 29%, 24%, 24%, 23%, 22%, 21%, 20%, 19%, 18%, 6%, 1%
Chart labels:
• Cost
• Concerns about governance, security and compliance risks
• Technical complexity (e.g. tool sprawl)
• Existing process is sufficient for some applications
• Performance
• Refactoring/rewriting legacy applications
• Inconsistent processes and workflows
• Scaling is difficult
• Culture conflict among internal teams
• No challenges to spreading DevOps
• Other
• Don't know
% of Respondents (n=496)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Barriers to Spreading DevOps More Widely
All respondents
Q12. Which best describes your DevOps process?
• All sanctioned and centrally managed: 43%
• All sanctioned but distributed management (e.g., within different business units): 47%
• Some sanctioned and centrally managed, but some unsanctioned and/or distributed: 10%
% of Respondents (n=489)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Structure of DevOps Process – Distributed is Way to Go
Q15. What cultural challenges, if any, has your organization's DevOps team(s) confronted?
• Overcoming resistance to change: 33%
• Aligning differing priorities for stakeholders and teams: 31%
• Promoting communication between teams not accustomed to working together: 30%
• Sharing responsibility for problems: 28%
• Demonstrating equity of benefits/costs: 27%
• down support (management, leadership, etc.): 25%
• up support (developers, sysadmins, etc.): 23%
• Breaking down silos for collaboration: 22%
• None of the above: 6%
• Don't know: 2%
% of Respondents (n=500)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Cultural Challenges Facing DevOps
All respondents
“The most innovative companies and highest-performing organizations are always striving to be better…”
From: Forsgren & Shortridge, BH USA 2019
Q16. Which environment(s) does your organization use for your DevOps implementation?
Chart values: 49%, 38%, 32%, 26%, 21%, 19%, 18%
Chart labels:
• On-premises private cloud
• Hosted private cloud
• On-premises, non-cloud infrastructure
• Infrastructure as a service (IaaS)/public cloud
• Software as a service (SaaS) and hosted applications
• Hosted, non-cloud infrastructure
• Platform as a service (PaaS)
• Other
• Don't know
% of Respondents (n=500)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Environments of DevOps Implementation
All respondents
Q32. Which cloud-native technologies and methodologies are important to your organization?
• Microservices: 46%
• Containers: 41%
• Serverless: 28%
• Service mesh: 26%
• Kubernetes: 24%
• None of the above: 5%
• Don't know: 6%
% of Respondents (n=494)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Important Cloud-Native Technologies and Methodologies
Cloud native trends have some importance to organization's DevOps implementation
Q28. How important is open source software to your organization's DevOps implementation?
• Very important: 46%
• Somewhat important: 44%
• Not very important: 8%
• Not at all important: 2%
% of Respondents (n=493)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Importance of Open Source Software for DevOps
All respondents
Q35. What percentage of your overall application portfolio is developed using cloud-native technology and methodology?
• None (0%): 2%
• 1-9%: 2%
• 10-19%: 7%
• 20-29%: 11%
• 30-39%: 15%
• 40-49%: 14%
• 50-59%: 11%
• 60-69%: 11%
• 70-79%: 12%
• 80-89%: 7%
• 90-99%: 3%
• 100%: 4%
% of Respondents (n=484)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Percentage of Applications Developed Using Cloud-Native Technology or Methodology
All respondents
Q23. Which of the following skills categories are most important for managing your organization's cloud computing environment?
• Security expertise: 66%
• Cloud platform expertise: 61%
• Compliance/governance: 49%
• DevOps: 47%
• Cloud orchestration and management: 45%
• Cloud architect: 45%
• Cloud server/storage administration: 41%
• Cloud provider management: 39%
• Cloud-native programming: 26%
• Software-defined networking: 21%
• Database administration: 20%
• Machine or deep learning: 14%
• Open source software development: 13%
• Other: 2%
% of respondents (n=465)
Source: 451 Research's Voice of the Enterprise: Cloud, Hosting & Managed Services, Organizational Dynamics 2019
Sense of importance of security
Q24. And which of the following skills categories are most acutely lacking when it comes to managing your organization's cloud computing environment?
