Security Engineering on the Public Cloud

Modis combines DevOps Practices with the ASD Essential 8 developing….

By James Bromberger Posted 31 October 2022

Modis (soon to be Akkodis) has been an AWS Partner since 2013, and a Microsoft Azure Partner since 2017. Over this time, we have migrated workloads to the cloud, and been operationally responsible for supporting and continually uplifting these services, across enterprise and public sector organisations.

Digital solutions have never been able to “run” themselves. For every online service with customers there is a team of people keeping the digital machinery working: patching, updating, reacting to service interruptions and events, backing up, and maintaining service levels.

Most solutions fall into these categories:

  • Software as a Service (SaaS) – typically subscription based, with minimal customisation and possibly some configuration; the onus on the customer is to provide Single Sign-On to authenticate and authorise your user base. In this scenario the technical team you need to “run” the service is minimal – nearly all tasks, except authentication, fall to the SaaS provider to own – so you can point more of your staff at this solution.
  • Commercial Off-The-Shelf Software (COTS) – typically an outright purchase of a software solution that you install on your own infrastructure, after which you own the operational activities to maintain, update and secure it, as well as providing the level of access your user base requires to reach the application. For example: SAP ERP, SAS Analytics, ESRI ArcGIS, etc. In this case only the software updates fall on the provider; it is your responsibility to get those updates installed into your environment, and to configure the servers and storage, perform backups and monitoring, etc.
  • Open-Source Solutions (OSS) – similar in operational nature to COTS, but typically with zero financial cost, zero liability, community-led support (typically no SLAs), and the ability to contribute to the code base if you wish – but read the licence.
  • Bespoke software – the whole problem is yours to implement however you see fit. For example: solutions written in Java, .NET, Python, etc.

We’ve advocated to customers to consume SaaS if it meets their requirements on security, data jurisdiction, functionality, and cost. SaaS solutions typically exist only for a slice of the most common requirements that organisations have.

However, there are only a small number of line-of-business solutions that have digital SaaS offerings. This is changing over time, but most SaaS providers look to solve problems for which there is the largest customer base first.

For example: if your business is providing environmental monitoring of bird species, you are probably not going to find any SaaS offering that you can simply consume; you are perhaps also unlikely to find any OSS or COTS product that you can adopt or licence; and thus you probably need to implement a bespoke digital solution – either in an existing on-premises environment, or on cloud-based Infrastructure- and Platform-as-a-Service offerings.

The further down the stack from SaaS to IaaS, the more engineering effort is required to secure these solutions. This is where most organisations fail: they optimise their digital systems’ “support” for cost, with a small team responsible for many solutions. This leads to a least-effort approach rather than a most-competent approach – for systems that are often the digital lifeblood of the organisation.

Modis combines DevOps engineering principles, which facilitate rapid incremental deployments to environments, with a Security Engineering and Site Reliability Engineering (SRE) focus.

DevOps gives us a level of ringfencing on the people involved: they have a smaller, fixed number of solutions that are their focus, and they are tasked with deeper maintenance across the solution stack. They must identify requirements in their solutions that they can modify themselves, and those for which they need to collaborate with external providers (e.g. COTS vendors, OSS projects), to ensure that future versions of products and projects will meet the requirements that simplify or optimise operational activities. Using DevOps approaches also gives us deployment automation, to minimise the effort of reliably deploying updates into an environment.

But beyond that is taking an SRE and Security Engineering approach to what to change and how to make these items more reliable. By designing and implementing for failure handling (and expanding this handling iteratively over time), we can handle low-level failures automatically and maintain the operation of the solution.

As an example: when a traditional server (e.g. virtual machine or bare metal) reboots, all required processes should also restart, automatically. We’ve seen others who would remote desktop or SSH to a host to manually restart server processes, leading to extended downtime and increased maintenance (staff) cost. If a database server reboots (including in a fail-over scenario), then the application servers should handle this and automatically try to reconnect (with some form of incremental back-off).
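The reconnect-with-back-off behaviour described above, as an added example that is not code from the original post: capped exponential back-off with jitter around a pluggable connect() call. The simulated database that fails a few times during fail-over, and the injectable sleep/random/log functions, are assumptions for illustration.

```python
import random
import time
from typing import Callable, List, Tuple

def backoff_delay(attempt: int, base: float, cap: float, r: float) -> float:
    """Capped exponential back-off: base * 2**attempt, scaled by a jitter
    factor in [1, 2) so a fleet of app servers does not retry in lock-step.
    r is a pre-drawn random value in [0, 1)."""
    return min(cap, base * (2 ** attempt) * (1.0 + r))

def reconnect_with_backoff(
    connect: Callable[[], object],
    max_attempts: int = 8,
    base: float = 0.5,
    cap: float = 30.0,
    sleep: Callable[[float], None] = time.sleep,
    rng: Callable[[], float] = random.random,
    log: Callable[[str], None] = print,
) -> Tuple[object, List[float]]:
    """Call connect() until it succeeds or max_attempts is exhausted.
    Returns (connection, delays_slept). Re-raises the last error on exhaustion,
    so the caller (or the process supervisor) can decide what to do next."""
    delays: List[float] = []
    for attempt in range(max_attempts):
        try:
            return connect(), delays
        except (ConnectionError, OSError) as exc:
            if attempt == max_attempts - 1:
                raise
            delay = backoff_delay(attempt, base, cap, rng())
            log(f"connect failed ({exc}); retry {attempt + 1}/{max_attempts} in {delay:.2f}s")
            delays.append(delay)
            sleep(delay)
    raise RuntimeError("unreachable")  # loop always returns or raises

def make_flaky_connect(failures: int) -> Callable[[], str]:
    """Constructed stand-in for a database driver's connect(): refuses the
    first `failures` calls (fail-over in progress), then succeeds."""
    state = {"calls": 0}
    def connect() -> str:
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ConnectionError("database is failing over")
        return f"connection #{state['calls']}"
    return connect

if __name__ == "__main__":
    conn, waited = reconnect_with_backoff(make_flaky_connect(3))
    print(conn, "after waiting", [round(d, 2) for d in waited])
```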

Key elements to maintain are in-flight encryption standards, and authentication and authorisation. By supporting only the latest (one or two) TLS protocol versions and only the strongest ciphers, and reviewing this over time, we reduce our risk; by deprecating legacy versions quickly, these solutions effectively drop support for bots (scripts) that are not as well maintained. And by ensuring federation of identity with strongly signed certificates, we can provide not only Single Sign-On but loosely coupled solutions, increasing the reliability of both the workload application and the separate authentication solution.
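The “latest TLS versions, strongest ciphers only” posture above, as an added example that is not the original post’s code: a hardened server-side TLS context in Python’s standard ssl module, with an audit function that reports anything below TLS 1.2 or any cipher lacking forward secrecy or AEAD. The cipher string and the audit rules are this example’s assumptions, not a Modis standard; the legacy context in the test exists only to show what the audit flags.

```python
import ssl
from typing import List

# OpenSSL cipher-list string (assumed baseline): ephemeral ECDH key exchange
# only (forward secrecy) and AEAD bulk ciphers only. TLS 1.3 suites are
# governed separately by OpenSSL and are all AEAD with forward secrecy.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"

def hardened_server_context() -> ssl.SSLContext:
    """Server context that negotiates only TLS 1.2 / 1.3 with strong suites.
    Load your certificate/key with ctx.load_cert_chain() before serving."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # drops TLS 1.0/1.1 clients
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION            # no TLS-level compression
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context meets the
    baseline. Checks the protocol floor and every enabled cipher suite."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, expected TLSv1_2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        # TLS 1.3 suite names start with TLS_; in TLS 1.2 forward secrecy
        # requires an ephemeral (E)DHE key exchange.
        pfs = name.startswith("TLS_") or "ECDHE" in name or "DHE" in name
        if not pfs:
            findings.append(f"{name}: no forward secrecy")
        if not cipher["aead"]:
            findings.append(f"{name}: not AEAD (MAC-then-encrypt construction)")
    return findings

if __name__ == "__main__":
    ctx = hardened_server_context()
    print("enabled suites:", [c["name"] for c in ctx.get_ciphers()])
    print("findings:", audit_context(ctx) or "none")
```

Run the audit as part of a periodic review (or a deployment test) so that a cipher list loosened for a one-off client does not quietly persist.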

Similarly, given that the engineers involved have enough time allocated to do so, we deal with point-release updates to the various components of a workload solution – across operating systems and software execution runtimes (Java and .NET updates) – and, in the case of bespoke software, proactively update any third-party libraries.

In addition, Modis participates in the Australian Signals Directorate’s (ASD) Managed Services Provider Partner Program, subscribing to the Essential Eight recommendations as much as possible, and incorporating the regular security briefings and alerts from ASD that go to all Modis delivery engineers to ensure they incorporate the latest operational recommendations.

“Only 5 of the entities we perform a capability assessment at every year have consistently demonstrated good practices across all 6 control categories.”

Auditor General of a state of Australia, referencing amongst others a Modis customer, in their annual digital systems audit report

Several of our public sector customers in Australia have a consistently strong cybersecurity posture. Modis has been the primary managed services provider to these customers, delivering DevOps (and DevSecOps) with the full-stack, full-maintenance approaches described above.

By being proactive rather than reactive, we have minimised the risk and exposure of our customers’ environments, rather than minimising cost and effort; any incremental cost was optimised with scripting and automation.

In taking these approaches with our government customers, we have also helped raise the security capability around entire industry verticals.

About Modis (soon to be Akkodis)

Modis (soon to be Akkodis) is a global leader in the engineering and R&D market that is leveraging the power of connected data to accelerate innovation and digital transformation.

With a shared passion for technology and talent, 50,000 engineers and digital experts deliver deep cross-sector expertise in 30 countries across North America, EMEA and APAC. Modis offers broad industry experience, and strong know-how in key technology sectors such as mobility, software & technology services, robotics, testing, simulations, data security, AI & data analytics. The combined IT and engineering expertise brings a unique end-to-end solution offering, with four service lines – Consulting, Solutions, Talent, and Academy – to support clients in rethinking their product development and business processes, improve productivity, minimize time to market and shape a smarter and more sustainable tomorrow.

Modis is part of The Adecco Group, a Fortune Global 500 company.