Have you ever heard of “shift left”? It hasn’t been in my vocabulary until recently either. Shift left is a term used by information technology (IT) developers and DevOps types to describe the push to move operational testing and cybersecurity technologies earlier in the development cycle – or towards the left, if you imagine a graph showing the development cycle over time, progressing from left to right.
Shift-left concepts will become more important as the cloud world focuses on building apps that can run anywhere, on any cloud or platform. The shift left will involve building more automation, security, and networking functionality directly into the application, so that application code can orchestrate and automate infrastructure requests, including security, depending on the needs of the application. This is also known in the industry as the “as code” model (networking as code, security as code, etc.).
NetEvents Panel Highlights Shift Left
This topic emerged as the big winner from the recent NetEvents Interactive webinar on January 11, where I moderated a panel of experts. Many of the tech leaders on the panel, who were picking tech trends for 2022, agreed that there were plans to put more emphasis on the shift left.
“Two big topics in today’s cyber world [include] supply chain risk and how to secure from the first phase of building applications – in other words, we call it ‘shifting left’ in the world of cybersecurity,” said Hiro Rio Maeda, managing partner at DNX Ventures, a venture capital firm.
Galeal Zino, founder and CEO of NetFoundry, agreed.
“Unless we can move to the left, unless we can move networking and security to the heart of the development lifecycle… it’s too late. And that’s a real big difference from the world of 10 to 20 years ago, where networking and security could be outside at the edge on day two [operations].”
That’s the code, stupid
The supply chain risks Maeda refers to were highlighted by the SolarWinds hack debacle, in which the bad guys inserted malicious code into a SolarWinds software update. SolarWinds is a network management system installed on thousands of devices. An estimated 18,000 or more customers downloaded the malicious code, which the hackers then used to penetrate deep into networks. SolarWinds CEO Sudhakar Ramakrishna, hired after the breach, estimated that around 100 companies and agencies were compromised, including the Cybersecurity and Infrastructure Agency.
Many security tools are designed to detect vulnerabilities or threats after the fact, that is, when the bad guys are already there. The idea of the shift left is that security code and policy can be implemented earlier in the development process, like a zero-trust approach that checks code and changes across multiple vectors to stop threats before they get a foothold.
This approach is badly needed in a world that constantly promotes accelerated software development processes, especially in the cloud – an approach called continuous integration and continuous delivery, or CI/CD.
Shifting left, the idea is to test code and check for vulnerabilities as it is developed, as part of the DevOps process. The idea is particularly powerful because the cloud has shattered the notion that an organization has a security “perimeter”. With nearly everyone using the cloud and/or the internet ubiquitously, there are no gates to defend – attackers can be in the code itself.
Zero Trust and confidential cloud
It’s clear to me that two of the areas that need to be shifted left include networking functionality as well as cybersecurity, which were discussed in our Trends 2022 panel. The specific cybersecurity approaches that we believe will gain ground in 2022 include zero trust and confidential cloud. Both of these can benefit from a shift left.
Zero trust is a principle more than a technology, but it is applied in many different areas of cybersecurity. The idea is that an application, network or service should not trust any person, connection or device by default. Instead, it should assume everything is hostile and check the connection and identity of users (whether human or machine) across multiple vectors. This includes verifying a signed user, network, device or application identity.
NetFoundry’s Zino believes in zero trust, which is the principle behind his company’s networking-as-code approach.
“You put the ability into application code to generate a secure, by design, session-specific overlay,” Zino said.
Another emerging area is confidential computing, or confidential cloud as we call it at Futuriom. Confidential cloud addresses an even deeper need for cloud security: protecting processing in the chips themselves. One of the challenges of the cloud operations model is that customers aren’t sure what’s going on with data or application security in the various cloud services they use, and they want more assurance that everything is secure. Confidential cloud seeks to encrypt data and application code at the memory and hardware level of the cloud infrastructure, while giving control of that security to the organizations that operate the applications. This concept is called a “secure enclave”. Imagine cloud processing power encrypted and memory-locked so customers can segment and secure their data. This is desperately needed in cloud infrastructure to give organizations confidence that their data is safe, even while it’s being processed.
Anjuna Security is one of the startups involved in this market. Ayal Yogev, CEO and co-founder of Anjuna, says confidential cloud is part of the shift-left movement to provide better security for cloud applications.
“The big challenge that organizations see with the cloud is [that] the cloud advantage also creates this huge security problem,” Yogev said. “The cloud is basically someone else running your infrastructure. By definition, if someone manages your infrastructure, they have access to all your data.”
How to solve this problem? Confidential cloud will come in the form of many different technologies that encrypt and segment specific application workloads at the memory and chip level in the cloud. This is a third security domain – data in use – which is less mature than domains such as data in motion (networking) or data at rest (storage). Confidential cloud deals with the security of data and code inside the memory space of a chip. For more information on the companies involved, you can consult the Confidential Computing Consortium.
“The challenge now is that everything is updated and there are all these different components, all these different parts that are updated all the time,” Yogev said. “It’s a huge challenge, but it’s also a huge opportunity because what you can do is you can compartmentalize [application code], which brings you back to the world of micro-segmentation.”
Thus, the shift left will have a significant impact on the security movement and is also part of the DevSecOps movement, which aims to make security mainstream.
But shifting left also goes beyond security. Networking, which is closely related to cybersecurity, will also be a big part of the picture.
In short, we can expect the shift-left mindset to permeate many layers of the cloud infrastructure – network, code, operating systems, and hardware down to the memory level. All of this needs to happen to implement better security policy and techniques in code that runs in the cloud.
Yes, shift left may be another buzz phrase to follow, but it’s an important phrase that will have a big impact on how applications interact with the infrastructure. You will hear a lot more about the shift left in the cloud community in 2022.