<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Laurent Balmelli, PhD</title>
    <description>The latest articles on DEV Community by Laurent Balmelli, PhD (@loransha256).</description>
    <link>https://dev.to/loransha256</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1093048%2F60958cb2-61dd-4ff0-8599-87dd3ba2a604.jpg</url>
      <title>DEV Community: Laurent Balmelli, PhD</title>
      <link>https://dev.to/loransha256</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/loransha256"/>
    <language>en</language>
    <item>
      <title>How Secure Cloud Development Replaces Virtual Desktop Infrastructures</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Wed, 19 Jun 2024 09:31:24 +0000</pubDate>
      <link>https://dev.to/loransha256/how-secure-cloud-development-replaces-virtual-desktop-infrastructures-1mk</link>
      <guid>https://dev.to/loransha256/how-secure-cloud-development-replaces-virtual-desktop-infrastructures-1mk</guid>
      <description>&lt;p&gt;In this article, I discuss how modern virtualization and security advancements have led to technology that enables the online delivery of secure development environments, eliminating the need for a virtual desktop infrastructure and secure development laptops.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Do Organizations Need Secure Development Environments?
&lt;/h2&gt;

&lt;p&gt;The need to secure corporate IT environments is common to all functions of organizations, and software application development is one of them.&lt;/p&gt;

&lt;p&gt;At its core, the need for securing IT environments in organizations arises from the digital corporate assets that they carry. It’s often data attached to privacy concerns, typically under regulations such as &lt;a href="https://gdpr-info.eu/"&gt;GDPR&lt;/a&gt; or &lt;a href="https://www.hhs.gov/hipaa/index.html"&gt;HIPAA&lt;/a&gt;, or application source code, credentials, and most recently operational data that can have strategic significance.&lt;/p&gt;

&lt;p&gt;Threat scenarios attached to corporate data are not limited &lt;a href="https://strong.network/article/thwarting-the-theft-of-oauth-session-tokens"&gt;to data leaking to outsiders but also include insiders&lt;/a&gt; with nefarious intent exfiltrating data. Hence the security problem is multifaceted: it spans from careless asset handling to willful mishandling.&lt;/p&gt;

&lt;p&gt;In the case of environments for software application development, the complexity of the security problem lies in addressing the diversity of these environments’ settings. They range from data access needs and environment configuration to the developer’s relationship with the company, e.g. internal employee, consultant, temporary, etc.&lt;/p&gt;

&lt;p&gt;Security left aside, development environments have notoriously complex setups and often require significant maintenance because many applications and data are locally present on the device’s internal storage, for example the integrated development environment (IDE) and the application’s source code.&lt;/p&gt;

&lt;p&gt;Hence, for these environments data protection against leaks will target locally stored assets, i.e. source code, credentials, and potentially sensitive data.&lt;/p&gt;

&lt;h2&gt;
  
  
  Assessing the Risk of Locally Stored Data
&lt;/h2&gt;

&lt;p&gt;Let’s first take a quick step back in ICT history and look at an oft-cited &lt;a href="https://gato-docs.its.txst.edu/jcr:e9cb0ca7-e003-4b93-aab1-daab1bc9e1fe/The_Billion_Dollar_Lost_Laptop_Study.pdf"&gt;2010 benchmark study named The Billion Dollar Lost Laptop Problem&lt;/a&gt;. The study looks at 329 organizations over 12 months and reports that over 86,000 laptops were stolen or lost, resulting in a loss of 2.1 billion USD, an average of 6.4 million per organization.&lt;/p&gt;

&lt;p&gt;In 2010, the use of the Cloud as a storage medium for corporate data was nascent, hence today, the metrics to determine the cost and impact of the loss of a corporate laptop would likely look very different.&lt;/p&gt;

&lt;p&gt;For example, for many of the business functions that were likely to be impacted at that time, Cloud applications have brought today a solution by removing sensitive data from employees’ laptops. This has mostly shifted the discussion on laptop security to protecting the credentials required to access Cloud (or self-hosted) business resources, rather than protecting locally stored data itself.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcr5au9i24hbyzz287744.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcr5au9i24hbyzz287744.png" alt="Image description" width="800" height="473"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;&lt;strong&gt;Figure:&lt;/strong&gt; In 2024, most business productivity data has already moved to the cloud. Back in the 2010s, a notable move was CRM data, which ended up greatly reducing the risk for corporate data leaks.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;There is, though, a notable exception to the above shift in technology: the environments used for code development. For practical reasons, devices used for development today have a replica of projects’ source code, in addition to corporate secrets such as credentials, web tokens, cryptographic keys and perhaps strategic data to train machine learning models or to test algorithms.&lt;/p&gt;

&lt;p&gt;In other words, there is still plenty of interesting data stored locally in development environments that warrants protection against loss or theft. Therefore, the interest in securing development environments has not waned.&lt;/p&gt;

&lt;p&gt;There are a variety of reasons for malicious actors to go after assets in these environments, from accessing corporate intellectual property (&lt;a href="https://www.euronews.com/culture/2022/09/20/grand-theft-auto-vi-leak-could-this-be-the-biggest-hack-in-gaming-history"&gt;see the hack of Grand Theft Auto 6&lt;/a&gt;), to understanding existing vulnerabilities of an application in order to compromise it in operation.&lt;/p&gt;

&lt;p&gt;Once compromised, the application might provide access to sensitive data such as personal user information, including credit card numbers. See, for example, &lt;a href="https://www.forbes.com/sites/daveywinder/2022/09/02/samsung-has-been-hacked-what-data-has-been-stolen/?sh=4f67257039b9"&gt;the source code hack at Samsung&lt;/a&gt;. The final intent here is again to leak potentially sensitive or personal data. Recent and notorious hacks of this kind were &lt;a href="https://www.forbes.com/sites/daveywinder/2022/08/25/lastpass-hacked-password-manager-with-25-million-users-confirms-breach/?sh=3d2f8b927d5a"&gt;the one at password manager company LastPass&lt;/a&gt; and &lt;a href="https://www.securityweek.com/leaked-github-token-exposed-mercedes-source-code/"&gt;the Mercedes hack in early 2024&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Despite all these potential downfalls resulting from the hacking of a single developer’s environment, few companies today can accurately determine where the replicas of their source code, secrets and data are (hint: likely all over the devices of their distributed workforce), and most are poorly shielded against the loss of a laptop or a looming insider threat. Recall that using any online or self-hosted source code repository such as GitHub does not get rid of any of the replicas in developers’ environments. This is because local replicas are needed for developers to update the code before sending it back to the online Git repository. Hence protecting these environments is a problem that grows with the number of developers working in the organization.&lt;/p&gt;

&lt;h2&gt;
  
  
  Use Cases for Virtual Desktops and Secure Developer Laptops
&lt;/h2&gt;

&lt;p&gt;The desire to remove data from developers’ environments is prevalent across many regulated industries such as Finance and Insurance. One of the most common approaches is the use of development machines accessed remotely.&lt;/p&gt;

&lt;p&gt;Citrix and VMware have been key actors in this market by enabling developers to remotely access virtual machines hosted by the organization. In addition, these platforms implement data loss prevention mechanisms that monitor user activities to prevent data exfiltration.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdm5z8f26t1vl1q7efu13.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdm5z8f26t1vl1q7efu13.png" alt="Image description" width="607" height="302"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;&lt;strong&gt;Figure:&lt;/strong&gt;&lt;/em&gt; &lt;em&gt;Left - Developers remotely access virtual machines hosted by the organization. Right - Virtualization has evolved from emulating machines to processes, which is used as a staple for DevOps.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Running and accessing a virtual machine remotely for development has many drawbacks, in particular for the developer’s productivity. One reason is that the streaming mechanism used to access the remote desktop requires significant bandwidth to be truly usable and often results in irritating lags when typing code.&lt;/p&gt;

&lt;p&gt;The entire apparatus is also complex to set up as well as costly to maintain and operate for organizations. In particular, the use of a virtual machine is quite a heavy mechanism which requires significant computational resources (hence cost) to run.&lt;/p&gt;

&lt;p&gt;Finally, such a set-up is general-purpose, i.e. it is not designed in particular for code development and requires the installation of the entire development tool suite.&lt;/p&gt;

&lt;p&gt;For the reasons explained above, many organizations have reverted to securing developer laptops using end-point security mechanisms implementing data loss prevention measures. In the same way as for the VDI counterpart, this is also often a costly solution because such laptops have complex setups. When onboarding remote development teams, organizations often send these laptops through the mail at great expense, which complicates the maintenance and monitoring process.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Case for Secure Cloud Development Environments
&lt;/h2&gt;

&lt;p&gt;Recently, virtualization has evolved from emulating entire machines to the granularity of single processes with the technology of software containers. Containers are well-suited for code development because they provide a minimal and sufficient environment to compile typical applications, in particular web-based ones. Notably, in comparison to virtual machines, containers start in seconds instead of minutes and require much fewer computational resources to execute.&lt;/p&gt;

&lt;p&gt;Containers are typically a tool used locally by developers on their devices to isolate software dependencies related to a specific project in a way that the source code can be compiled and executed without interference with potentially unwanted settings.&lt;/p&gt;

&lt;p&gt;The great thing about containers is that they don’t have to remain a locally used development tool. They can be run online and used as an alternative to a virtual machine. This is the basic mechanism used to implement a Cloud Development Environment (CDE).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmkr7xsl8ll8riamvf1y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmkr7xsl8ll8riamvf1y.png" alt="Image description" width="562" height="352"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;&lt;strong&gt;Figure:&lt;/strong&gt;&lt;/em&gt; &lt;em&gt;Containers can be run online and become a lightweight alternative to a virtual machine. This is the basic mechanism to implement &lt;a href="https://strong.network/what-are-cdes"&gt;a Cloud Development Environment&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Running containers online has been one of the most exciting recent trends in virtualization aligned with DevOps practices where containers are critical to enable efficient testing and deployments. CDEs are accessed online with an IDE via a network connection (Microsoft Visual Studio Code has &lt;a href="https://code.visualstudio.com/docs/remote/ssh"&gt;such a feature as explained here&lt;/a&gt;) or using a Cloud IDE (an IDE running in a web browser such as &lt;a href="https://code.visualstudio.com/docs/remote/ssh"&gt;Microsoft Visual Studio Code&lt;/a&gt;, &lt;a href="https://theia-ide.org/"&gt;Eclipse Theia&lt;/a&gt; and others).&lt;/p&gt;

&lt;p&gt;A Cloud IDE allows a developer to access a CDE with the benefit that no environment needs to be installed on the local device. Access to the remote container is done transparently. Compared to a remotely executing desktop as explained before, discomfort due to a streaming environment does not apply here since the IDE is executing as a web application in the browser. Hence the developer will not suffer display lags in particular in low bandwidth environments as is the case with VDI and DaaS. Bandwidth requirements between the IDE and the CDE are low because only text information is exchanged between the two.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn733ehyoq3hydp6zv6if.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn733ehyoq3hydp6zv6if.png" alt="Image description" width="559" height="352"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;&lt;strong&gt;Figure:&lt;/strong&gt;&lt;/em&gt; &lt;em&gt;Access to the remote container is done with an IDE running in a web browser, hence developers will not suffer display lags in particular in low bandwidth environments.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;As a result, in the specific context of application development, the use of CDEs is a lightweight mechanism to remove development data from local devices. However, this still does not achieve the security delivered by Citrix and other VDI platforms, because CDEs are designed for efficiency and not for security. They do not provide any data loss prevention mechanism.&lt;/p&gt;

&lt;p&gt;This is where the case to implement secure Cloud Development Environments lies: CDEs with data loss prevention provide a lightweight alternative to the use of VDI or secure development laptops, with the additional benefit of an improved developer experience. The resulting platform is a &lt;a href="https://strong.network/why-strong-network"&gt;secure Cloud Development platform&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Using such a platform, organizations can start to significantly reduce the cost of provisioning secure development environments for their developers. In &lt;a href="https://strong.network/article/made-cde-secure"&gt;this additional article&lt;/a&gt;, I explain how such a platform is implemented.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhc98bhjf562olfj7tt7p.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhc98bhjf562olfj7tt7p.png" alt="Image description" width="580" height="288"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;&lt;em&gt;Figure:&lt;/em&gt;&lt;/strong&gt; &lt;em&gt;To become a replacement for VDIs or secure laptops, Cloud Development Environments need to include security measures against data leaks.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Moving From Virtual Desktops to Secure Cloud Development Environments
&lt;/h2&gt;

&lt;p&gt;As a conclusion to this discussion, below I briefly retrace the different steps to build the case for a secure Cloud-based development platform that combines the efficient infrastructure of CDE with end-to-end data protection against data exfiltration, leading to a secure CDE. This evolution is represented in the following figure.&lt;/p&gt;

&lt;p&gt;In the early 2010s, secure developer laptops were used to directly access corporate resources, sometimes using a VPN when outside the IT perimeter. According to the benchmark study that I mentioned at the beginning of this article, 41% of laptops routinely contained sensitive data.&lt;/p&gt;

&lt;p&gt;At this time, the use of virtual machines and early access to web applications has allowed organizations to remove data from local laptop storage. But code development on remote virtual machines was and remains strenuous.&lt;/p&gt;

&lt;p&gt;Around 2015, the use of lightweight virtualization based on containers has allowed quicker access to online development environments, but the focus of platforms in this space has been primarily on productivity.&lt;br&gt;
Finally, a secure Cloud Development Environment platform as shown in the rightmost part of the figure below illustrates the closest incarnation of the secure development laptop.&lt;/p&gt;

