Editorial

Now that Government is moving to the cloud, the big debate on its future has begun

James Lane, sales engineer at Puppet by Perforce, the industry standard for infrastructure automation, explains three important infrastructure considerations for government agencies

Posted 22 November 2022 by Matt Stanley


Government is moving to the cloud – with the added functionality, security and accessibility it provides, it’s an inevitability. But how that happens, and what it will eventually look like, is still a matter of debate.


There are three key elements for organisations to consider when formulating cloud infrastructure strategies for Government departments:

●  DevOps

●  Hybrid environments

●  Infrastructure as code

DevOps to DevSecOps in Government environments

Zero Trust is a strategy created to combat system intrusions through a ‘never trust, always verify’ model. DevOps is a collaborative software development strategy that integrates development, security, and operations practices into a continuously evolving lifecycle. Together, the two methodologies complement agencies’ ability to implement secure procedures and protocols from the very beginning of development.

It’s no longer enough to add security at the end of a waterfall development cycle. In the interest of efficiency, cost and time, automating security processes and shifting them to the start of development creates a more secure development cycle right from the start. There’s been a common misconception that security slows down release cycles, but that’s not the case, as we found in our State of DevOps report: https://puppet.com/resources/report/2019-state-of-devops-report/

DevOps pipelines are built with continuous integration and continuous delivery (CI/CD) capabilities. They leverage automation to speed up the development and testing of the product. Shifting security checks and fixes earlier in the development cycle helps to make security a foundational part of the collaborative development process. It also enables security gaps to be identified earlier in the cycle and resolved more quickly.

Government agencies need to adopt automatic security compliance and continuous enforcement, which can reinforce Zero Trust methods. This reduces the burnout of vulnerability analysis that can plague security teams. Agencies can maintain automation and control over today’s common hybrid Government infrastructure by integrating cloud platforms, operating systems, and network resources.

Automating these processes can free up security teams to focus on their agency’s main mission goals and activities. For example, security personnel can instead join CI/CD pipelines to help secure applications and provide additional insights. They can exert influence and improve the security of applications in ways that better align with the Zero Trust methodology they’re implementing.

As you move toward eliminating silos, sharing best practices and working collaboratively with agile development, adopting DevSecOps can also help:

·   Reduce change failure rate

·   Improve audit prep time and reduce the number of audits failed per year

·   Reduce time spent fixing security and compliance issues

Hybrid cloud environments

Cloud-based infrastructures offer scalability, remote access, and improved collaboration. Meanwhile, on-premises infrastructure can deliver the control, capabilities, and security that might not be achievable in the cloud.

The beauty of hybrid tools and environments is that they’re agile and can work in unison. However, this flexibility needs to be balanced against the requirement for IT to create a hybrid environment without compromising Zero Trust security and policy compliance requirements.

IT teams need to consider four key aspects: security, documentation and discovery, monitoring, and automation.

Security: When creating a hybrid cloud, IT departments should consider the full range of work, including cyber threats outside traditional network boundaries, with Zero Trust continuous verification whether users are on-premises, offsite at a partner location or remote.

Documentation and discovery: Clear, usable documentation and discovery are critical for a secure, agile hybrid IT environment. Often, security risks are not malicious or intentional, just simple human error – 95% according to the World Economic Forum’s 2022 Global Risk Report. When reviewing the lifecycle of vulnerability management across different clouds and environments, the inventory and discovery of all assets across the infrastructure, with a plan to remediate vulnerabilities, are critical to monitor and protect resources.

Monitoring: Effective monitoring across the hybrid platform requires additional planning and a slightly different approach than in traditional, homogeneous environments. Using APIs is a way to integrate monitoring protocols and keep a unified watch over cloud and on-premises resources, creating improved visibility and monitoring over an entire infrastructure. APIs can help ensure consistent performance and more accurate inventory data.

Automation: Automation not only reduces workloads but manages scale and improves security and response times. With solutions available today, IT departments can develop low-code workflows that automate incident response, event-driven workflow operations, security and continuous delivery of updates.

Infrastructure as code

As the definition of the ‘traditional Government workplace’ continues to morph and change, agencies must rethink everything from security to compliance and basic agency operations. Today’s agency IT environments need infrastructures that can scale securely.

Infrastructure as code is the practice of treating an IT infrastructure as if it were software code – and it’s a great way to approach scalability. It’s a mindset that defines a hybrid environment as a programmable language and treats the process of managing the maintenance and operations of the infrastructure in the same agile way that DevOps teams do.

Using infrastructure as code can help IT teams approach infrastructure using software development practices, such as version control, peer review, automated testing, release tagging, integration, and delivery. This is possible because even though IT infrastructures evolve, the main challenges that agency teams work through remain the same and are similar to those found in the traditional software CI/CD:

●  Identify challenges and issues

●  Develop solutions, then propose adoption into the main code

●  Prove a given change is safe and accurate by deploying it to a simulated production environment for testing

●  Deploy changes to a large part of the infrastructure for validation

●  Check the current state of the changes and remediate issues where necessary

Perform the above as quickly, efficiently, and securely as possible while remaining compliant.

The world has changed, and there is no going back. Agencies need to develop and refine their offerings to embrace this new world. Together, these three crucial elements can help pave the way towards modern, efficient and effective agency delivery for Government across all departments.

About Puppet by Perforce

Puppet by Perforce empowers people to innovate through infrastructure automation. For more than a dozen years, Puppet has led the way in IT infrastructure automation to simplify complexity for the masses in order to strengthen customers’ security posture, compliance standards, and business resiliency beyond the data center to the cloud. More than 40,000 organizations — including more than 80 percent of the Global 5000 — have benefited from Puppet’s open source and commercial solutions. In 2022, Puppet was acquired by Perforce Software.