Never heard of the “shift left”? It hasn’t been in my vocabulary until recently, either. The shift left is a term used by information technology (IT) developers and DevOps types to describe the drive to push more operational testing and cybersecurity technologies further up in the development cycle – or to the left if you imagine a chart showing the development cycle over time, progressing from left to right.
Shift left concepts will become more important as the cloud world focuses on building applications that can run anywhere, on any cloud or platform. The shift left will entail building more automation, security, and networking features directly into the application, so that the application's code can orchestrate and automate its own infrastructure demands, including security, based on what the application needs. In the industry this is also known as the "as code" model (networking as code, security as code, and so on).
NetEvents Panel Highlights Shift Left
This topic emerged as the clear winner in the recent NetEvents Interactive webinar on January 11, where I acted as the moderator of a panel of experts. Many of the technology leaders on the panel, which covered technology trends for 2022, agreed that more emphasis on the shift left was in the cards.
“Two big topics in the cyber world today [include] supply-chain risk and how to secure at the earliest phase of application building — in other words, we are calling it ‘shift left’ in the cybersecurity world,” said Hiro Rio Maeda, Managing Partner with DNX Ventures, a venture capital firm.
Galeal Zino, Founder and CEO of NetFoundry, agreed.
“Unless we can shift left, unless we can move networking and security into the heart of the development delivery lifecycle … it’s too late. And that’s a real important difference from the world 10-20 years ago, where networking and security could be on the outside on the periphery in day two [operations].”
It’s the Code, Stupid
The supply-chain risks that Maeda refers to were highlighted by the SolarWinds breach, in which attackers inserted malicious code into a legitimate, digitally signed update for SolarWinds' Orion network management platform, which is installed in thousands of organizations. An estimated 18,000 or more customers downloaded the trojanized update, which the attackers then used as a foothold inside selected networks. SolarWinds CEO Sudhakar Ramakrishna, hired after the breach, estimated that about 100 companies and agencies were actually compromised, including the Cybersecurity and Infrastructure Security Agency (CISA).
Many security tools are designed to detect breaches or threats after the fact, when the attackers are already in. The idea of shift left is that security controls and policy are applied earlier in the development process, for example a zero-trust approach that verifies code and changes against several independent signals to stop threats before they are deployed.
This approach is sorely needed in a world that constantly pushes for faster software delivery, especially in the cloud, through continuous integration and continuous delivery, or CI/CD.
By shifting left, the idea is to test code and look for vulnerabilities as it is being developed, as part of the DevOps process. The idea is especially powerful because the cloud has broken down the notion that an organization has a security "perimeter." With almost everybody pervasively using the cloud and/or the Internet, there are no gates or doors to defend; the attackers can be in the code itself.
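One concrete form the "verify changes before they are plugged in" idea takes is a pipeline gate that refuses to build with any dependency whose digest does not match what was reviewed. The following is an added example written for this article, not code from SolarWinds, NetEvents or any company quoted here: a fail-closed CI check that compares every fetched artifact against a SHA-256 digest pinned in a lock file. The artifact names, their contents and the lock file are all constructed for the example.

```python
"""Added example (not from the article or any vendor quoted in it): a
fail-closed CI gate that verifies every fetched build artifact against a
SHA-256 digest pinned in a lock file before the build may use it. Artifact
names, contents and the lock file are constructed for this example."""
from __future__ import annotations

import hashlib
import hmac

# Constructed "reviewed" artifacts. In a real pipeline the lock file holds hex
# digests committed to the repository after review; here the digests are derived
# from the reviewed bytes so the example runs offline and stays self-contained.
_REVIEWED = {
    "netlib-1.4.2.tar.gz": b"netlib source tree as reviewed on 2022-01-11",
    "orchestrator-0.9.0.whl": b"orchestrator wheel as reviewed on 2022-01-11",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The lock file the pipeline trusts: artifact name -> pinned digest.
LOCK: dict[str, str] = {name: sha256_hex(data) for name, data in _REVIEWED.items()}


def check_artifact(name: str, data: bytes, lock: dict[str, str] = LOCK) -> tuple[bool, str]:
    """Return (allowed, reason) for one artifact. Anything not pinned is rejected."""
    pinned = lock.get(name)
    if pinned is None:
        return False, f"{name}: not in lock file (unpinned dependency)"
    actual = sha256_hex(data)
    # compare_digest: constant-time comparison, so a mismatch does not leak
    # how many leading characters of the digest happened to match.
    if not hmac.compare_digest(actual, pinned):
        return False, f"{name}: digest mismatch (pinned {pinned[:12]}.., got {actual[:12]}..)"
    return True, f"{name}: ok"


def gate(fetched: dict[str, bytes], lock: dict[str, str] = LOCK) -> tuple[bool, list[str]]:
    """Check every fetched artifact; the build proceeds only if all of them pass."""
    results = [check_artifact(name, data, lock) for name, data in fetched.items()]
    return all(ok for ok, _ in results), [reason for _, reason in results]


# Constructed download set: one genuine copy, one altered in transit (a single
# byte appended), and one dependency that was never pinned at all.
FETCHED = {
    "netlib-1.4.2.tar.gz": _REVIEWED["netlib-1.4.2.tar.gz"],
    "orchestrator-0.9.0.whl": _REVIEWED["orchestrator-0.9.0.whl"] + b"\x00",
    "telemetry-agent-2.0.jar": b"pulled from a mirror, never reviewed",
}

if __name__ == "__main__":
    allowed, reasons = gate(FETCHED)
    print("\n".join(reasons))
    print("BUILD ALLOWED" if allowed else "BUILD BLOCKED")
```

Run as a script, the gate prints one line per artifact and then BUILD BLOCKED, because two of the three fetched files fail. The caveat a practitioner should keep in mind: a pinned digest catches tampering between the reviewed artifact and the build (a swapped download, a poisoned mirror, an unpinned transitive dependency), but it cannot catch a vendor whose own build pipeline was compromised, as in the SolarWinds case, where the trojanized update carried a valid vendor signature. Defending against that requires provenance for how an artifact was built, not just a check on what it hashes to.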
Zero Trust and Confidential Cloud
It’s clear to me that two of the areas that need to shift left include networking functionality as well as cybersecurity, which were discussed on our Trends for 2022 panel. Specific cybersecurity approaches that we think will gain traction in 2022 include zero trust and confidential cloud. Both of these can benefit from a shift left.
Zero trust is a principle more than a technology, but it is being applied in many different areas of cybersecurity. The idea is that an application, a network, or a service should not implicitly trust any person, connection, or device. Instead, it should assume that everything is hostile and verify both the connection and the identity of the user (whether human or machine) across multiple independent signals. This includes verifying a signed identity for the user, the network, the device, and the application.
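To make the "verify across multiple signals" idea concrete, here is an added example written for this article, not code from NetFoundry or any vendor quoted here. It is a default-deny access check: a request is allowed only when a signed user token, a signed device token bound to that user, the device's posture, and the calling application's build measurement all verify, while the request's network address is deliberately ignored. The issuer keys, tokens, measurements and the fixed clock are constructed for the example; HMAC stands in for the asymmetric signatures an identity provider or device-attestation service would really use.

```python
"""Added example (not from the article, NetFoundry or any vendor quoted in it):
a default-deny access check in the zero-trust style described above. A request is
allowed only when several independently verified signals agree: a signed user
token, a signed device token bound to that user, device posture, and the calling
application's build measurement. Keys, tokens, measurements and the clock are all
constructed for this example."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed issuer keys. Real deployments verify asymmetric signatures from an
# identity provider and a device-management / attestation service; HMAC stands in
# here so the example runs offline with the standard library.
USER_ISSUER_KEY = b"constructed-idp-signing-key"
DEVICE_ISSUER_KEY = b"constructed-mdm-signing-key"

# Constructed fixed clock (seconds since epoch, January 2022) for deterministic results.
NOW = 1_641_900_000.0

# Allowlisted application build measurements (constructed): only known code may call us.
ALLOWED_APP_HASHES = {"sha256:" + hashlib.sha256(b"ledger-svc build 42").hexdigest()}
GOOD_APP = next(iter(ALLOWED_APP_HASHES))


def sign(claims: dict, key: bytes) -> str:
    """Encode claims and append an HMAC-SHA256 tag: '<base64 body>.<hex tag>'."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify(token: str, key: bytes, now: float) -> dict | None:
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # check the tag before trusting the body
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(request: dict, now: float = NOW) -> tuple[bool, str]:
    """Default deny. Every signal must verify; request['source_ip'] is deliberately
    never consulted, because network location grants no trust on its own."""
    user = verify(request.get("user_token", ""), USER_ISSUER_KEY, now)
    if user is None:
        return False, "deny: user identity not verified"
    device = verify(request.get("device_token", ""), DEVICE_ISSUER_KEY, now)
    if device is None:
        return False, "deny: device identity not verified"
    if device.get("user") != user.get("sub"):
        return False, "deny: device not bound to this user"
    if not device.get("disk_encrypted", False):
        return False, "deny: device posture check failed"
    if request.get("app_hash") not in ALLOWED_APP_HASHES:
        return False, "deny: calling application not on allowlist"
    if request.get("resource") not in user.get("scopes", []):
        return False, "deny: identity not entitled to resource"
    return True, f"allow: {user['sub']} -> {request['resource']}"


def build_request(*, user_key: bytes = USER_ISSUER_KEY, device_key: bytes = DEVICE_ISSUER_KEY,
                  app_hash: str = GOOD_APP, exp: float = NOW + 600,
                  disk_encrypted: bool = True, resource: str = "ledger:read") -> dict:
    """Constructed request; keyword overrides let each case break exactly one signal."""
    user_token = sign({"sub": "alice", "exp": exp, "scopes": ["ledger:read"]}, user_key)
    device_token = sign({"user": "alice", "exp": exp, "disk_encrypted": disk_encrypted}, device_key)
    return {"user_token": user_token, "device_token": device_token, "app_hash": app_hash,
            "resource": resource, "source_ip": "10.0.0.7"}  # "inside" address, ignored


if __name__ == "__main__":
    cases = {
        "all signals good": build_request(),
        "expired user token": build_request(exp=NOW - 1),
        "forged device token": build_request(device_key=b"not-the-mdm-key"),
        "unencrypted device": build_request(disk_encrypted=False),
        "unknown app build": build_request(app_hash="sha256:0000"),
        "out of scope": build_request(resource="ledger:write"),
    }
    for label, req in cases.items():
        print(f"{label:22} {authorize(req)[1]}")
```

The design point is the ordering and the default: the function starts from deny and only reaches allow after every signal has been independently checked, and breaking any single signal (an expired token, a device token signed by the wrong issuer, a laptop without disk encryption, an unknown application build, or a scope the identity was never granted) produces a distinct, logged denial. The private source address is carried in the request precisely to show that it never influences the decision.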
NetFoundry’s Zino believes in zero trust, which is the principle behind his company’s networking-as-code approach.
“You put the capability into the application code to generate a secure, by-design overlay, specific to its session,” said Zino.
Another emerging area is being referred to as confidential computing, or confidential cloud as we are calling it at Futuriom. Confidential cloud addresses an even deeper need in cloud security: protecting data while it is being processed in the chips themselves. One of the challenges of the cloud operations model is that customers cannot see what happens to their data and applications inside the cloud services they use, and they want stronger assurances that it is all secure. Confidential cloud seeks to encrypt data and application code at the memory and hardware level of the cloud infrastructure, while giving control over that protection to the organization operating the application rather than to the cloud provider. The protected region is referred to as a "secure enclave." Picture the cloud's processing power being encrypted and locked down at the memory level so that clients can segment and secure their data. This is badly needed in cloud infrastructure to give organizations assurances that their data is safe even while it is being processed.
Anjuna Security is one of the startups involved in this market. Ayal Yogev, CEO and Cofounder of Anjuna, says that confidential cloud is all part of the shift left movement to provide better security for apps in the cloud.
"The big challenge that organizations are seeing with the cloud is [that] the benefit of the cloud also creates this huge security problem," said Yogev. "The cloud is essentially somebody else managing your infrastructure. By definition, if somebody is managing your infrastructure, they have access to all of your data."
How to fix that? Confidential cloud will come in the form of many different technologies that encrypt and isolate specific application flows at the memory and chip level in the cloud. This is a third area of security, data in use, which is less mature than data in motion (networking) or data at rest (storage). Confidential cloud addresses the security of data and code in memory while the chip is processing them. For more information about the companies involved you can take a look at the Confidential Computing Consortium.
“The challenge now is that everything is being updated and there’s all these different components, all these different pieces being updated all the time,” said Yogev. “That’s a huge challenge, but it’s also a huge opportunity because what you can do is you can compartmentalize [application code] which brings you back to the world of micro-segmentation.”
So, shift left will have a significant impact on the security movement and is also part of the DevSecOps movement, which aims to integrate security into the development and operations process rather than bolting it on afterward.
But shift left also goes beyond security. Networking, which is closely tied to cybersecurity, will also be a big part of the picture.
In short, we can expect the shift-left mindset to permeate many layers of cloud infrastructure – networking, code, operating systems, and hardware down to the memory level. All this needs to happen to implement better security policy and techniques in the code that runs in the cloud.
Yes, shift left might be another buzzphrase to track, but it’s an important one that will have big impact on the way that applications interact with infrastructure. You will be hearing a lot more about the shift left in the cloud community in 2022.