&lt;p&gt;Secure CDEs benefit from the experiences of pioneering companies like Citrix, seizing the chance to separate development environments from traditional hardware. This separation allows for a blend of infrastructure efficiency and security without compromising developers' experience.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwokj68njbpawda4s35ba.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwokj68njbpawda4s35ba.png" alt="Image description" width="627" height="201"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;&lt;strong&gt;Figure:&lt;/strong&gt;&lt;/em&gt; &lt;em&gt;A representation of the technological evolution of mechanisms used by organizations to provision secure development environments, across the last decade.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>virtualmachine</category>
      <category>vdi</category>
      <category>cde</category>
      <category>clouddevelopment</category>
    </item>
    <item>
      <title>Securing Development: Key Differences in Virtual Desktops, Enterprise Browsers and Cloud-Based Development</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Thu, 23 May 2024 10:29:12 +0000</pubDate>
      <link>https://dev.to/loransha256/securing-development-key-differences-in-virtual-desktops-enterprise-browsers-and-cloud-based-development-19dp</link>
      <guid>https://dev.to/loransha256/securing-development-key-differences-in-virtual-desktops-enterprise-browsers-and-cloud-based-development-19dp</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;Which technology to secure development? Check the top differences between virtual desktops, enterprise browsers, and secure cloud development environments.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Many organizations struggle to keep an application development workflow that is secure against data leaks, while jointly preserving developers’ experience and productivity. This challenge has driven market demand for secure development environments especially due to developers being increasingly targeted by hackers. Breaches are notably &lt;a href="https://www.securityweek.com/leaked-github-token-exposed-mercedes-source-code/"&gt;around source code&lt;/a&gt; and &lt;a href="https://www.securityweek.com/leaked-github-token-exposed-mercedes-source-code/"&gt;credentials&lt;/a&gt; (&lt;a href="https://www.f5.com/labs/articles/threat-intelligence/2023-identity-threat-report-the-unpatchables"&gt;see also this report&lt;/a&gt;), some leading to &lt;a href="https://techcrunch.com/2021/11/22/godaddy-breach-million-accounts/"&gt;personal information leaks&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;In this article, I’ll start with a quick rundown of the technologies available to organizations to address this challenge. Then, I’ll compare them across three dimensions: their applicability to support an application development process, their focus on security, and their impact on developer experience. At the end of this article, I’ll give a nuanced conclusion, in the sense that choosing any of these technologies shouldn’t necessarily be clear-cut. In other words, mixing them could even be beneficial in some cases. &lt;/p&gt;

&lt;h2&gt;
  
  
  What Are Virtual Desktops?
&lt;/h2&gt;

&lt;p&gt;The need to protect the development workflow has led to the emergence of technologies such as virtual desktops, notably from organizations such as &lt;a href="https://www.citrix.com/solutions/vdi-and-daas/virtualization-vdi.html"&gt;Citrix&lt;/a&gt; (&lt;a href="https://www.citrix.com/solutions/vdi-and-daas/virtualization-vdi.html"&gt;Virtual Desktop Infrastructure, or VDI&lt;/a&gt;) and &lt;a href="https://www.vmware.com/products/horizon.html"&gt;VMware (Horizon)&lt;/a&gt;. These are general-purpose desktops (Windows or Linux), where developers can install applications like Integrated Development Environments (IDE) and DevOps tools (e.g. &lt;a href="https://dzone.com/guides/containers-development-and-management"&gt;container management&lt;/a&gt;) and access web applications supporting their workflow. In effect, remote access to a virtual desktop removes the need to maintain sensitive data on the local device. In addition, it provides access to an alternative source of computing power to build applications. A typical access method for the remote desktop is the &lt;a href="https://en.wikipedia.org/wiki/Remote_Desktop_Protocol"&gt;Remote Desktop Protocol&lt;/a&gt; (RDP), which streams the desktop image to the local device.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Are Enterprise Browsers?
&lt;/h2&gt;

&lt;p&gt;More recently, enterprise browsers, with companies such as &lt;a href="https://www.island.io/"&gt;Island&lt;/a&gt;, &lt;a href="https://talon-sec.com/"&gt;Talon&lt;/a&gt;, and &lt;a href="https://docs.citrix.com/en-us/citrix-enterprise-browser.html"&gt;Citrix&lt;/a&gt;, have appeared as web-based alternatives to Virtual Desktops, although the focus is securing access to web applications, typically SaaS services, as opposed to providing access to a desktop. However, these browsers also support protocols such as RDP to provide access to remote desktops (also as virtual machines). Vendors in this field often position themselves as a VDI replacement. A marked difference is that their offerings typically do not include computing resources (unlike Citrix and VMware’s offerings). Hence, it is likely that organizations adopt them in the scope of a broader infrastructure set-up including &lt;a href="https://www.techtarget.com/searchvirtualdesktop/definition/desktop-as-a-service-DaaS"&gt;Desktop-as-a-Service&lt;/a&gt; (DaaS) when computing resources are needed.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Are Secure Cloud Development Environments?
&lt;/h2&gt;

&lt;p&gt;As a means to secure an application development process, a recent technology is &lt;a href="https://strong.network/article/the-need-for-secure-cloud-development-environments"&gt;Secure Cloud Development Environments&lt;/a&gt; (CDEs) and the associated platform used to manage them. The basic role of such a platform is to provide online access to development environments with security mechanisms via an IDE, in addition to providing secured access to the web applications used by developers (e.g. for code management). For the latter, a technology similar to the one used for enterprise browsers is used.&lt;/p&gt;

&lt;p&gt;The combination of remote access via IDE and secured web browsing aims at protecting the entire developer workflow against data leaks. Like in the case of a virtual desktop, local development data is in effect “removed” from local devices and computing is delivered via the Cloud. Hence, secure CDEs can be seen as a technology blending aspects of the previous two presented here.&lt;/p&gt;

&lt;p&gt;The figure below depicts the three technologies compared in this article.  &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxnsju61piumvbtlzsdqo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxnsju61piumvbtlzsdqo.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;From left to right, a thin client accesses a remote desktop, while an enterprise browser provides access to both web applications and remote desktops via RDP. On the right, a secure CDE platform provides a combination of remote access to a development environment via an IDE and secure web browsing.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Comparison of the Technologies
&lt;/h2&gt;

&lt;p&gt;Let's now dive into the key differences between the three technologies and highlight their roles and benefits. Note that, although virtual desktops and enterprise browsers are business process-agnostic, I only discuss their application in securing application development here.&lt;/p&gt;

&lt;h3&gt;
  
  
  Code Development Applicability
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Virtual Desktops
&lt;/h4&gt;

&lt;p&gt;In the context of code development, virtual desktops are used across business units, but more commonly in scenarios involving the onboarding of remote developers, implementation of BYOD policies, and others requiring centralized control and security over remote desktop environments, mostly Windows-based (although Linux hosts are also used).&lt;/p&gt;

&lt;p&gt;Any code development activities are performed on a generic desktop, which typically requires the installation of tools such as an IDE to start coding. As illustrated in the picture below (left), the remote desktop is used to code using the IDE and access a code management application. The remote desktop is also the primary source of compute to build applications. &lt;/p&gt;

&lt;h4&gt;
  
  
  Enterprise Browsers
&lt;/h4&gt;

&lt;p&gt;When used in the scope of a development process, an enterprise browser acts as a web front-end to access a remote desktop set-up for development (via RDP). Because secure browsers impose fewer infrastructure constraints than virtual desktops, they can be more easily deployed across both internal and remote developers. Still, enterprise browsers do not provide any development environments by themselves, hence in this setting, they are merely the front-end to an existing park of development machines (physical or virtual), accessed via the browser client. &lt;/p&gt;

&lt;p&gt;Hence, in the scope of a development process where a source of compute is needed, the setup is similar to a virtual desktop. A small difference is that the code management application in this case can be accessed securely using the browser on the developer device as opposed to a browser running on the virtual desktop. Here too, the remote desktop is the primary source of compute to build applications. This is shown in the middle part of the figure below. &lt;/p&gt;

&lt;h4&gt;
  
  
  Secure Cloud Development
&lt;/h4&gt;

&lt;p&gt;A secure CDE Platform is designed to onboard both internal and remote developers (incl. BYOD) on centrally managed and standardized environments. To run environments, the platform relies on lightweight virtualization using containers (i.e. a virtual process) as opposed to a virtual machine. Hence set-up and operations are much more efficient and more scalable because containers require fewer resources. Hence it is easy and economical to assign multiple environments to a single developer. Each container has its own source of compute and is easy to set or reconfigure without any loss of data. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuvkua6sytazxusxqpnxw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuvkua6sytazxusxqpnxw.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;From left to right, in both the cases of virtual desktops and enterprise browsers, a virtual machine hosts all the tools, computing power and provides connection to DevOps services. Secure Cloud Development provides access via IDE and secure browser to containerized environments and services, respectively.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The striking difference with a remote desktop is that developers do not need a desktop to develop applications. The platform is primarily suited for cloud-native, i.e. web-based (back-end/front-end) and mobile development (left part in the next figure). The Cloud environment is accessed directly via the IDE and developers typically run web applications on an environment’s port. The running application is then accessed via a local web browser. Note that it is possible to run a desktop on the containers if needed. In this case, it is streamed over a port and accessed via the browser as well (right part of the figure below).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Futmj6itntgl95l0wlve2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Futmj6itntgl95l0wlve2.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;Secure Cloud-based development does not require a desktop to build backend, web, and mobile applications. The same mechanism used to run applications on containers lets users access a desktop when necessary.&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Security Focus of the Technologies
&lt;/h3&gt;

&lt;p&gt;What about their security focus? &lt;/p&gt;

&lt;h4&gt;
  
  
  Virtual Desktops and Enterprise Browsers
&lt;/h4&gt;

&lt;p&gt;Virtual desktops secure the end-user environment by centralizing data and desktop applications, reducing endpoint vulnerabilities. Both Citrix and VMWare clients offer data leak prevention (DLP) measures that protect from data exfiltration via &lt;a href="https://community.citrix.com/tech-zone/build/tech-papers/cvad-security-best-practices/"&gt;system hardening measures&lt;/a&gt; encompassing user access, data egress restrictions, etc. &lt;/p&gt;

&lt;p&gt;Enterprise browsers aim to protect the organization from phishing, malware, and other threats when accessing web applications, and from user operations that could result in data leaks, including insider threats using DLP as well. &lt;/p&gt;

&lt;p&gt;In the case of enterprise browsers, security measures are primarily “client-focused”, because users do not have access to the backend of the application they use. In the case of virtual desktops, security measures are more complex and include network policies. Such policies might be necessary to avoid data exfiltration using internet connectivity once on the remote application. This shows a potential limitation of enterprise browsers as a VDI replacement when accessing desktops: it is likely that no security measures are provided to protect from operations on the desktop. However, this aspect could be vendor-dependent.&lt;/p&gt;

&lt;h4&gt;
  
  
  Secure Cloud Development
&lt;/h4&gt;

&lt;p&gt;A secure CDE platform focuses on securing data in development environments and web applications against exfiltration. This is akin to client-side DLP.&lt;/p&gt;

&lt;p&gt;The platform also provides “back-end DLP” by protecting access to the data used for development. This is achieved by controlling the network and providing authentication services to the organization’s resources. &lt;/p&gt;

&lt;p&gt;Although a CDE-based infrastructure is simpler than a virtual desktop counterpart, it is indeed this simplicity that allows it to build a more holistic approach to data loss prevention with minimal impact on the local device used to access the platform.&lt;/p&gt;

&lt;p&gt;An additional aspect is that, because a secure CDE platform is designed to support application development, security mechanisms can beneficially use the context to make security a productivity enabler as opposed to a hassle. &lt;/p&gt;

&lt;h2&gt;
  
  
  Impact and Benefits to Developer Experience
&lt;/h2&gt;

&lt;p&gt;Accessibility to the platform and more generally the developer experience are important factors when assessing the fitness of these technologies to support development. &lt;/p&gt;

&lt;p&gt;Virtual desktops let developers interact with a remote desktop via a locally installed client by streaming the image of the remote desktop to the client. Such an access protocol often suffers from latency due to network requirements, which unfortunately impacts the developer experience (check this real-life story).&lt;/p&gt;

&lt;p&gt;Enterprise browsers let developers access web applications without usability issues. However, because developers need access to a remote desktop for coding, this again requires the use of a streaming protocol such as RDP and results in display latency that impacts the developer experience and productivity.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fztodi29d1ty7nr300cqm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fztodi29d1ty7nr300cqm.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;In the case of a secure CDE platform, the IDE used for coding (right part) is not streamed to the desktop and rendered locally, which preserves the developer’s experience. In comparison, secure browsing might be implemented using streaming (left part).&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;A secure CDE platform provides developers access to the online development environment via a web-based IDE, and to web applications via a secure browser. The web-based IDE is a web application on its own and renders natively in the browser on the developer’s device. Hence no streaming is required which provides optimal developer experience (see the above figure). &lt;/p&gt;

&lt;p&gt;In contrast, the chosen implementation for the secure browser can impact the experience. However, in practice, developers spend the majority of their time in the IDE and use web applications for less frequent operations such as pull requests.    &lt;/p&gt;

&lt;h2&gt;
  
  
  Opportunities When Combining Technologies
&lt;/h2&gt;

&lt;p&gt;In general, virtual desktops and enterprise browsers play an important role across enterprise business processes by providing general-purpose security for desktops and web applications, each with distinct infrastructure requirements and performance outcomes. Historically, virtual desktops have been a staple in the enterprise environment, representing the oldest technology among the ones that I discussed in this article. &lt;/p&gt;

&lt;p&gt;In comparison, enterprise browsers are designed as a lightweight alternative to virtual desktop infrastructure. They are however optimized mainly for SaaS applications delivered through the web. Their utilization for accessing developer desktops via RDP is akin to a modern reinterpretation of virtual desktops via a web browser.&lt;/p&gt;

&lt;p&gt;To protect the application development process, a secure Cloud Development Environment (CDE) platform centralizes all essential resources, including access to clients (IDE and web applications) and development environments, in one place. The targeted usage allows the platform to offer context-specific security and preserves the developer experience when working in a secure environment. &lt;/p&gt;

&lt;p&gt;In a larger organizational context, integrating a secure CDE platform with virtual desktops or an existing enterprise browser setup might be necessary. This provides an opportunity to balance development productivity, security, and asset utilization optimally. &lt;/p&gt;

&lt;p&gt;One key feature of a secure CDE platform is its use of a dedicated browser for safe access to web applications. This feature is particularly enhanced when integrated with an enterprise browser or application virtualization technologies. Essentially, this integration allows for replacing the CDE platform's secure browser with a more seamless solution and incorporates secure CDE technologies into the existing infrastructure.  &lt;/p&gt;

