If you see me speaking about cloud it’s pretty much guaranteed I’ll eventually say

“Cloud security starts with architecture and ends with automation.”

I’m nothing if not repetitive. This isn’t a quip, it’s based on working heavily in cloud for nearly a decade with organizations of all size. The one consistency I see over and over is that once organizations hit a certain scale they start automating their operations. And every year that line is earlier and earlier in their cloud journey.

I know it because first I lived it, then I watched every single organization I worked with, talked with, or generally glanced at, go down the same path.

We all start by manually managing things in the console.

No surprise, since that’s where we sign up and start using the cloud. It’s the best place to learn, and most of the consoles have a wizards, instructions, and other tips to help us along as we get started.  But this doesn’t scale for long due to the increasing complexity as we build out both more complex environments, or multiple copies of simple environments. Clicking through a web based user interface for repetitive tasks is not overly efficient, and becomes more and more time-consuming and frustrating. This isn’t just due to bad user interfaces from the cloud providers (and let’s be honest, some of them are pretty terrible), if you think about it we are trying to manage effectively every aspect of a data center from a single web interface. Not. Going. To. Happen.

Thus the next natural step…

Is to move into using the command line interfaces, but these face equal complexity. Keeping a data center running involves a ton of moving parts for initial provisioning alone, never mind ongoing operations. While it is easy to remember the commands you use constantly, no one can really keep everything at this scale in their heads. And it still comes down to typing the same commands over and over for the same tasks.

And all this assumes you are just one person managing one account, yet in even a small startup you need to manage repetitive tasks across multiple accounts.

At the same time…

Development teams are already working directly with the APIs to integrate the different pieces of the cloud into applications. It probably starts as simple as managing some S3 buckets, but rapidly will expand into managing everything from global scale databases to machine learning engines. This is how you integrate PaaS into your applications and derive some of the most essential value from cloud.

Dev teams also quickly use tools like Terraform and CloudFormation to define their infrastructure as code. That way they can build their dev/test/prod environments and keep everything consistent.

Before long (okay, sometimes it takes a couple years) security and operations then start leveraging the automation themselves, typically in three main areas.

1. Use of Infrastructure as Code (IaC) to build out new environments and integrate with deployment pipelines. IaC allows us to build consistent, repeatable environments and provision our baseline security and ops requirements. Developers also use it to define their environments for dev/test/prod. Everyone wins and every single company I’ve worked with ends up using it very quickly.
2. Automation for assessment and monitoring. The core problem is maintaining visibility over disparate cloud resources, even when they are all in the same account. Consoles can show a lot, but automation allows you to show what matters to you. This is actually a HUGE advantage over traditional infrastructure where we spend ridiculous amounts of cash just to do things like track servers in the data center. Something which is merely an API call away in cloud.
3. Automation for operations. Once you start seeing things out of alignment you want to start fixing them. Plus there are a wide range of workflows that can naturally be automated. While this level of automation is cost prohibitive in most traditional infrastructure, even if it’s possible, it’s just a natural extension of working in cloud.

One of the key advantages of cloud is segregation…

Isolating out environments with just the resources they need so that those developers can move quickly without stepping on anyone else. But quickly this leads to needing repeatable processes and management, and with the APIs just sitting there it’s only natural to automate.

A child will crawl, then walk, then run even if they grow up in an isolation chamber without external stimuli (we promise we haven’t tried this… really). It’s a natural progression. It’s the same for cloud automation… it is simply the inherent requirement to operate anything in the cloud at scale, and everyone gets there eventually. The trick is to get there effectively.