• Security expertise: 36%
• Cloud architect: 34%
• Cloud orchestration and management: 31%
• Cloud platform expertise: 27%
• DevOps: 24%
• Compliance/governance: 22%
• Cloud-native programming: 22%
• Machine or deep learning: 20%
• Cloud provider management: 19%
• Cloud server/storage administration: 16%
• Software-defined networking: 14%
• Open source software development: 11%
• Database administration: 8%
• Other: 4%
% of respondents (n=450)
Source: 451 Research's Voice of the Enterprise: Cloud, Hosting & Managed Services, Organizational Dynamics 2019
Yet organizations struggle to be prepared
Q19. Beyond developers and IT operations, who are the primary stakeholders in your DevOps implementation?
Chart values: 44%, 38%, 33%, 30%, 25%, 23%, 21%, 12%
Chart labels:
• Security
• Central IT admin (network admins, storage admins)
• Data science/data analytics
• DBAs (database administrators)
• Management and leadership
• Line of business (LOB) managers
• Compliance
• Finance
• Don't know
% of Respondents (n=500)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Stakeholders in DevOps Implementation
All respondents
Q22. What is the most critical security element to your DevOps workflows?
• Static analysis: 11%
• Dynamic analysis: 15%
• Interactive analysis: 14%
• Software composition analysis: 14%
• Vulnerability assessment: 30%
• Software supply chain validation: 15%
• Other: 1%
% of Respondents (n=474)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Security Elements Critical to DevOps Workflows
All respondents
Q12. Which of the following groups are involved in or influence public cloud spending decisions at your organization?
• IT management group (e.g., CIO): 80%
• IT infrastructure managers/administrators group: 63%
• Information security management group (e.g., CISO/CSO): 52%
• Executive management group (e.g., CEO, board): 46%
• Developer group: 37%
• Finance management group (e.g., CFO): 36%
• Applications group: 36%
• Operations management group (e.g., COO): 32%
• Research & development (R&D) group: 30%
• Data science/data analytics group: 25%
• Digital strategy group: 25%
• Legal/compliance management group (e.g., CCO): 23%
• Marketing management group (e.g., CMO): 15%
• Customer service and support (e.g., CSS) group: 15%
• Sales management group: 12%
• Third-party service providers/systems integrators/value added resellers: 12%
• Human resources management group (e.g., CHRM): 11%
• Other: 2%
% of respondents (n=326)
Source: 451 Research's Voice of the Enterprise: Cloud, Hosting & Managed Services, Organizational Dynamics 2019
Groups involved in public cloud spending decisions
All respondents who use IaaS/PaaS/public cloud
Q23. What percentage of your DevOps workflow implementations include security elements?
• None (0%): 1%
• 1-9%: 2%
• 10-19%: 7%
• 20-29%: 13%
• 30-39%: 14%
• 40-49%: 11%
• 50-59%: 15%
• 60-69%: 9%
• 70-79%: 8%
• 80-89%: 5%
• 90-99%: 6%
• 100%: 10%
% of Respondents (n=478)
Source: 451 Research, Voice of the Enterprise: Q1 2019 VotE DevOps survey
Percentage of DevOps Implementations With Security Elements
All respondents
Strategy -> Doctrine
Security for Cloud & DevOps
Support cloud teams, not just ‘no’
Don’t duplicate security
Work within their processes
Iterate & improve
Avoid “always did this way”
Work with project teams
Optimize for change
Use right tooling
Security with every change
Use platform when you can
“Defects” and “incidents”
Support for improvement
Align tasks to motivation
Enable self-sufficiency
Next steps -> Leadership & Act
• Must evaluate steps on your own
• Individual, departmental, organizational
• Expect – indeed plan for – failure and iteration
In closing
• Cloud adoption uneven, nuanced but unwavering
• DevOps adoption growing, uneven, nuanced
• Security is top of mind in both trends
• Path forward for security is alignment, not conflict
• Parting (provocative?) thought:
• THIS is how we close “cybersecurity skills shortage”
451research.com
US +1 212.505.3030 EUROPE +44 (0) 203.929.5700
Thank you
@451Research
@fsmontenegro
New York
London
Boston
Washington, D.C.
San Francisco
Additional Resources
• Shortridge & Forsgren BlackHat USA 2019
• Accelerate – Forsgren, Humble and Kim
• Cloudsecurityforum.slack.com
• Veracode State of Software Security Report Vol.9