&lt;p&gt;This way, organizations can standardize security mechanisms across the infrastructure, ensuring access to legacy applications while modernizing application development. It also offers them an opportunity to improve asset utilization by leveraging lightweight virtualization for on-demand access to cheap computing power dedicated to development workloads (see the next figure).&lt;/p&gt;

&lt;p&gt;In the implementation of a Virtual Desktop Infrastructure, incorporating a secure CDE platform elevates the developer experience by providing on-demand development environments (with associated computational resources) and bolstering data access security. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa7wx6kcdxshcinluoz6b.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa7wx6kcdxshcinluoz6b.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;The combination of the secure CDE platform and the other technologies to fit different needs and scenarios in an enterprise setting.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In conclusion, integrations between secure CDE platforms, enterprise browsers, and virtual desktops provide opportunities for enhancing both the security and productivity of the development process, while jointly improving developer experience and resource utilization. &lt;/p&gt;

&lt;p&gt;Although a secure CDE platform alone provides a contemporary approach to prevent data leaks during application development, it also delivers an opportunity to enrich the existing infrastructure ecosystem of modern organizations.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Published at Dev.to with permission of Laurent Balmelli, PhD. See the original article &lt;a href="https://strong.network/article/key-differences"&gt;here&lt;/a&gt;.&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>vdi</category>
      <category>browser</category>
      <category>cloud</category>
      <category>development</category>
    </item>
    <item>
      <title>Rediscovering DevOps’ Heartbeat With Secure Cloud Development Environments</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Thu, 23 May 2024 09:24:10 +0000</pubDate>
      <link>https://dev.to/loransha256/rediscovering-devops-heartbeat-with-secure-cloud-development-environments-5d3n</link>
      <guid>https://dev.to/loransha256/rediscovering-devops-heartbeat-with-secure-cloud-development-environments-5d3n</guid>
      <description>&lt;h2&gt;
  
  
  How Cloud Development Platforms “Elevate” DevOps
&lt;/h2&gt;

&lt;p&gt;Let me start by briefly explaining what a Cloud Development Environment is: typically running a Linux OS with applications, it offers a pre-configured environment that allows for coding, compilation, and other operations similar to a local environment. From an implementation standpoint, such an environment is akin to a remotely running process, often virtualized through technologies like Docker or Podman. For a general overview of CDEs, check &lt;a href="https://strong.network/what-are-cdes"&gt;this article&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;CDE technology is driving the fastest DevOps transformation trend today with the entire cloud-native development industry moving development environments online. These environments just became one of Gartner's new technology categories in August 2023. Notably, Gartner expects 60%+ of cloud workloads to be built and deployed using CDEs by 2026.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejo2snurgda6z8li219n.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejo2snurgda6z8li219n.png" alt="Image description" width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;Online containers can be leveraged at the heart of the DevOps' Three Ways&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Today, organizations can decide to manage them with a self-hosted platform or use one of the services attached to a Cloud provider when available. Yet overall, platforms to manage these environments are today in their infancy and their features widely differ across vendors. Hence, there is a great deal of flexibility on how to implement the technology and, most importantly, what the business use cases cover.&lt;/p&gt;

&lt;p&gt;In my opinion, when faced with choosing a platform for CDEs, businesses should opt for one that delivers both productivity and data security. Using a secure Cloud Development Environment, i.e. one that provides data security, allows organizations to deploy quite diverse mechanisms, for example: protecting against data exfiltration and infiltration, automating DevSecOps best practices, generating security reviews, etc. This type of security is typically the aim of a Virtual Desktop Infrastructure by Citrix or, more recently, the goal of using an Enterprise Browser (Island, Talon, or Chrome Enterprise).&lt;/p&gt;

&lt;p&gt;One reason is that many companies, including technology companies, have suffered attacks on their assets such as source code, customer data, and other intellectual property. Recent high-profile cases around source code leaks include Slack's GitHub repositories, CircleCI, and Okta in December 2022. Most importantly, I find that &lt;em&gt;security should be positioned as a productivity booster&lt;/em&gt;, so that it contributes to an improved developer experience rather than being an impediment.&lt;/p&gt;

&lt;p&gt;One of the common denominators between existing platforms is the aim to make code development more efficient. Whether or not you choose to consider security in the mix, it is clear that CDEs can potentially unleash a great amount of productivity that benefits a DevOps workflow. This is the reason why I take here a fresh look at DevOps’ core principles and rethink how these environments can shed new light on them. These principles are also referred to as the three ways and are explained in &lt;em&gt;The DevOps Handbook&lt;/em&gt; by Kim, Debois, and Willis.&lt;/p&gt;

&lt;h2&gt;
  
  
  Online Environments Accelerate DevOps' Principle of Flow
&lt;/h2&gt;

&lt;p&gt;From a process perspective, DevOps is about implementing the &lt;em&gt;three principles (or ways)&lt;/em&gt;: namely the principles of flow, feedback, and continuous learning. I think that explaining the benefits of CDEs in this context is a good way to understand some of their key impacts.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9qapd6lzj31rz4jvyaav.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9qapd6lzj31rz4jvyaav.png" alt="Image description" width="660" height="378"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;DevOps’s three ways, i.e. Flow, Feedback and Continuous Learning as pictured in The DevOps Handbook by Kim, Debois, and Willis&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Let’s start with the &lt;em&gt;principle of flow&lt;/em&gt;. The first principle emphasizes the smooth and efficient movement of work from development through testing, and deployment down to operations and monitoring. It aims to minimize bottlenecks, optimize processes, and enable a continuous and seamless delivery pipeline. The flow is often represented by the series of stages arranged along the infinity sign.&lt;/p&gt;

&lt;p&gt;CDEs are an efficient way to implement the principle of flow because they allow users to have fully isolated workspace settings when dealing with multiple projects, enabling straightforward and impactless context switching between them.&lt;/p&gt;

&lt;p&gt;A good CDE platform provides developers with multiple tools to manage and configure their CDEs, in particular, based on company policies. For example, &lt;em&gt;self-service access&lt;/em&gt; to CDEs for developers is an important benefit.&lt;/p&gt;

&lt;p&gt;CDEs are also easily replicated for testing and can be reassigned across users as necessary. They can be fully templated, provisioned within seconds on pliant resources, and accessed by any developer regardless of their location. Here, a good CDE platform offers comprehensive operations to project and IT managers that enable CDE management and observability at scale.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2drdxs505r471txzvdf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2drdxs505r471txzvdf.png" alt="Image description" width="671" height="372"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;The use of CDEs starts at the DevOps’ Code stage and enables organizations to maintain consistent environments across stages. A CDE and its access mechanisms are represented by a tile and a series of icons, respectively.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Clearly, the online deployment of CDEs allows centralized management, observability, and access in such a way that it really enhances DevOps' principle of flow. &lt;/p&gt;

&lt;p&gt;Today the inclusion of remote developers is part of most organizations' operations. The online nature of CDEs is great for onboarding developers in fully configured environments, regardless of their location. Providing access to the organizations’ resources is also an important aspect of onboarding. Here, CDEs provide a new opportunity to access development resources in a centralized manner, in particular one that offers enhanced control and observability.&lt;/p&gt;

&lt;p&gt;To couple productivity with flexibility, a good CDE platform must provide an access permission model to resources that allows handling different types of developers, different scenarios of development (internal, collaborative, etc.), and different types of resources. For example, role-based and attribute-based access control (RBAC/ABAC) coupled with a mechanism to classify resources enables organizations to set up risk controls and ensure governance even in complex workflow situations. This greatly enhances the possibility of designing efficient and collaborative development flows.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ezhhpqu0s0xfgf9c7k4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ezhhpqu0s0xfgf9c7k4.png" alt="Image description" width="671" height="372"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;Onboarding a diverse set of developers requires a mechanism to manage access permission to resources based on role. Permissions can also be assessed dynamically based on properties such as the user location, etc.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Finally, one of the great aspects of the joint use of CDEs and Web-based IDEs is that onboarding developers on thin devices or in BYOD mode becomes an immediate accelerator for business expansion.&lt;/p&gt;

&lt;h2&gt;
  
  
  How To Bring Immediacy to DevOps’ Principle of Feedback
&lt;/h2&gt;

&lt;p&gt;The &lt;em&gt;principle of feedback&lt;/em&gt; involves establishing mechanisms for communication and collaboration between different stages of the development and operations processes. This includes collecting feedback from various sources, such as end-users, monitoring systems, and testing processes. An important aspect of this principle is that it enables better collaboration between developers.&lt;/p&gt;

&lt;p&gt;The second principle of DevOps is best exemplified by the &lt;em&gt;Pull Request (PR) mechanism&lt;/em&gt; implemented in code repository applications. Using a PR, developers can provide comments on the work submitted from a branch before it is merged into the application.&lt;/p&gt;

&lt;p&gt;The online nature of CDEs brings the principle of feedback even closer to the developer, that is, before work reaches the code repository, right at the center of the coding activity. This benefit is realized by the CDEs, often &lt;em&gt;in conjunction with&lt;/em&gt; the mechanisms to access or monitor them, such as the IDE, terminal, network, orchestration, etc.&lt;/p&gt;

&lt;p&gt;Because CDEs are online running processes, it is easy to observe the work as it's being done. This is reminiscent of observing the user experience of website visitors. In my opinion, this is the area where there is the most opportunity for bringing productivity and security at the core of the development.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4r8gcxc8nasor05sizio.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4r8gcxc8nasor05sizio.png" alt="Image description" width="606" height="412"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;Because CDEs can be accessed remotely, it is easy to measure some of their properties such as running processes and allocated resources.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;For example, it is easy to measure in real-time, over a fleet of CDEs, e.g. shared by developers working on a common project, the average compilation time necessary to build the application (see the above figure). This brings immediate and valuable information to the project manager about productivity.&lt;/p&gt;

&lt;p&gt;It is also easy to look at the information passing through the developers' clipboard and the CDE's network traffic. Using these channels we can provide feedback to developers and managers. For example, from an &lt;em&gt;infrastructure security perspective&lt;/em&gt;, it is easy to monitor for potential data exfiltration and prevent loss of intellectual property.&lt;/p&gt;

&lt;p&gt;But through the same channel, one can also look for potential &lt;em&gt;infiltration of pernicious data&lt;/em&gt;. For example, imagine that you can detect a credential inside a developer's clipboard: what about inquiring about the intention of the developer performing this operation? The same is possible when a developer is about to paste source code collected from a random website inside your code base. Would you like to flag it and automate the creation of a security review? What about detecting malware before it reaches your code base or systematically flagging AI-generated code?&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffni50sv8p2h65a74cs59.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffni50sv8p2h65a74cs59.png" alt="Image description" width="616" height="405"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;The control on CDEs and their supporting infrastructure is an opportunity to semantically analyze input data such as credentials, licensed source code, and potential malware. Similarly, it allows setting data leak prevention measures.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Clearly, CDEs and the infrastructure components that are used to funnel data into them are a medium to bring a new crop of best practices in DevOps and DevSecOps and revisit DevOps’ principle of feedback. Through the examples that I gave above, you can see that infrastructure security can liaise with the principle of code security!&lt;/p&gt;

&lt;p&gt;A good CDE platform will definitely provide an artillery of new and creative DevOps and DevSecOps automation. In addition, there is a great opportunity to revisit standardized and accepted metrics such as DORA and SPACE to bring them closer to the activity that developers spend the most time on: &lt;em&gt;writing code in the IDE&lt;/em&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Close-Up on the Principle of Continuous Learning
&lt;/h2&gt;

&lt;p&gt;Now let’s finish this discussion with the third principle, &lt;em&gt;the principle of continuous learning&lt;/em&gt;. This principle underscores the importance of fostering a culture of ongoing improvement and learning within the development and operations teams. It involves regularly gathering feedback, analyzing performance metrics, and incorporating lessons learned from each stage of the development and deployment process to enhance efficiency and innovation.&lt;/p&gt;

&lt;p&gt;The immediacy of web platforms and the opportunity that they bring around the observability of their running business processes also enables organizations to learn about themselves. This is a boon to increase the potential of continuous learning.&lt;/p&gt;

&lt;p&gt;Initially, DevOps' expectations of continuous learning are around bettering applications in operation, i.e. in use by the customer. But when the entire development process is run as a cloud application, there are many valuable things that organizations can learn about their &lt;em&gt;own platform-based development process&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Along that vein, CDE platforms bring a new level of observability and allow business optimization around several critical areas. I have discussed how organizations can learn about their performance around application delivery and its security posture. But they can also learn about &lt;em&gt;cloud and physical assets' utilization&lt;/em&gt;, as well as &lt;em&gt;monitor the cost of IT functions and resources allotted to development&lt;/em&gt;. The platform also brings a fantastic opportunity to centralize the implementation of productivity and risk controls while systematically enforcing them across geographically scattered teams. In practice, modern CDE platforms need to allow the simultaneous use of multiple Clouds across multiple regions. Most importantly, their capability to &lt;em&gt;uniformly deliver complex services&lt;/em&gt; to organizations makes it easy to implement governance mechanisms that do not get in the way of users’ daily tasks.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2tbkwrx0q0ic47u1vpp2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2tbkwrx0q0ic47u1vpp2.png" alt="Image description" width="800" height="596"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;DevOps’s principle of continuous learning can also apply to the development process itself. CDEs yield a new swath of process measurements that benefit governance, accountability, and risk controls.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In conclusion, good CDE platforms should bring a wealth of metrics and functionalities to organizations such that they retake control of a development process that is often scattered, non-uniform across hardware and applications, and at times obscured from a security perspective. This is why, in my opinion, the adoption trend will follow unabated. In addition, we should see a greater demand for the ability of CDE providers to enhance security controls while making sure they ultimately don't have any negative impact on developer productivity. Finally, developing CDE properties as a way to enhance the three ways of DevOps is a great framework to drive innovation in a meaningful way for the development community.&lt;/p&gt;

&lt;p&gt;Published at Dev.to with permission of Laurent Balmelli, PhD. See the original article &lt;a href="https://strong.network/article/rediscover-devops"&gt;here.&lt;/a&gt; &lt;/p&gt;

