Modis Posted 10 October 2022

Cybersecurity is table stakes for doing anything online with any business. As we have continued to digitise our entire civilisation, we need to routinely pay down the technical debt that gathers over time.

Many organisations have bespoke line-of-business solutions, or custom extensions to common platforms, that implement the specific business logic that helps run their business. These solutions are often put in as part of a project and then “transitioned to support”, which means the system is kept operational but not updated.

This continues until the original solution is 5 – 10 years old and no longer fit for purpose. A massive investment is then made in a replacement, along with further investment in the resources needed to migrate from the older solution to the newer one.

The effort is large, and the risk of removing the people who implemented the solution, handing responsibility to an existing support team that lacks the deep understanding, is huge. That risk increases over time, and then multiplies during the replacement and subsequent migration.

At Modis (soon to be Akkodis), we’ve been delivering cloud-native solutions that align to the Well Architected Principles since 2014. These solutions are maintained by our development team as part of our DevOps approach. This means architectural changes to a solution can be integrated as part of routine maintenance.

Another benefit of this approach is that, for virtual machine-based solutions, the entire application tier gets destroyed and restarted from a known, blessed golden image. Furthermore, targeting a new golden image, bootstrapped from known-good upstream images and customised for our application, can be done as part of the same release. Replacing Red Hat 7.x with Red Hat 8.x is no longer a big issue; it’s a footnote in a release.

The Well Architected Principles

It’s worth checking in briefly on the (now) six pillars of the Well-Architected principles:

  • Operational Excellence
  • Security
  • Reliability
  • Performance
  • Cost Optimisation
  • Sustainability

There is no prioritisation amongst these principles. Many customers realise that cost is not always number one; often it’s security in first place, closely followed by cost. However, there is one pillar I wanted to explain further: Operational Excellence. AWS describes this as “running and monitoring systems, and continually improving processes and procedures”.

This describes, in part, Observability in applications, which is a key concern. How do you know your application is working, and how do you detect events and conditions that could be leading to service degradation? Having metrics on usage, abuse, and more, with alarms on them, is key. And while you’ll try to get the optimal metrics emitted from your solution when you architect it, by the time it gets to production it’s likely you will have new important metrics, and some existing ones that are no longer relevant.

What if you got it wrong? That’s where the clause to continually improve processes and procedures comes into play, along with the key topics of “automating changes, responding to events, and defining standards to manage daily operations”. Rolling changes out to new virtual machines and retiring the old ones once traffic has drained away gives you the agility to continually update and change your deployment with minimal interruption, risk, and cost.

A key item we’ve seen is changes in network security protocol requirements over time. New Transport Layer Security versions have become available, and previous versions have fallen away. Using Operational Excellence, we wrap up the configuration of load balancer security in the same release process. We can also deploy (and incrementally update) stricter security headers for our CloudFront (CDN) distributions, or move from Origin Access Identity (OAI) to Origin Access Control (OAC) when accessing content from S3 Bucket Origins. Key amongst this is tuning web Content Security Policies, so that the modern client web browser joins us in the fight against compromised web sites.
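One way to make the security-header and Content Security Policy tuning described above a repeatable check rather than a one-off is to audit what the CDN actually returns against a written baseline on every release. The following is an added example for this article, not Modis/Akkodis code and not an AWS API: it takes response headers as a plain dict (for instance captured from a request to the CloudFront distribution), parses the CSP, and reports every deviation from a baseline. The baseline thresholds and the two sample header sets are constructed assumptions, and the check deliberately covers HSTS, nosniff and Referrer-Policy as well as CSP, going a little beyond the headers the text names.

```python
"""Audit HTTP response headers against a security-header baseline.

Added example for this article, not Modis/Akkodis or AWS code. The
thresholds below and the sample header sets are constructed assumptions.
"""
from __future__ import annotations

import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; assumed minimum Strict-Transport-Security max-age


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # HSTS: present, at least one year, and covering subdomains.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("missing Strict-Transport-Security")
    else:
        if int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # CSP: present, with a script source list that is not wide open.
    csp = h.get("content-security-policy")
    csp_directives = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when absent, as browsers do.
        script = csp_directives.get("script-src", csp_directives.get("default-src"))
        if script is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
            if "'unsafe-inline'" in script and not has_nonce_or_hash:
                findings.append("CSP script-src allows 'unsafe-inline' without nonce or hash")
            if "*" in script:
                findings.append("CSP script-src allows any origin (*)")

    # Clickjacking: either CSP frame-ancestors or the legacy X-Frame-Options.
    if "frame-ancestors" not in csp_directives and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return findings


# Constructed sample header sets (not captured from any real distribution).
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {audit_headers(hdrs) or 'baseline met'}")
```

Run this as a post-deployment step and fail the release when the findings list is non-empty; the baseline then changes through the same release process as the CloudFront or load balancer configuration it checks.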

Once you’re in a place where your deployed application can be rapidly updated, then any issue – including security – can be addressed easily at minimal cost and risk. If you had a manual deployment process, involving putting a holding page/status message out to your users, then you’re less likely to want to do more than a weekly update.

Operational Excellence lets you make incremental improvements that help address Reliability over time; perhaps you’d like to adopt a third (or fourth) Availability Zone as the Cloud Region expands. Perhaps your Auto Scaling group is configured to launch instances from a previous-generation instance type; a configuration change to roll this to the current generation may be a neat performance efficiency win (thanks to Moore’s Law).

That performance efficiency change for a newer virtual machine instance type may also yield Cost Optimisation Benefits. These changes may drastically reduce the power consumption, which helps with the Sustainability Pillar.

A Well-Architected Review

Modis has been delivering Well-Architected applications for nearly a decade. We’ve learnt a lot, not just on the journey to get to the cloud, but on the continuing journey once you’re there. Our engineers have done significant amounts of vendor certification to validate their knowledge, and our team also participates in the Subject Matter Program, helping write the vendor certification items (questions).

With all this engineering, architecture, and operational knowledge, we’re helping customers borrow these brains to shed light on their operations. This is the premise of a Well-Architected review, which we scope to a single application (across all environments), or to the orchestration of a multi-account environment, taking in things like Organisations, Service Control Policies, identity federation to the Cloud control plane, and more.

These reviews are done within a week, working with your existing engineering team, and sharing the Highest Risk Items that need immediate remediation, and the Residual Risk Items that can be dealt with in a more controlled manner.

For example, if you don’t have hardware MFA enabled on your primary account, that’s a relatively quick fix.

By having one of our experienced engineers look over your architecture, operations, costs, metrics, and alerts with your operations team, we complete the process and use our knowledge and experience to provide appropriate recommendations to address these concerns.

The cloud doesn’t stand still; innovation keeps happening. Under the Shared Security Model of the cloud, there are often updates that need to be triggered by the customer in the Cloud environment to take advantage of improved protections, often at minimal or zero incremental cost.

Having a fresh pair of experienced eyes review, and recommend, can provide you with comfort at best, or a list of opportunities for improvement at worst.

Since our experience in cloud is longer than most, we’re offering this service to any customer worldwide. Just contact your local Modis (Akkodis) office and ask.

Modis has been an AWS Advanced Tier Partner since 2014.
