Cloud Platform-as-a-Service, or PaaS, is primarily designed for independent software vendors (ISVs). Leveraging PaaS allows ISVs to develop, run, manage and scale their software and services without worrying about infrastructure management. Developers can build on top of cloud PaaS to write their code and use it as a code hosting platform for version control and collaboration. It lets developers work together on projects from anywhere, which is increasingly important considering the ongoing pandemic.
A paradigm shift
Developing directly in the cloud allows developers to focus more on the creative aspects of app development. With cloud DevOps, ISVs only need to manage applications and data. Traditionally, PaaS infrastructure provided operating systems, runtime, middleware, virtualization, servers, storage, networking, and disaster recovery.
Recently, we have been witnessing tremendous changes and additions to cloud PaaS services. New cloud product suites are added continuously, including artificial intelligence, machine learning, analytics, and the Internet of Things (IoT), allowing ISVs to transform their applications and unlock the value of data through analytics and AI/ML. ISVs are seeking to take advantage of the technology ecosystems that these services enable. Furthermore, these new product suites enable ISVs to save on cost, shorten their time to market, and deliver more comprehensive software solutions.
DevOps and developer tools are available for every phase of the application life cycle. Developers can implement DevOps practices throughout app planning, development, delivery, and operations. Azure offers the following DevOps tools – GitHub, CI/CD Pipelines, Azure Boards, Azure Monitor, and AKS (Azure Kubernetes Service). Applying the right combination of DevOps technologies, tools, and processes enables continual software delivery and better outcomes.
Security is key
With attacks growing more sophisticated, it is imperative for ISVs to have a strong understanding of how to secure and protect their cloud deployments. Their IT teams worry about data security and therefore must either properly manage these deployments themselves or rely on cloud service providers to do it for them. Investing in DevOps adds another dimension to that. Kubernetes and containers are hugely valuable for cloud deployments, but there is still a lot that needs to be done to ensure they are secure. To protect Azure Kubernetes Service (AKS) deployments, one must consider the following –
- Using Azure Container Networking Interface (CNI) to create a virtual network (VNet) subnet for each AKS cluster.
- Configuring group policy objects (GPOs) to implement Center for Internet Security (CIS) hardening.
- Provisioning Azure Defender and Sentinel to enable host and container scanning, intrusion prevention, and logging and monitoring.
- Ensuring strong authentication and access control methods are in place.
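The network isolation, Defender/monitoring and authentication items in the list above translate into a handful of Azure CLI calls. The script below is an added example written for this page, not Project Hosts' own tooling or an Azure sample: it places the cluster in its own VNet subnet with Azure CNI, fronts that subnet with a network security group, turns on the Defender profile and the Azure Monitor add-on, and replaces local kubeconfig accounts with Azure AD authentication plus Azure RBAC. Resource names, address ranges, the admin group object id and the Log Analytics workspace id are placeholders (override them through the environment); `DRY_RUN=1` (the default) only prints the commands, `DRY_RUN=0` executes them against a logged-in `az` session.

```shell
#!/bin/sh
# Added example, not the page's or Project Hosts' code. Provisions a hardened AKS
# cluster following the checklist above. All names and ids below are placeholders.
RG="${RG:-aks-hardened-rg}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-aks-vnet}"
SUBNET="${SUBNET:-aks-subnet}"
CLUSTER="${CLUSTER:-aks-hardened}"
# Placeholder: object id of the Azure AD group that should hold cluster-admin rights.
ADMIN_GROUP_ID="${ADMIN_GROUP_ID:-00000000-0000-0000-0000-000000000000}"
# Placeholder: resource id of the Log Analytics workspace that Azure Monitor (and a
# Sentinel instance enabled on the same workspace) will collect cluster logs into.
WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/<subscription-id>/resourceGroups/$RG/providers/Microsoft.OperationalInsights/workspaces/aks-logs}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: one dedicated VNet subnet per cluster. With Azure CNI every pod takes an IP
# from this subnet, so the /22 here must cover (nodes x max pods per node) plus growth.
create_network() {
  run az network vnet create --resource-group "$RG" --location "$LOCATION" \
    --name "$VNET" --address-prefixes 10.10.0.0/16 \
    --subnet-name "$SUBNET" --subnet-prefixes 10.10.0.0/22
  # A network security group on the subnet is the place for the firewall rules that
  # a compliance assessor expects to see around every subnet.
  run az network nsg create --resource-group "$RG" --location "$LOCATION" --name "$SUBNET-nsg"
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --network-security-group "$SUBNET-nsg"
}

# Resource id of the subnet; looked up for real runs, a placeholder when printing.
subnet_id() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "<subnet-resource-id>"
  else
    az network vnet subnet show --resource-group "$RG" --vnet-name "$VNET" \
      --name "$SUBNET" --query id -o tsv
  fi
}

# Step 2: the cluster itself.
#  --network-plugin azure / --network-policy azure : Azure CNI on the subnet above,
#                                                     with Kubernetes NetworkPolicy enforced
#  --enable-defender                               : Microsoft Defender profile for
#                                                     runtime container threat detection
#  --enable-addons monitoring                      : Azure Monitor container insights into
#                                                     the workspace (Sentinel reads it too)
#  --enable-aad --enable-azure-rbac                : Azure AD sign-in plus Azure RBAC for
#                                                     Kubernetes authorization
#  --disable-local-accounts                        : no static admin credentials in kubeconfig
# Node-level CIS hardening (the GPO item above) is applied on the node image, not here.
create_cluster() {
  run az aks create --resource-group "$RG" --location "$LOCATION" --name "$CLUSTER" \
    --network-plugin azure --network-policy azure --vnet-subnet-id "$(subnet_id)" \
    --enable-managed-identity \
    --enable-defender \
    --enable-addons monitoring --workspace-resource-id "$WORKSPACE_ID" \
    --enable-aad --enable-azure-rbac --aad-admin-group-object-ids "$ADMIN_GROUP_ID" \
    --disable-local-accounts
}

main() {
  create_network
  create_cluster
}

main "$@"
```

Running it as-is prints the plan; review the address ranges and the admin group before switching `DRY_RUN` off, because the subnet size and the Azure AD group are the two values that are awkward to change once the cluster exists.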
Is compliance the last barrier to cloud adoption?
PaaS deployments bring a new set of compliance challenges. The old model of a SaaS solution implemented on top of a cluster of app and database servers, where data is contained and access to the deployment is managed through a single point protected by a single gateway, no longer applies. The PaaS compliance scope has since expanded dramatically. Leveraging PaaS tools and services that live outside the boundary of the deployment creates multiple access points. Protecting sensitive data in transit between the deployment and these PaaS services is becoming a complicated and daunting task. Access control, logging, and monitoring policies and practices must be updated and implemented at all of these points.
Customers care about compliance. With the introduction of more prescriptive compliance standards and frameworks like FedRAMP, DoD IL-5, StateRAMP, and HITRUST, CISOs have learned that being compliant equals being secure. In many cases, customers mandate the implementation of these standards and require their ISVs either to certify themselves or to comply with these standards by running in a cloud-certified environment.
Can ISVs certify themselves, pass a security audit, and get an Authorization to Operate (ATO)? Of course, they can. But they will need to perform the following in order to do so:
- Manage access control and authentication
- Implement and monitor Azure Network Security Groups (firewall rules) around all subnets
- Audit and review audit logs and alerts
- Monitor systems for availability and performance issues and proactively take action
- Run monthly operating system, database, and web application vulnerability scans using approved scanners
- Run monthly baseline compliance scans (CIS/STIG)
- Patch and vulnerability management
- Configuration management
- Malware prevention and intrusion prevention
- Have a dedicated incident response and analysis team
- Have a contingency and disaster recovery planning and recovery team
- Manage 3PAO (third-party assessment organization) scanning and penetration testing of the application
- Provide monthly application-level scan results and findings to the authorizing official when required
Furthermore, navigating the bureaucracy and conflicting requirements to obtain authorization, and getting a federal agency to sponsor an ISV solution, are very difficult to accomplish.
But is “doing it yourself” the right thing to do?
ISVs can focus on what matters the most
ISVs run key applications in the cloud to take advantage of lower cost, scalability, and global availability. The ability to leverage the cloud for hosting, developing, securing, and assuring compliance of their applications enables them to focus on transforming their applications through innovative architectures and end-user experience, and to deliver a unique solution to their customers. By outsourcing the entire cloud migration and experience to cloud service providers, ISVs can direct the company’s effort to developing and selling their applications and growing their business.
Isn’t that what matters the most?
For more information about our ISV programs, contact sales: sales@projecthosts.com