</description>
      <category>devops</category>
      <category>cloud</category>
      <category>linux</category>
      <category>cde</category>
    </item>
    <item>
      <title>Why and How We Made Our Cloud Development Environment Platform Secure</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Wed, 14 Feb 2024 11:17:58 +0000</pubDate>
      <link>https://dev.to/loransha256/why-and-how-we-made-our-cloud-development-environment-platform-secure-9l</link>
      <guid>https://dev.to/loransha256/why-and-how-we-made-our-cloud-development-environment-platform-secure-9l</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;A short story of why and how we created the first secure CDE platform to address the dual challenge of enhancing the efficiency and security of the application development process, in particular of cloud-native applications. In addition, we compare our approach to other CDE platforms and look-alike solutions on the market.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  How Should You Protect Your Development Workflow?
&lt;/h2&gt;

&lt;p&gt;The deployment of a productive and secure application development process is often a struggle for many organizations. This is the main challenge that my partner and I have been trying to tackle since we created Strong Network.&lt;/p&gt;

&lt;p&gt;The company name "Strong Network" was chosen to embody the power of collaboration and connectivity within the technology and development community, highlighting the strength that comes from a well-coordinated, productive network of developers working together. It represents the robust and secure infrastructure that facilitates the creation of superior IT products and solutions through smart associations between developers and applications. You can ask more about our company motto and platform through &lt;a href="https://chat.openai.com/g/g-90tcKkRJA-strong-network-s-brand-gpt"&gt;our custom GPT on OpenAI.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Developers are being continuously and increasingly targeted by hackers, &lt;a href="https://thehackernews.com/2023/08/whats-state-of-credential-theft-in-2023.html"&gt;notably around credential theft&lt;/a&gt; (&lt;a href="https://www.f5.com/labs/articles/threat-intelligence/2023-identity-threat-report-the-unpatchables"&gt;see also this report&lt;/a&gt;), leading to severe data breaches and exposing personal information and source code. For a long time, virtual desktops such as &lt;a href="https://www.citrix.com/solutions/vdi-and-daas/virtualization-vdi.html"&gt;Citrix VDI&lt;/a&gt;, &lt;a href="https://www.vmware.com/products/horizon.html"&gt;VM Horizon&lt;/a&gt; and others have been candidates to address this issue by providing data loss prevention measures. More recently, companies such as &lt;a href="https://www.island.io/"&gt;Island&lt;/a&gt;, &lt;a href="https://talon-sec.com/"&gt;Talon&lt;/a&gt; and &lt;a href="https://chromeenterprise.google/browser/security/"&gt;others&lt;/a&gt; position themselves as a web-based alternative to virtual desktops, although the focus is primarily on securing access to web applications (but desktop access is possible).&lt;/p&gt;

&lt;p&gt;Here comes the kicker: these general-purpose technologies are fraught with usability and performance issues in the context of protecting code development. If you want to understand in detail how these technologies are used in the scope of development process security you can read this article.&lt;/p&gt;

&lt;h2&gt;
  
  
  Combine Security and Productivity with Cloud Development Environments
&lt;/h2&gt;

&lt;p&gt;We created the first secure CDE platform to address the dual challenge of enhancing the efficiency and governance of the application development process within the DevOps cycle, while simultaneously safeguarding against data leaks.&lt;/p&gt;

&lt;p&gt;Like other CDE platforms, the basic goal is to streamline container-based development environments (read “&lt;a href="https://strong.network/article/devops-link-cdes"&gt;Coding Goes Online&lt;/a&gt;” to get the basics of CDEs), yet in our case we aim at the same time to provide robust security measures. Even better, we design security measures and controls such that they become part of the developer’s productive workflow.&lt;/p&gt;

&lt;p&gt;Cloud Development Environments have recently become a technology category proposed by Gartner, and Strong Network &lt;a href="https://strong.network/news/strong-network-cde-gartners-agile-and-devops-report"&gt;is mentioned as one of the vendors&lt;/a&gt; in it. CDEs are still early on Gartner’s Hype Cycle, but their support shows that the industry has clear incentives to move development environments online. Some of the benefits mentioned by Gartner are centralized management, ease of access to environments and better security. We got fixated on that last one.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkaqzm8yyp4lkz9bt6wbe.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkaqzm8yyp4lkz9bt6wbe.png" alt="Image description" width="800" height="450"&gt;&lt;/a&gt; &lt;strong&gt;Figure&lt;/strong&gt;: &lt;em&gt;Gartner Hype Cycle for Agile and DevOps, 2023 with the positioning of Cloud Development Environments.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In this &lt;a href="https://strong.network/article/the-need-for-secure-cloud-development-environments"&gt;other article&lt;/a&gt;, I delve into all the characteristics and benefits that secure CDEs bring, so that here, I can focus on the main conceptual differences between Strong Network’s platform and other CDE platforms.&lt;/p&gt;

&lt;h2&gt;
  
  
  How a Secure CDE Platform Is Different From Other Platforms
&lt;/h2&gt;

&lt;p&gt;The central discussion of this article is to differentiate a secure CDE platform from other CDE platforms such as &lt;a href="https://strong.network/comparison/codespaces"&gt;Codespaces&lt;/a&gt;, &lt;a href="https://strong.network/comparison/workstations"&gt;Google Workstation&lt;/a&gt;, &lt;a href="https://strong.network/comparison/devspaces"&gt;OpenShift DevSpaces&lt;/a&gt;, and other smaller players on the market such as &lt;a href="https://strong.network/comparison/gitpod"&gt;GitPod&lt;/a&gt; and &lt;a href="https://strong.network/comparison/coder"&gt;Coder&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;These platforms provide access to a CDE via an Integrated Development Environment (IDE) with the purpose of starting a coding task more rapidly. In other words, these platforms are primarily a productivity-enhancement play.&lt;/p&gt;

&lt;p&gt;Notably, there is no goal of protecting the data in the IDE (or outside) from being leaked. In contrast, a secure CDE platform aims at jointly enhancing productivity and protecting the entire development workflow from data leaks. And this workflow extends beyond the IDE. This is the perspective that we took when designing the platform.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fawuv6d8oq59cg7tkrdd3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fawuv6d8oq59cg7tkrdd3.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;Development data flows across a series of tools during development, hence security is needed across the workflow.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Although some of the platforms mentioned above make security claims, the only security measures actually delivered are that, in some cases, the platform is self-hosted (which is not really a security measure) and that, as with any CDE platform, the development data does not land on the developer’s physical device (because it remains in the online CDE).&lt;/p&gt;

&lt;p&gt;However, when working with any of the platforms mentioned above, it is actually trivial to leak data via clipboard or network operations, or steal any data repository credentials accessed via any one of these CDEs and leak data out of it, even if MFA is enabled. We actually tested all the existing platforms and were able to easily exfiltrate data. &lt;/p&gt;

&lt;h2&gt;
  
  
  How We Made Strong Network’s Platform Both Productive and Secure for Development
&lt;/h2&gt;

&lt;p&gt;Hence, for security goals against data leaks to be really fulfilled, adding data loss prevention (DLP) to the IDE (to protect the data from leaking via the developer’s operations) is a necessary yet insufficient measure.&lt;/p&gt;

&lt;p&gt;The basic role of the secure CDE platform is to provide joint productivity and security during code development activities. From a process perspective, the platform manages development environments with native security measures against data exfiltration. Importantly, most security mechanisms can be made context-aware so that they have no impact on the developer’s workflow. Examples of security mechanisms that can be implemented are &lt;a href="https://strong.network/article/the-need-for-secure-cloud-development-environments"&gt;explained in this article&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Since data security must take a workflow perspective, access to all DevOps applications that are part of the developer’s workflow (GitHub, GitLab, etc.) must be secured as well. This is achieved through the joint use of a specialized secure browser available on the secure CDE platform and dedicated to accessing and using workflow applications. When enabled, all web applications necessary to the developer for collaboration (e.g. source code, task management) and DevOps are available via the secure browser.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F80w3svps0sjytw3lw2nc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F80w3svps0sjytw3lw2nc.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt; &lt;strong&gt;Figure:&lt;/strong&gt; &lt;em&gt;The security settings for a user on the Strong Network platform are represented from a workflow perspective.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Hence, as you can see, a secure CDE platform is in essence a conjunction of a secured IDE and a secure browser working together to protect the entire development workflow.&lt;/p&gt;

&lt;p&gt;Actually, this puts the Strong Network platform in the same range of solutions as a virtual desktop infrastructure and potentially secure browsers when these technologies are applied to securing the development process. In this article, we provide more details on how a secure CDE platform compares to the above two approaches when it comes to secure coding activities.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Future of Cloud Development Environments is Security
&lt;/h2&gt;

&lt;p&gt;In summary, a secure CDE platform focuses on securing all data in development environments (the CDEs) and web applications (GitHub, Jira, etc.) used by the developer, as well as the access to the organization’s data resources from the CDEs. Measures range from protection against data extraction via phishing attacks or malware to protection against data leaks, including from insider threats.&lt;/p&gt;

&lt;p&gt;The design of the platform allows control over the entire workflow, from coding in the IDE and using web applications to working in the CDE. Hence, in contrast to the previous technologies, CDE-focused data security measures can be implemented such that they provide greater threat coverage than virtual desktops or enterprise browsers, as explained here.&lt;/p&gt;

&lt;p&gt;From a developer experience perspective, the secure CDE platform provides developers access to a CDE via a web-based IDE (via a local IDE as well, though it impacts the security model) and to web applications via a secure browser embedded in the platform. The web-based IDE is a web application on its own and renders natively in the browser on the developer’s device.&lt;/p&gt;

&lt;p&gt;Hence a secure CDE platform provides optimal developer experience and does not compromise productivity, in contrast to usability issues commonly experienced by developers using virtual desktops (&lt;a href="https://www.nutanix.com/blog/vdi-challenges-and-how-to-solve-them"&gt;as reported by companies trying to solve them&lt;/a&gt;). Since developers spend the major part of their time in the IDE and use workflow applications for specific and less frequent operations, delivering a development environment with optimal performance fosters developer experience overall.&lt;/p&gt;

&lt;p&gt;In conclusion, we think that the future of Cloud Development Environments is driven by productivity-enabling, transparent security that doubly benefits organizations and developers. Secure CDE platforms can provide developers with a flexible coding environment available anywhere so that they can focus on what they like, where they want, without the burden of security measures in an era where they form the largest attack surface in the application development process.&lt;/p&gt;




&lt;p&gt;All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at &lt;a href="mailto:hello@strong.network"&gt;hello@strong.network&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Copyright © 2020-2024 Strong Network All rights reserved.&lt;/p&gt;

</description>
      <category>cloud</category>
      <category>development</category>
      <category>clouddevelopment</category>
      <category>cde</category>
    </item>
    <item>
      <title>A Brief History of DevOps and the Link to Cloud Development Environments</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Thu, 01 Feb 2024 10:52:23 +0000</pubDate>
      <link>https://dev.to/loransha256/a-brief-history-of-devops-and-the-link-to-cloud-development-environments-583n</link>
      <guid>https://dev.to/loransha256/a-brief-history-of-devops-and-the-link-to-cloud-development-environments-583n</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;In this &lt;a href="https://strong.network/article/devops-link-cdes"&gt;article&lt;/a&gt;, I use the famous DevOps HandBook to regurgitate a concise history of DevOps, add my personal experience and opinion, and establish a link to Cloud Development Environments (CDEs), i.e. the practice of providing access to, and running, development environments online as a service for developers.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  A Few Good Books on DevOps’ History
&lt;/h2&gt;

&lt;p&gt;The history of DevOps is definitely worth reading in a few good books about it. On that topic, “&lt;em&gt;&lt;a href="https://www.goodreads.com/book/show/17255186-the-phoenix-project"&gt;The Phoenix Project&lt;/a&gt;&lt;/em&gt;”, self-characterized as “&lt;em&gt;a novel of IT and DevOps&lt;/em&gt;”, is often mentioned as a must-read. Yet for practitioners like myself a more hands-on one is “&lt;em&gt;&lt;a href="https://www.goodreads.com/book/show/26083308-the-devops-handbook"&gt;The DevOps Handbook&lt;/a&gt;&lt;/em&gt;” (which shares &lt;a href="https://www.linkedin.com/in/realgenekim/"&gt;Kim&lt;/a&gt; as author in addition to Debois, Willis, and Humble) that recounts some of the watershed moments around the evolution of software engineering and provides good references around implementation. This book actually describes how to replicate the transformation explained in the Phoenix Project and provides case studies.&lt;/p&gt;

&lt;p&gt;In this brief article, I will use my notes on this great book to regurgitate a concise history of DevOps, add my personal experience and opinion, and establish a link to Cloud Development Environments (CDEs), i.e. the practice of providing access to, and running, development environments online as a service for developers.&lt;/p&gt;

&lt;p&gt;In particular I explain how the use of CDEs concludes the effort of bringing DevOps “fully online”. Explaining the benefits of this shift in development practices, plus a few personal notes is my main contribution in this brief article. Before clarifying the link between DevOps and CDEs, let’s first dig into the chain of events and technical contributions that led to today’s main methodology to deliver software.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Agile Manifesto
&lt;/h2&gt;

&lt;p&gt;The creation of the Agile Manifesto in 2001 sets forth values and principles as a response to more cumbersome software development methodologies like Waterfall and the Rational Unified Process (RUP).&lt;/p&gt;

&lt;p&gt;One of the manifesto's core principles emphasizes the importance of &lt;em&gt;delivering working software frequently&lt;/em&gt;, ranging from a few weeks to a couple of months, with a preference for shorter timescales. The Agile movement's influence expanded in 2008 during &lt;a href="https://blog.newrelic.com/engineering/devops-name/"&gt;the Agile Conference in Toronto&lt;/a&gt;, where Andrew Shafer suggested applying Agile principles to IT infrastructure rather than just to the application code.&lt;/p&gt;

&lt;p&gt;This idea was further propelled by a 2009 presentation at the Velocity Conference, where a paper from &lt;a href="https://www.youtube.com/watch?v=LdOe18KhtT4"&gt;Flickr demonstrated the impressive feat&lt;/a&gt; of "&lt;em&gt;10 deployments a day&lt;/em&gt;" using Dev and Ops collaboration. Inspired by these developments, Patrick Debois organized the &lt;a href="https://devopsdays.org/about/"&gt;first DevOps Days in Belgium&lt;/a&gt;, &lt;em&gt;effectively coining the term "DevOps."&lt;/em&gt; This marked a significant milestone in the evolution of software development and operational practices, blending Agile's swift adaptability with a more inclusive approach to the entire IT infrastructure.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Three Ways of DevOps and the Principles of Flow
&lt;/h2&gt;

&lt;p&gt;All the concepts that I discussed so far are today incarnated into the “Three Ways of DevOps”, i.e. the &lt;em&gt;foundational principles that guide the practices and processes in DevOps&lt;/em&gt;. In brief, these principles focus on:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;improving &lt;em&gt;the flow of work (First Way)&lt;/em&gt;, i.e. the elimination of bottlenecks, reduction of batch sizes, and acceleration of workflow from development to production,&lt;/li&gt;
&lt;li&gt;amplifying &lt;em&gt;feedback loops (Second Way)&lt;/em&gt;, i.e. quickly and accurately collecting information about any issues or inefficiencies in the system, and&lt;/li&gt;
&lt;li&gt;fostering a &lt;em&gt;culture of continuous learning and experimentation (Third Way)&lt;/em&gt;, i.e. encouraging a culture of continuous learning and experimentation.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Following the leads from &lt;a href="https://www.techtarget.com/searcherp/definition/lean-production#:~:text=Lean%20manufacturing%20is%20a%20methodology,not%20willing%20to%20pay%20for."&gt;Lean Manufacturing&lt;/a&gt; and Agile, it is easy to understand what led to the definition of the above three principles. I delve more deeply into each of these principles &lt;a href="https://strong.network/webinar/devops-pro"&gt;in this conference presentation&lt;/a&gt;. For the current discussion though, i.e. &lt;em&gt;how DevOps history leads to Cloud Development Environments&lt;/em&gt;, we just need to look at the First Way, the &lt;em&gt;principle of flow&lt;/em&gt;, to understand the causative link.&lt;/p&gt;

&lt;p&gt;Chapter 9 of the &lt;a href="https://www.goodreads.com/book/show/26083308-the-devops-handbook"&gt;DevOps Handbook&lt;/a&gt; explains that the technologies of &lt;em&gt;version control and containerization&lt;/em&gt; are central to implementing DevOps flows and establishing a reliable and consistent development process.&lt;/p&gt;

&lt;p&gt;At the center of enabling the flow is the practice of incorporating all production artifacts into version control to serve as a single source of truth. This enables the recreation of the entire production environment in a repeatable and documented fashion. It ensures that &lt;em&gt;production-like, code development environments&lt;/em&gt; can be automatically generated, entirely self-serviced without requiring manual intervention from Operations.&lt;/p&gt;

&lt;p&gt;The significance of this approach becomes evident at release time, which is often the first time an application's behavior is observed in a production-like setting, complete with realistic load and production data sets. To reduce the likelihood of issues, developers are encouraged to operate production-like environments on &lt;em&gt;their workstations&lt;/em&gt;, created on-demand and self-serviced through mechanisms such as virtual images or containers, utilizing tools like &lt;a href="https://www.vagrantup.com/"&gt;Vagrant&lt;/a&gt; or &lt;a href="https://www.docker.com/"&gt;Docker&lt;/a&gt;. Putting these environments under version control allows for the entire pre-production and build processes to be recreated. Note that &lt;em&gt;production-like environments&lt;/em&gt; really refer to environments that, in addition to having the same infrastructure and application configuration as the real production environments, also contain additional applications and layers necessary for development.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn8um12sgu5m1qp164jqj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn8um12sgu5m1qp164jqj.png" alt="Image description" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: Developers are encouraged to operate production-like environments (Docker icon) on their workstations using mechanisms such as virtual images or containers to reduce the likelihood of execution issues in production.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  From Developer Workstations to a CDE Platform
&lt;/h2&gt;

&lt;p&gt;The notion of self-service is already emphasized in the DevOps Handbook as a key enabler to the principle of flow. Using 2016 technology, this is realized by downloading environments to the developers’ workstation from a registry (&lt;a href="https://hub.docker.com/_/registry"&gt;such as DockerHub&lt;/a&gt;) that provides pre-configured, production-like environments as files (dubbed as infrastructure-as-code). Docker is often a tool to implement this function.&lt;/p&gt;

&lt;p&gt;Starting from this operation, developers create an application in effect as follows: (1) they access and copy files with development environment information to their machines, (2) add source code to it in the local storage and (3) build the application locally using their workstation computing resources. This is illustrated in the left part of the figure below.&lt;/p&gt;

&lt;p&gt;Once the application works correctly, the source code is sent (“pushed”) to a central code repository and the application is built and deployed online, i.e. using Cloud-based resources and applications such as CI/CD pipelines.&lt;/p&gt;

&lt;p&gt;The three development steps listed above are in effect the only operations, in addition to the authoring of source code using an IDE, that are “local”, i.e. they use workstations’ physical storage and computing resources. All the rest of the DevOps operations are performed using web-based applications and used as-a-service by developers and operators (even when these applications are self-hosted by the organization). The basic goal of Cloud Development Environments is to &lt;em&gt;move these development steps online as well&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;To do that, &lt;a href="https://strong.network/why-strong-network"&gt;CDE platforms&lt;/a&gt; in essence provide the following basic services, illustrated in the right part of the figure below:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;em&gt;manage development environments online&lt;/em&gt;, as containers or virtual machines such that developers can access them fully built and configured, substituting step (1) above; then&lt;/li&gt;
&lt;li&gt;
&lt;em&gt;provide a mechanism for authoring source code online&lt;/em&gt;, i.e. inside the development environment using an IDE or a terminal, substituting step (2); and finally&lt;/li&gt;
&lt;li&gt;
&lt;em&gt;provide a way to execute build commands&lt;/em&gt; inside the development environment (via the IDE or terminal), substituting step (3).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo4e0m0u8mwxwpbrzq57w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo4e0m0u8mwxwpbrzq57w.png" alt="Image description" width="800" height="320"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: (left) The classic development data flow requires the use of the local workstation resources. (right) The cloud development data flow replaces local storage and computing while keeping a similar developer experience. On each side, operations are (1) accessing environment information, (2) adding code, and (3) building the application.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Note that the replacement of step (2) can be done in several ways: for example, &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-IDE"&gt;the IDE can be browser-based&lt;/a&gt; (aka a Cloud IDE), or a locally installed IDE can implement &lt;a href="https://code.visualstudio.com/docs/remote/ssh#:~:text=The%20Visual%20Studio%20Code%20Remote,of%20VS%20Code's%20feature%20set."&gt;a way to remotely author the code in the remote environment&lt;/a&gt;. It is also possible to use a console text editor such as &lt;a href="https://www.vim.org/"&gt;vim&lt;/a&gt; via a terminal.&lt;/p&gt;

&lt;p&gt;I cannot conclude this discussion without mentioning that multiple containerized environments are often used for testing on the workstation, in particular in combination with the main containerized development environment. Hence cloud IDE platforms need to reproduce the capability to run containerized environments inside the Cloud Development Environment (itself a containerized environment). If this recursive process becomes a bit complicated to grasp, don’t worry: we have reached the end of the discussion and can move to the conclusion.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Comes Out of Using Cloud Development Environments in DevOps
&lt;/h2&gt;

&lt;p&gt;A good way to conclude this discussion is to summarize the benefits of moving development environments from the developers’ workstation online using CDEs. The use of CDEs for DevOps leads to the following advantages:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Streamlined Workflow&lt;/strong&gt;: CDEs enhance the workflow by removing data from the developer's workstation, decoupling the hardware from the development process. This ensures that the development environment is consistent and not limited by local hardware constraints.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Environment Definition&lt;/strong&gt;: With CDEs, version control becomes more robust as it can uniformize not only the environment definition but all the tools attached to the workflow, leading to a standardized development process across the organization and consistency across teams.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Centralized Environments&lt;/strong&gt;: The self-service aspect is improved by centralizing the production, maintenance, and evolution of environments based on distributed development activities. This allows developers to quickly access and manage their environments without the need for Operations' manual work.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Asset Utilization&lt;/strong&gt;: Migrating the consumption of computing resources from local hardware to centralized and shared cloud resources not only lightens the load on local machines but also leads to more efficient use of organizational resources and potential cost savings. You can test economic assumptions with this online calculator.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Improved Collaboration&lt;/strong&gt;: Ubiquitous access to development environments, secured by embedded security measures in the access mechanisms, allows organizations to cater to a diverse group of developers, including internal, external, and temporary workers, fostering collaboration across various teams and geographies.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Scalability and Flexibility&lt;/strong&gt;: CDEs offer scalable cloud resources that can be adjusted to project demands, facilitating the management of multiple containerized environments for testing and development, thus supporting the distributed nature of modern software development teams.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Enhanced Security and Observability&lt;/strong&gt;: Centralizing development environments in the Cloud not only improves security (more about secure CDEs) but also provides immediate observability due to their online nature, allowing for real-time monitoring and management of development activities.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By integrating these aspects, CDEs become a solution for modern, in particular cloud-native, software development and align with the principles of DevOps to improve not only flow but also feedback and continuous learning. I will discuss in more detail contributions of CDEs across all three ways of DevOps in an upcoming article. In the meantime, you're welcome to share your feedback with me.&lt;/p&gt;




&lt;p&gt;All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at &lt;a href="mailto:hello@strong.network"&gt;hello@strong.network&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Copyright © 2020-2024 Strong Network All rights reserved.&lt;/p&gt;

</description>
      <category>devops</category>
      <category>cde</category>
      <category>cloud</category>
      <category>coding</category>
    </item>
    <item>
      <title>The Strong Frog Practice: Make DevSecOps Part of Cloud-Based Development</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Thu, 25 Jan 2024 16:21:52 +0000</pubDate>
      <link>https://dev.to/loransha256/the-strong-frog-practice-make-devsecops-part-of-cloud-based-development-31ik</link>
      <guid>https://dev.to/loransha256/the-strong-frog-practice-make-devsecops-part-of-cloud-based-development-31ik</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;Secure Cloud Development Environments are pivotal in DevSecOps for the ability to manage development environments in a centralized manner, ensuring uniform security policies, compliance and regulatory adherence across all projects. While Strong Network’s platform manages coding environments, the implementation of policies is provided by JFrog. We explain how this is achieved in this article.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Author: Laurent Balmelli &amp;amp; Fernando Monje&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Strong Network’s Platform Integrates with JFrog
&lt;/h2&gt;

&lt;p&gt;Secure Cloud Development Environment (CDE) &lt;a href="https://strong.network/why-strong-network"&gt;platforms like Strong Network’s&lt;/a&gt; are pivotal in DevSecOps for the ability to manage development environments in a centralized manner, ensuring uniform security policies, compliance and regulatory adherence across all projects. While Strong Network’s platform enables the definition and management of coding environments, the implementation and execution of these policies is the task of &lt;a href="https://jfrog.com/platform/"&gt;a platform like the one provided by JFrog&lt;/a&gt;. The wealth of JFrog’s platform services is pictured in the figure below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcr8teu1phtqtj48pycgo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcr8teu1phtqtj48pycgo.png" alt="Image description" width="800" height="410"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: Strong Network’s platform integrates with JFrog’s platform services to make them available directly and transparently in secure Cloud Development Environments.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The joint use of Strong Network and JFrog’s platforms streamlines security management and auditing, providing a robust framework for consistent security practices. This setup automates key security tasks like vulnerability scanning and compliance checks, embedding security into every stage of the development lifecycle. This approach aligns with the 'shift-left' philosophy, where security is a foundational element from the project's inception.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://strong.network/article/the-need-for-secure-cloud-development-environments"&gt;Secure CDEs also offer scalability and flexibility&lt;/a&gt;, crucial for adapting to the evolving demands of software development without compromising security. They provide development teams the agility and resources needed in a controlled environment. JFrog’s platform service makes sure that scaling occurs in a controlled manner.&lt;/p&gt;

&lt;p&gt;Finally, the joint platform setting discussed here is a key enabler for secure remote collaboration, a necessity in today’s distributed workforce. It ensures that teams, irrespective of their location, can collaborate effectively while getting access to strong DevSecOps practices in a way that keeps the organization secure: &lt;em&gt;both from the perspective of infrastructure and resource access control as well as the compliance and security of the code produced through the collaboration&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Let’s explore the features delivered when associating the two strongest platforms in secure code development available today and how they satisfy both perspectives above.&lt;/p&gt;

&lt;h2&gt;
  
  
  Prerequisites and Platform Sign-In
&lt;/h2&gt;

&lt;p&gt;To successfully integrate the Strong Network platform with JFrog's platform, there are a few prerequisites that must be met in order to leverage their combined strengths.&lt;/p&gt;

&lt;p&gt;First, your organization must have deployed the self-hosted Strong Network platform and have access to the JFrog platform, either in a SaaS or a self-hosted solution. Administrative access is needed to both platforms to perform necessary initial set-up configurations.&lt;/p&gt;

&lt;p&gt;From the Strong Network platform perspective, the JFrog platform is integrated as a third-party application as shown in the next figure, very much like other applications such as GitHub, GitLab or Bitbucket. The goal of this integration is to leverage the services in a transparent manner within &lt;a href="https://strong.network/what-are-cdes"&gt;the Cloud Development Environments (CDEs)&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The whole integration is done only through the administrative settings of Strong Network’s platform, so that the availability of JFrog’s platform becomes visible in the Integration tab in the user’s profile (figure below). This allows users to sign into the JFrog platform from Strong Network’s.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiacpiwjc2nrwqijqfjmh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiacpiwjc2nrwqijqfjmh.png" alt="Image description" width="800" height="269"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: Users log in to the JFrog platform once from their profile and access all services from their CDEs without the need to provide any further authentication information.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Once signed in, JFrog CLI becomes automatically available in the user’s CDEs. In turn, the integration gives every user transparent access to JFrog services from any CDE. This also allows for the management of user permissions to the services and the establishment of security protocols.&lt;/p&gt;

&lt;p&gt;In cases where the JFrog platform is being used in a SaaS model, a specific custom OAuth template provided by JFrog is necessary. The custom OAuth template must be &lt;a href="https://jfrog.com/"&gt;set up and configured in accordance with JFrog's guidelines&lt;/a&gt; to ensure compatibility and security.&lt;/p&gt;

&lt;h2&gt;
  
  
  DevSecOps Integration in Cloud Development Workflow
&lt;/h2&gt;

&lt;p&gt;The following paragraphs explore the features available once a user is signed in.&lt;/p&gt;

&lt;h2&gt;
  
  
  Automated Platform Integration With All CDEs
&lt;/h2&gt;

&lt;p&gt;One of the standout features of integrating the Strong Network platform with JFrog is the automated integration of JFrog’s CLI into any newly created CDE during the development process, when building an application on the workspace. This means that whenever a new CDE is created, the JFrog CLI and services are automatically installed and authenticated within the workspace. This seamless integration streamlines the development workflow, as developers can immediately start using JFrog's services without the need for manual setup or authentication. It enhances efficiency and ensures a consistent environment across all CDEs.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Firvg7w4snz1semd9kusx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Firvg7w4snz1semd9kusx.png" alt="Image description" width="800" height="210"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: Whenever a new CDE is created, the user can verify that the JFrog CLI and services are automatically installed and authenticated within the workspace.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Automated Scanning of Container Images with JFrog XRay
&lt;/h2&gt;

&lt;p&gt;The integration also brings the advantage of automated scanning of container images during workspace creation using JFrog XRay. This feature is particularly crucial for maintaining high standards of security and compliance regarding the development infrastructure. As soon as a workspace is created, the container image is automatically scanned, and a summary of any vulnerabilities found is displayed (see the next figure). This immediate feedback allows developers to identify and address security concerns attached to the infrastructure and tools used for development. This integration is possible because Strong Network’s platform embeds the management of workspaces’ containers as platform resources. Hence, the integration with JFrog allows the &lt;em&gt;automated enforcement of infrastructure security best-practices in the development process&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25gj0sff9rvczhgfe4fa.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25gj0sff9rvczhgfe4fa.png" alt="Image description" width="800" height="686"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: Because Strong Network’s platform embeds the management of workspace containers, the integration allows the automated enforcement of infrastructure security best-practices in the development process.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Secure Artifactory Access from User Workspaces
&lt;/h2&gt;

&lt;p&gt;Another significant feature is the automated and secure access to JFrog Artifactory from the user’s workspace. This is achieved without storing JFrog credentials in the workspace or exposing them to the developer. This approach not only simplifies the process of accessing JFrog Artifactory but also upholds stringent security protocols by ensuring that sensitive credentials are never compromised. Developers can seamlessly interact with Artifactory, retrieving and deploying &lt;em&gt;whitelisted, compliant dependencies to ensure code security as needed&lt;/em&gt;, while the platform manages the underlying security and authentication mechanisms.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6o13a8py7m1dgsj5387f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6o13a8py7m1dgsj5387f.png" alt="Image description" width="800" height="200"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: The transparent and automated integration of JFrog Artifactory in the build process allows the production of secure and compliant code through the use of pre-approved, sanitized software libraries.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  JFrog VSCode Extension Pre-installed and Authenticated
&lt;/h2&gt;

&lt;p&gt;Lastly, the integration ensures that the JFrog Visual Studio Code (VSCode) extension is already installed and authenticated in each workspace from its inception. This eliminates the need for developers to manually set up the extension, allowing them to immediately leverage its functionalities for enhanced productivity. The pre-authentication aspect of the extension ensures that developers can start using JFrog’s services within VSCode right away, further enhancing the overall user experience.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F28ie0w3l67adtl3zvz7d.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F28ie0w3l67adtl3zvz7d.png" alt="Image description" width="800" height="672"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: JFrog Visual Studio Code (VSCode) extension is installed and authenticated in each workspace from its inception.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  In Conclusion: Deploy a Secure Development Infrastructure That Delivers Secure Code
&lt;/h2&gt;

&lt;p&gt;The integration of Strong Network's platform with JFrog's platform services represents a significant business value for security-minded organizations. This collaboration, aptly named "The Strong Frog Practice," is a demonstration of how combining leading technologies integrates DevSecOps best-practices across the development process with the use of secure cloud-based development environments. In other words, best-practices are smoothly assimilated, avoiding interference with the developer experience. In all, the integration brings together productivity and security, covering both the infrastructure and software aspects from a unified perspective.&lt;/p&gt;

&lt;p&gt;Through this integration, developers gain the benefit of automated processes, such as the inclusion of JFrog’s CLI in every new secure CDE and the automatic scanning of container images with JFrog XRay. These features not only bolster security but also enhance efficiency, allowing developers to focus more on coding and less on setup and security concerns.&lt;/p&gt;

&lt;p&gt;The seamless and secure access to JFrog Artifactory directly from user workspaces, without exposing sensitive credentials, is a game-changer in managing dependencies and ensuring code security. Additionally, the pre-installed and authenticated JFrog VSCode extension in each workspace further streamlines the set-up process, ensuring a smooth and efficient development workflow.&lt;/p&gt;

&lt;p&gt;This powerful platform alliance underscores a commitment to elevating DevSecOps practices, where security is not an afterthought but an integral and automated part of the development process. "The Strong Frog Practice" is a shining example of how the right technological partnerships can create an environment that is not only secure and compliant but also agile and developer-friendly, catering to the dynamic needs of modern software development.&lt;/p&gt;




&lt;p&gt;All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at &lt;a href="mailto:hello@strong.network"&gt;hello@strong.network&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Copyright © 2020-2024 Strong Network All rights reserved.&lt;/p&gt;

</description>
      <category>jfrog</category>
      <category>cloud</category>
      <category>devops</category>
      <category>coding</category>
    </item>
    <item>
      <title>How Zero-Trust Architecture Design Enables Global Business Processes</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Thu, 25 Jan 2024 14:39:15 +0000</pubDate>
      <link>https://dev.to/loransha256/how-zero-trust-architecture-design-enables-global-business-processes-4oh6</link>
      <guid>https://dev.to/loransha256/how-zero-trust-architecture-design-enables-global-business-processes-4oh6</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;In this article, we address the security challenges posed by globalization in code development and data science processes, discussing the implementation of dynamic, zero-trust security architectures and how they can protect intellectual property in distributed work environments.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Enforcing dynamic security policies when running a distributed coding and data science process&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;All the technologies and application scenarios discussed here are supported by the strong.network platform for enterprises. Contact us at &lt;a href="mailto:hello@strong.network"&gt;hello@strong.network&lt;/a&gt; for more information. In this article, I explain some of the implementation choices that we took to implement zero-trust principles that&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr5kwn4jevfs7j567o0ss.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr5kwn4jevfs7j567o0ss.png" alt="Image description" width="800" height="612"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure - Photo by &lt;a href="https://unsplash.com/@theblowup"&gt;the blowup&lt;/a&gt; on &lt;a href="https://unsplash.com/"&gt;Unsplash&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;A zero-trust architecture implements security principles that protect data throughout the business operations of a global company. Jointly, the use of an information security standard such as ISO 27001 is a key source for choosing &lt;a href="https://strong.network/why-strong-network"&gt;security governance policies&lt;/a&gt; whose target is shaped by the reach and the aim of the process. I discuss these security principles here and how to tackle the challenges of implementing them.&lt;/p&gt;

&lt;h2&gt;
  
  
  Process Globalization at Scale
&lt;/h2&gt;

&lt;p&gt;Over the last 10 years, the forces of globalization have continually reshaped the business processes of corporations across all types of operations. In the case of development, companies have established centers of excellence, remote outposts and offshore teams to optimize budget allocation across their products and services. These companies have also increased technical collaborations with their peers and smaller partners, often to alleviate a skills shortage and boost their capability to innovate.&lt;/p&gt;

&lt;p&gt;What is fairly new is that their modus operandi is now being replicated by smaller companies, i.e. Small and Medium Enterprises (SMEs), thanks to the rise of freelancer platforms such as &lt;a href="https://www.upwork.com/"&gt;Upwork&lt;/a&gt; and &lt;a href="https://www.toptal.com/"&gt;Toptal&lt;/a&gt;, or simply through workforce outsourcing companies. In sum, the upfront cost to unbundle a product development process across a global team has become low enough that SMEs can now benefit from the new global data flows (&lt;a href="https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/digital-globalization-the-new-era-of-global-flows"&gt;see McKinsey’s Digital globalization: The new era of global flows&lt;/a&gt;). Process globalization can now be done at scale, i.e. across all company sizes.&lt;/p&gt;

&lt;p&gt;In many of the global development processes today such as the ones mentioned above, computer source code and supporting data are the main IP assets consumed and generated.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv9qevlnilarcyimgn36x.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv9qevlnilarcyimgn36x.png" alt="Image description" width="800" height="532"&gt;&lt;/a&gt;&lt;br&gt;
Figure - Photo by &lt;a href="https://unsplash.com/@capturelight"&gt;John Thomas&lt;/a&gt; on &lt;a href="https://unsplash.com/"&gt;Unsplash&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Sometimes, the central asset circulated across teams and locations is purely data and the output is an analysis often taking the form of a trained machine learning model for Artificial Intelligence (AI) applications.&lt;/p&gt;

&lt;p&gt;The ability to execute such a transaction epitomizes the capability brought by innovation tournament platforms for AI. It consists of pairing a company that holds an important dataset with the Crowd, i.e. a seemingly unorganized talent pool willing to solve a technical challenge over a short period of time, let’s say two weeks, in exchange for a payday often north of USD 10'000. Platforms such as Kaggle and others are among the brokers enabling such ephemeral collaborations.&lt;/p&gt;

&lt;p&gt;In all the scenarios presented so far, a nagging challenge for companies of any size, and often a significant cost for companies with outsourcing experience, is securing the business processes that support them.&lt;/p&gt;

&lt;p&gt;The security challenge at stake here is mainly the control and protection of company IP assets such as source code and data throughout the process. This is ideally done via the implementation of an IT infrastructure such as a &lt;a href="https://strong.network/article/the-need-for-secure-cloud-development-environments"&gt;secure Cloud Development Environment&lt;/a&gt; (secure CDE) that securely enables remote work locations, accommodates temporary workers cost-efficiently, and prevents data leaks during ephemeral collaborations, whether between companies or during innovation tournaments. Before we move on to the solution, note that I also discuss this security challenge in another article, &lt;em&gt;“&lt;a href="https://readings.strong-network.com/the-place-of-information-security-at-the-age-of-accelerations-dccc94bf4f23"&gt;The Place of Information Security in the Age of Accelerations&lt;/a&gt;”&lt;/em&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Demise of the IT Perimeter
&lt;/h2&gt;

&lt;p&gt;The classical way for companies to protect IP assets such as source code and data is to store them on servers in the Cloud or behind a bulwark referred to as the corporate IT perimeter. This way, machines within their premises are trusted to access these assets, whereas the ones outside are not.&lt;/p&gt;

&lt;p&gt;The IT perimeter is typically delimited by network elements such as firewalls and routers. Hence once behind these elements, authentication and authorization requirements for hosts are lesser than when they are outside.&lt;/p&gt;

&lt;p&gt;The changes in business process reach explained previously are forcing companies to provide data access to hosts both inside and outside the IT perimeter. The use of Virtual Private Network (VPN) connections is common to provide access to external hosts. However, a fundamental issue is the &lt;em&gt;trust allotted to hosts inside the network&lt;/em&gt;, whether connected physically or through VPN. As a result, a single compromised host can lead to an entire network being exposed through &lt;a href="https://en.wikipedia.org/wiki/Network_Lateral_Movement"&gt;a type of attack known as lateral movement&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Furthermore, the increased use of cloud resources blurs the distinction between inside and outside hosts.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq5venyrlobdl2tp3w0jo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq5venyrlobdl2tp3w0jo.png" alt="Image description" width="800" height="533"&gt;&lt;/a&gt;&lt;br&gt;
Figure - Photo by &lt;a href="https://unsplash.com/@thelowedown"&gt;Dave Lowe&lt;/a&gt; on &lt;a href="https://unsplash.com/"&gt;Unsplash&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In contrast, a &lt;em&gt;zero-trust architecture&lt;/em&gt; is built on the premise that no host is allotted any default amount of trust and all hosts incur thorough verification. At its core, it removes the distinction between a host being inside or outside.&lt;/p&gt;

&lt;p&gt;Furthermore, it assumes the network is compromised and that insider threats are active. Such an architecture is based on a set of cyber security design principles that implements a strategy which focuses on &lt;em&gt;protecting resources&lt;/em&gt;, i.e. the company’s IP assets, &lt;em&gt;as opposed to the network perimeter&lt;/em&gt;. Such a focus is actually embraced by best practices and guidelines such as the ones described in &lt;a href="https://www.iso.org/isoiec-27001-information-security.html"&gt;information security standards such as ISO 27001 and others in the ISO 27k series&lt;/a&gt;. Guidelines span from management practices to security policies towards core business process entities such as users, resources and applications.&lt;/p&gt;

&lt;p&gt;In short, the zero-trust approach prescribes &lt;em&gt;design principles&lt;/em&gt; to create an IT infrastructure that &lt;em&gt;focuses on resource protection&lt;/em&gt; by narrowing its scope in terms of access control (referred to as segmentation) and enabling continuous security assessment. In effect, the key benefit of a zero trust approach is the ability for a company to implement granular and dynamic security policies acting on a set of entities such as users, resources and applications.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Design a Process Architecture using Zero-Trust Principles
&lt;/h2&gt;

&lt;p&gt;I discuss here the basic elements of a &lt;a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf"&gt;zero-trust architecture&lt;/a&gt; and how they assemble into a supporting IT infrastructure through the application of design principles. A thorough explanation is available in the &lt;a href="https://csrc.nist.gov/publications/detail/sp/800-207/final"&gt;NIST Special Publication 800–207 specification document&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Part of the design process of a zero-trust architecture is first to identify the set of entities that plays a role in accessing resources. In that respect, it is best to start from the business needs, and even in some cases from the nature of the business process to support. A typical scenario is a set of users who through the use of applications get access to resources.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fss4tpncflob1h5s68ctn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fss4tpncflob1h5s68ctn.png" alt="Image description" width="800" height="122"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For example, in the case of a development process, users access workspaces (typically an Integrated Development Environment, i.e. an IDE) with access to resources such as code repositories, data buckets and external services to do their job, i.e. develop code and practice data science. Any of these resources can be deployed on premise or in the Cloud.&lt;/p&gt;

&lt;p&gt;The next step is to understand what type of security is necessary for the resources and express it as policies acting on the entities identified at the previous step. Here again, if preserving information security during operations is the goal, a standard such as ISO 27001 is a good source of inspiration. Depending on the industry, specific constraints attached to regulations are also considered.&lt;/p&gt;

&lt;p&gt;Because policies are based on attributes that are continuously assessed during operations, the last piece of this mechanism is the identification of a set of security functions to evaluate these attributes. These are your typical security functions such as &lt;em&gt;&lt;a href="https://en.wikipedia.org/wiki/Identity_management"&gt;Identity and Access Management (IAM)&lt;/a&gt;&lt;/em&gt;, Data Security, &lt;strong&gt;&lt;a href="https://en.wikipedia.org/wiki/Endpoint_security"&gt;Endpoint Security&lt;/a&gt;&lt;/strong&gt;, Security Analytics and possibly others depending on the nature of the process.&lt;/p&gt;

&lt;p&gt;Back to the case of the development process mentioned above, an example of policy could be:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Every confidential or regulated resource shall be accessed from a workspace whose networking and clipboard functions are monitored. In case the user is mobile, networking and clipboard functions are blocked.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;In addition to taking measures to protect sensitive company data, the above statement also covers a series of requirements from ISO 27001, namely A.12.4.1 Event Logging and A.6.2.1 Mobile Device Policy. The functions used to assess the status of this policy are the IAM mechanism (to authenticate and verify that the user has access to the resource), Security Analytics (to determine when the user is mobile), and a &lt;a href="https://en.wikipedia.org/wiki/Data_loss_prevention_software"&gt;Data Loss Prevention&lt;/a&gt; (DLP) mechanism as the endpoint security function.&lt;/p&gt;

&lt;p&gt;Finally, the last piece necessary to the architecture is a means to define and enforce security policies during operations. The &lt;a href="https://csrc.nist.gov/publications/detail/sp/800-207/final"&gt;NIST specification&lt;/a&gt; defines &lt;em&gt;Policy Decision Points&lt;/em&gt; and &lt;em&gt;Policy Enforcement Points&lt;/em&gt; that connect security functions to the process entities.&lt;/p&gt;

&lt;p&gt;The architecture model attached to the above example is represented in the next figure. Yellow circles represent policies and red triangles represent security functions. The data access flow is represented by the arrows.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvgsnlop7k92otod2a55o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvgsnlop7k92otod2a55o.png" alt="Image description" width="800" height="473"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once component definitions are in place, design principles are applied using a stepwise, iterative methodology. The first step is often the localization of all predefined entities, i.e. users, resources, applications, across the company (or in the Cloud) to which policies should apply.&lt;/p&gt;

&lt;p&gt;Hence practitioners will start with the identification of all data sources that require protection. Then, the same task is applied to applications that are used to access data. Generally all users are considered in this process.&lt;/p&gt;

&lt;p&gt;I gave a few examples of security functions in the previous text. The choice for these functions depends on the nature of the process and the security goals. Most importantly, these functions are used to assess the value of some of the attributes attached to entities and used to define security policies.&lt;/p&gt;

&lt;p&gt;In the policy example given previously, one of the user’s characteristics is whether she is mobile or not. The assessment is likely based on the recognition of her current IP address. Based on this result and the confidentiality attribute of the data source, the DLP function will be configured to abide by the policy. This example fits in the scope of a secure development process, where users can be located anywhere yet source code and data have to be protected at all times, illustrated in the figure below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6b6qiit4re3ko95kydio.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6b6qiit4re3ko95kydio.png" alt="Image description" width="653" height="236"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Note that I only went briefly over a few of the design steps to follow when applying zero-trust principles. A more complete yet concise explanation is in the PwC article &lt;em&gt;&lt;a href="https://www.pwc.com/sg/en/publications/assets/page/zero-trust-architecture.pdf"&gt;Zero Trust architecture: a paradigm shift in cybersecurity and privacy&lt;/a&gt;&lt;/em&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Challenges When Implementing Zero-Trust Architectures
&lt;/h2&gt;

&lt;p&gt;Companies are likely to encounter a few challenges when implementing zero-trust architectures. I discuss some of the typical ones below and how to tackle them. The third and last challenge in the list below, i.e. dealing with architecture scope, is definitely the one that deserves the most attention.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;User Experience&lt;/strong&gt; At first, it is likely that running the zero-trust process will require users to perform more authentication and authorization activities than before. This effect can be easily mitigated by making these activities transparent thanks to technologies that enable the use of a single identity provider and a single sign-on mechanism. Open standards such as OAuth, OpenID Connect and SAML enable the implementation of a mostly transparent authentication and authorization mechanism. In addition, the automated management of private and public key pairs helps manage identities across connected tools, e.g. external services, code repositories, data bucket providers, etc. on behalf of users.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Interoperability Considerations of Zero-Trust Products&lt;/strong&gt; The mitigation of interoperability issues is highly dependent on the vendor’s solution. It is important to verify that solutions are based on open standards. As I explained previously, a good start for assessing the goals of a zero-trust architecture is the business process that requires data security. The needs for interoperability stem from that business process as well.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Architecture Scope&lt;/strong&gt; An important design principle when building a zero-trust architecture is the definition of the scope. Finding the right scope for (access control) security comes through the application of microsegmentation. This is achieved in multiple ways.&lt;/p&gt;

&lt;p&gt;For starters, microsegmentation is a general security principle to reduce the attack surface by limiting access to resources on networks. For example, by narrowing the scope of the zero-trust architecture to a single (type of) process, for example the development process, resources only contributing to this process can be isolated from non-participating users or applications. In turn, this allows the isolation of data access flows only between the process participants. This can be implemented by providing and managing credentials that are only valid in the scope of the process at stake. This is microsegmentation at the &lt;em&gt;business process level&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Then, microsegmentation can be used to put a wrapper around the access control to resources. For example, practitioners might define that resources can only be accessed through the SSH protocol, with automatically managed cryptographic keys. This is microsegmentation &lt;em&gt;at the application protocol level&lt;/em&gt; (using the terminology based on the OSI model.)&lt;/p&gt;

&lt;p&gt;Finally, a connection to a repository is only allowed for whitelisted domains (i.e. IP addresses) or even a specific repository designated by name. This is microsegmentation at &lt;em&gt;the network level&lt;/em&gt;, i.e. the whitelisting of specific network destinations, i.e. domain names. The three steps of microsegmentation are represented in the figure below.&lt;/p&gt;

&lt;p&gt;In general, the goal of microsegmentation is to give practitioners the ability to set granular security policies that span multiple levels of abstraction, such as the ones exemplified above. This greatly reduces the attack surface and allows for easy and accurate auditing of the process operations.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhcgkw9qp3lmqnss9nr4u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhcgkw9qp3lmqnss9nr4u.png" alt="Image description" width="612" height="234"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Protecting Resources Using Zero-Trust Architectures
&lt;/h2&gt;

&lt;p&gt;In conclusion, the application of zero-trust architecture design principles is an enabler to deploy dynamic security policies, focusing on protecting resources as opposed to surveilling the network. By breaking free from its IT perimeter, a company can radically improve its security posture in relation to its IP assets, in particular when deploying its business processes globally. It allows the company to support business scenarios such as the ones introduced at the beginning of this discussion, i.e. outsourcing of business activities, remote teams, collaboration settings, crowd-based innovation tournaments, etc.&lt;/p&gt;

&lt;p&gt;Security policies are part of the company’s information security program and are likely derived from industry-specific regulations, but are also based on information security standards. The challenge of efficiently deploying a zero-trust architecture partly resides in the ability to focus on a manageable scope. Starting from the business process is likely the more sensible way to proceed. Then microsegmentation is applied such that the attack surface of entities within this context is reduced to a minimum. This, in turn, enables the definition of granular, continuously-assessed security policies that capture the diverse conditions reflected in complex and global business scenarios.&lt;/p&gt;




&lt;p&gt;All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at &lt;a href="mailto:hello@strong.network"&gt;hello@strong.network&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Copyright © 2020-2024 Strong Network All rights reserved.&lt;/p&gt;

</description>
      <category>zerotrust</category>
      <category>architecture</category>
      <category>cybersecurity</category>
      <category>development</category>
    </item>
    <item>
      <title>How to Onboard and Protect Remote Teams with Secure Cloud Environments</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Thu, 25 Jan 2024 14:10:19 +0000</pubDate>
      <link>https://dev.to/loransha256/the-virtual-secure-developer-laptop-2ggk</link>
      <guid>https://dev.to/loransha256/the-virtual-secure-developer-laptop-2ggk</guid>
      <description>&lt;h2&gt;
  
  
  How Secure Cloud Development Addresses the Challenge of Working Securely with Remote Teams
&lt;/h2&gt;

&lt;p&gt;The landscape of software development is constantly changing, and &lt;a href="https://strong.network/article/the-need-for-secure-cloud-development-environments"&gt;secure Cloud Development Environments&lt;/a&gt; (CDEs) have brought about a remarkable transformation in secure project management and execution when working with geographically dispersed teams using a remote development platform.&lt;/p&gt;

&lt;p&gt;Adding security to CDEs is extremely pertinent for organizations dealing with remote software development. These firms often struggle with issues such as remote team onboarding, maintaining uniformity in processes, and safeguarding security. Secure CDEs effectively tackle these issues, leading to a development process that's not only more streamlined and flexible but also more cost-effective by removing the need to send laptops secured against data leaks (&lt;a href="https://strong.network/article/the-virtual-secure-developer-laptop"&gt;I discuss this problem here&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;In this discussion, I am going to delve into how secure CDEs are redefining the remote development paradigm, enhancing team collaboration, ensuring process uniformity and security, cutting costs, and offering real-time analytics and monitoring. Connected to this topic, I previously wrote in DZone about the organizational aspects of building &lt;a href="https://strong.network/article/the-trusted-liquid-workforce"&gt;a liquid workforce of developers&lt;/a&gt;. In the present article, I am looking in more detail at the technical side of implementing a secure process for remote software development.&lt;/p&gt;

&lt;p&gt;Here are five aspects of operating a remote development team that benefit from the use of secure Cloud Development Environments, yielding an efficient remote development platform.&lt;/p&gt;

&lt;h2&gt;
  
  
  Enhanced Collaboration and Accessibility for Remote Teams
&lt;/h2&gt;

&lt;p&gt;The cornerstone of any successful outsourcing endeavor is effective collaboration. Platforms to manage secure CDEs redefine this aspect by offering a mechanism where geographically dispersed teams can work together easily.&lt;/p&gt;

&lt;p&gt;Because CDEs are available online, the ability to access a unified development environment, e.g. &lt;a href="https://docs.strong.network/workspace/template.html#templates"&gt;using pre-defined templates&lt;/a&gt;, from anywhere in the world ensures that team members are always on the same page, regardless of their physical location.&lt;/p&gt;

&lt;p&gt;This global accessibility not only makes it easier to integrate diverse skill sets into the development process but also ensures that projects can progress around the clock, leveraging different time zones. This set-up is ideal for a BYOD strategy. You can actually compare the cost of a BYOD strategy against sending secure laptops with &lt;a href="https://strong.network/cde-impact-calculator"&gt;this online calculator tool&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdr9nqrhycluxuydayrk5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdr9nqrhycluxuydayrk5.png" alt="Image description" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;&lt;em&gt;Figure&lt;/em&gt;&lt;/strong&gt;&lt;em&gt;: Coding environments delivered as CDEs are available online, which ensures access to teams regardless of their physical location.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Onboarding Remote Teams on Standardized Development Environments
&lt;/h2&gt;

&lt;p&gt;The agility of CDEs is a boon for organizations dealing with fluctuating project demands (which connects to the &lt;a href="https://strong.network/article/the-trusted-liquid-workforce"&gt;liquid workforce&lt;/a&gt; concept that I discussed previously). The cloud-based nature of CDEs means that onboarding a new team member is as simple as providing access to the platform, significantly reducing the lead time and allowing for rapid scaling as per project requirements.&lt;/p&gt;

&lt;p&gt;In addition, CDEs serve as a single source of truth for development teams. By standardizing &lt;a href="https://docs.strong.network/workspace/template.html#templates"&gt;the development environments using templates&lt;/a&gt;, they ensure that every member employed by the outsourcing firm works with a consistent set of tools and configurations, in accordance with the customer project. This uniformity plays a crucial role in minimizing compatibility issues and streamlining the development process. It ensures that the code developed is consistent and maintainable, regardless of the number of hands it passes through, which is a common scenario in remote development.&lt;/p&gt;

&lt;h2&gt;
  
  
  Security and IP Protection With Remote Teams
&lt;/h2&gt;

&lt;p&gt;One of the primary concerns in handling development through remote teams is the security of code and intellectual property. Secure CDEs precisely address this concern by providing robust security features such as controlled data access, as well as data loss prevention mechanisms that prevent data leaks.&lt;/p&gt;

&lt;p&gt;The centralized nature of secure CDEs means that sensitive data and intellectual property are stored securely in the cloud, rather than on individual devices, reducing the risk of data breaches. To fully realize data protection, the remote development platform needs to provide security against data leaks for the entire developer workflow. In contrast, CDE platform providers such as &lt;a href="https://strong.network/comparison/codespaces"&gt;Codespaces&lt;/a&gt;, Google Workstation, Coder, and Gitpod do not focus on preventing data exfiltration. In other words, it is trivial to exfiltrate data from these platforms since their focus is mainly productivity. &lt;a href="https://strong.network/article/made-cde-secure"&gt;In this other article&lt;/a&gt;, I explain how and why a secure CDE platform needs to take a “workflow” perspective to protect data while working with remote teams. This is illustrated in the figure below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ls3xvqiejqeh6kpverz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ls3xvqiejqeh6kpverz.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;&lt;strong&gt;Figure&lt;/strong&gt;&lt;/em&gt;: &lt;em&gt;Secure CDEs in particular address this by providing robust security features like controlled data and web application access, and data loss prevention mechanisms that prevent data exfiltration.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Cost-Effective Infrastructure With Secure Cloud Environments
&lt;/h2&gt;

&lt;p&gt;CDEs eliminate the need for heavy investment in hardware and software licenses. With cloud-based development environments, outsourcing companies can opt for scalable resource consumption models that are more economical and flexible. This is particularly beneficial for small to medium-sized firms that can now compete with larger organizations by leveraging the power of CDEs without the burden of significant upfront costs.&lt;/p&gt;

&lt;p&gt;Here again, using an &lt;a href="https://strong.network/cde-impact-calculator"&gt;online calculator&lt;/a&gt;, you can assess potential cost reductions in infrastructure expenses (corporate laptop, endpoint security, etc.) using secure CDEs as opposed to deploying hardware devices.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F82qsrgfr1en1du9izmri.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F82qsrgfr1en1du9izmri.png" alt="Image description" width="800" height="565"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;&lt;em&gt;Figure&lt;/em&gt;&lt;/strong&gt;: &lt;em&gt;The flexibility of Cloud resource consumption allows organizations to control their capital expenditures when working with remote teams.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Analytic Capabilities of Remote Development Platforms
&lt;/h2&gt;

&lt;p&gt;From a risk control perspective, monitoring security and performance is an important aspect of onboarding and working with remote teams using secure CDEs.&lt;/p&gt;

&lt;p&gt;Comprehensive monitoring and analytic capabilities are essential for a remote development platform. Organizations can leverage these features to gain insights into team performance, resource utilization, and process efficiency. This data is invaluable for making informed decisions, optimizing workflows, and continuously improving the service quality offered to clients.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fonrdiktyi514vymbx7zz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fonrdiktyi514vymbx7zz.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;&lt;em&gt;Figure&lt;/em&gt;&lt;/strong&gt;&lt;em&gt;: Comprehensive monitoring and analytics capabilities allow organizations to gain insights into team performance, resource utilization, and process efficiency.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Best Practices in Secure Remote Development
&lt;/h2&gt;

&lt;p&gt;In conclusion, secure Cloud Development Environments signify a transformative change in the realm of secure remote team onboarding and remote software development. These environments not only streamline collaboration but also bring standardization and heightened security to a remote development platform.&lt;/p&gt;

&lt;p&gt;The most important aspect when onboarding remote development teams is to provide an adequate security and performance mechanism for process governance. For that, only secure CDEs can deliver a reliable secure environment since this requires taking a workflow perspective to securing data.&lt;/p&gt;

&lt;p&gt;To fulfill this goal, I explained that secure CDEs precisely address this need by providing robust security features like controlled data, secured web application access, as well as data loss prevention mechanisms that prevent data exfiltration across the IDE and the other applications used by the developer during daily tasks, such as code repository applications, CD/CI applications, etc. More information about this particular technical aspect of secure CDE platforms &lt;a href="https://strong.network/article/made-cde-secure"&gt;can be found here&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at &lt;a href="mailto:hello@strong.network"&gt;hello@strong.network&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Copyright © 2020-2024 Strong Network All rights reserved.&lt;/p&gt;

</description>
      <category>developer</category>
      <category>virtualmachine</category>
      <category>programming</category>
      <category>security</category>
    </item>
    <item>
      <title>The Trusted Liquid Workforce</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Thu, 25 Jan 2024 13:33:54 +0000</pubDate>
      <link>https://dev.to/loransha256/the-trusted-liquid-workforce-3719</link>
      <guid>https://dev.to/loransha256/the-trusted-liquid-workforce-3719</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;In this revisited version of my 2022 article on the subject of managing a remote development workforce, I discuss strategies to securely incorporate a 'liquid workforce', exemplifying the use of secure Cloud Development Environments to implement digital trust while providing flexibility to developers when working remotely.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Remote Developers Are Part of the Liquid Workforce
&lt;/h2&gt;

&lt;p&gt;The concept of a liquid workforce (see &lt;a href="https://www.forbes.com/sites/forbeshumanresourcescouncil/2020/01/06/how-and-why-companies-should-engage-the-liquid-workforce/?sh=7c6e79a56f92"&gt;Forbes&lt;/a&gt;, &lt;a href="https://www.santander.com/en/stories/liquid-work"&gt;Banco Santander&lt;/a&gt;, etc.) is mostly about this: a part of the workforce is not permanent and can be adapted to dynamic market conditions. In short, in a liquid workforce a proportion of the staff is made up of freelancers, contractors and other non-permanent employees. Today, it is reported that about &lt;a href="https://www.entrepreneur.com/article/328834"&gt;20% of an IT workforce&lt;/a&gt;, including &lt;a href="https://narrasoft.com/impact-of-outsourcing-in-the-gaming-industry/"&gt;software developers&lt;/a&gt;, is liquid in a significant part of the Fortune 500 companies.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4jayloagt2fpfk2vl51q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4jayloagt2fpfk2vl51q.png" alt="Image description" width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: It is reported that about 20% of an IT workforce is liquid in a significant part of the Fortune 500 companies.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Actually, working as a freelancer has been a common practice in the media and entertainment industry for a long time. This model is catching up today in many other industries. From the gig economy, to the increasing sentiment stemming from Gen-Y and Gen-Z’ers that employment should be flexible, multiple catalysts are contributing to the idea that the liquid approach is likely to continue eroding the classic workforce.&lt;/p&gt;

&lt;p&gt;For corporations, this is actually a “perfect storm” that can be put to good use to adapt to increasingly faster changing market conditions. Indeed, the acceleration of the pace of technology and the issue for corporations to maintain a skill set that enables them to be competitive can be tackled by embracing this concept.&lt;/p&gt;

&lt;h2&gt;
  
  
  Remote Software Development in Startups and SMEs
&lt;/h2&gt;

&lt;p&gt;In practice today, more SMEs and startups actually outsource part, or sometimes most, of their software development workforce.&lt;/p&gt;

&lt;p&gt;A key enabler to onboarding a liquid workforce is the democratization, in the world of application development and data science, of the use of only cloud-based infrastructure components (GitHub, GitLab, data buckets, etc.) to manage source code and data. Expectedly, this opens the possibility for (permanent and ephemeral) workforce members to work from anywhere because the corporate infrastructure is, indeed, available anywhere. The use of &lt;a href="https://strong.network/what-are-cdes"&gt;Cloud Development Environments&lt;/a&gt; is part of this trend and provides a mechanism to onboard developers across the globe on pre-installed environments.&lt;/p&gt;

&lt;p&gt;Younger companies are adopting new types of tools and infrastructure faster than corporations and can then be more flexible with regard to enabling remote data access. Therefore the rise of the liquid workforce is more likely to be a bottom-up initiative across the industry in terms of company size.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1t5h4xnjiuka0y9hm9yg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1t5h4xnjiuka0y9hm9yg.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: &lt;a href="https://strong.network/what-are-cdes"&gt;Cloud Development Environments&lt;/a&gt; provide a mechanism to onboard developers across the globe on pre-installed environments, connecting to online services.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In addition, there are hundreds of companies situated in countries where labor cost and skill sets are combined advantageously that provide access to a liquid workforce.&lt;/p&gt;

&lt;p&gt;Today, IT business process outsourcing and external application development are all together &lt;a href="https://www.statista.com/topics/2257/business-process-outsourcing-industry-worldwide/"&gt;a USD 92 billion market&lt;/a&gt;. If you are openly eager to hire external help on LinkedIn, you will get contacted several times by boutique outsourcing partners, mostly from the Balkans or Asia. Consumers of these services really span the entire set of corporation sizes, across all industries.&lt;/p&gt;

&lt;p&gt;I have talked to a dozen of these service companies and sadly, very few have a clear plan of how to effectively protect the data of their customers. Most protective mechanisms hover around legal paperwork. Although this approach might be comforting for large corporations, this is mostly a sham for any smaller business setting that cannot really afford to take legal action, let alone in an international context.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Secure Development When Using Remote Developers
&lt;/h2&gt;

&lt;p&gt;Unsurprisingly, digital trust has to catch up with the liquid IT phenomenon. In practice, there are three simple measures that companies of all sizes can put in place to infuse a good sense of security. Ease of adoption is directly dependent on how these measures can be delivered, i.e. cost-effectively and with a minimal impact on operations.&lt;/p&gt;

&lt;p&gt;The &lt;em&gt;number one measure&lt;/em&gt; is to automate and streamline the onboarding process. In the domain of code development and data science where the set of necessary software components to enable productivity is quite significant, this is a tricky issue. Hence a performant and economically efficient onboarding mechanism to bring on liquid contributors has to be put in place first. I mentioned the use of Cloud Development Environments as an enabler for that.&lt;/p&gt;

&lt;p&gt;Once on board, the &lt;em&gt;number two measure&lt;/em&gt; is to ensure continuous data protection. This is another thorny issue because of the lack of a classic corporate IT perimeter. Yet, as I explained previously, the Cloud is an efficient medium to allow remote access. From a security perspective, public and private clouds, e.g. Google GCP, AWS and Azure, have reached a level of security that keeps most small-time cybercriminals and script kiddies at bay. In effect, this has &lt;em&gt;migrated the attack surface&lt;/em&gt; for hackers to the network’s edges. In other words, the danger around data leaks becomes mostly confined around data access points and the developer’s behavior at each endpoint of the network rather than a centralized Cloud storage problem. Here, &lt;a href="https://strong.network/article/the-need-for-secure-cloud-development-environments"&gt;&lt;em&gt;Secure Cloud Development Environments&lt;/em&gt;&lt;/a&gt; are the key enabler for protecting data on “the edge” of the development process.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ruxdnls2go1igex37yn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ruxdnls2go1igex37yn.png" alt="Image description" width="666" height="375"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: &lt;a href="https://strong.network/article/the-need-for-secure-cloud-development-environments"&gt;Secure Cloud Development Environments&lt;/a&gt; are the key enabler to onboard a liquid workforce while securing data while in use by developers and when accessed globally.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Putting it simply, it used to be that your internal servers might be targeted. Now, with a Cloud-based IT infrastructure, it’s mostly your endpoints, i.e. the developers’ laptops, that are prey. Indeed, in practice it is much easier to steal a laptop than to hack Google. In addition, malicious employee activities, aka &lt;em&gt;&lt;a href="https://www.businessinsider.com/workers-are-increasingly-stealing-sensitive-data-from-their-companies-2021-8?r=US&amp;amp;IR=T"&gt;insider threats around intellectual property theft such as source code and data&lt;/a&gt;&lt;/em&gt;, are now becoming one of the growing concerns for corporations. This seems to be an outcome of embracing a liquid workforce (too naively), i.e. liquidity seems to erode some employees’ ethics as well!&lt;/p&gt;

&lt;p&gt;Finally, the &lt;em&gt;number three measure&lt;/em&gt; is setting up a continuous and adaptive audit system that enables the collection of security and compliance events across the entire Cloud-based infrastructure, including &lt;em&gt;in particular its edges&lt;/em&gt;. Compliance with information security standards such as ISO 27001 (in particular the appendices) and SOC-2 is a starting point to set up a minimally sufficient protection program. As I mentioned above, technologies such as zero trust access control and data loss prevention, &lt;em&gt;in particular cloud-delivered&lt;/em&gt;, are some of the mechanisms that are contributing to enabling the secure liquid workforce. Because Secure Cloud Development Environments are accessed online, creating an audit trail is quite simple. Logs can be centrally collected with little effort and plugged into a SIEM tool.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foc6ct54jumeah84b8les.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foc6ct54jumeah84b8les.png" alt="Image description" width="800" height="198"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: Events can be collected from Secure Cloud Development Environments in real-time since they are running online.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Address Data Protection Challenges When Using Remote Developers
&lt;/h2&gt;

&lt;p&gt;The shift towards a more flexible development workforce necessitates an innovative approach to digital trust to onboard remote developers securely. Companies can bolster security and facilitate this transition by implementing three key measures: (1) streamlining the onboarding process, (2) ensuring continuous data protection, and (3) establishing a robust audit system.&lt;/p&gt;

&lt;p&gt;First, leveraging the trend of coding online using &lt;a href="https://dzone.com/articles/coding-goes-online-a-brief-guide-to-cloud-developm"&gt;Cloud Development Environments&lt;/a&gt; simplifies the complex onboarding process for developers and data scientists, making it economically viable and efficient. You can learn more about the way to onboard remote developers &lt;a href="https://strong.network/webinar/devops-pro"&gt;in this 2023 DevOps Pro Europe presentation&lt;/a&gt;. This approach is crucial for seamlessly integrating developers into the workflow.&lt;/p&gt;

&lt;p&gt;Second, the transition to cloud-based IT infrastructure has shifted the focus to securing data at access points and monitoring endpoint behaviors, as cloud platforms like GCP, AWS, and Azure already offer strong defenses against common cyber threats. Here, &lt;a href="https://strong.network/article/the-need-for-secure-cloud-development-environments"&gt;secure Cloud Development Environments&lt;/a&gt; are instrumental in safeguarding remote data on the network's edge, addressing the nuanced challenges presented by a dispersed workforce.&lt;/p&gt;

&lt;p&gt;Finally, as organizations navigate the complexities of securely integrating remote developers, these measures offer a roadmap to securing digital assets while accommodating the needs and dynamics of modern IT practices. The shift towards cloud-based solutions and the strategic implementation of security measures underscore the evolution of digital trust in tandem with the liquid IT phenomenon, ensuring that productivity, security, and compliance can be balanced.&lt;/p&gt;




&lt;p&gt;All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at &lt;a href="mailto:hello@strong.network"&gt;hello@strong.network&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Copyright © 2020-2024 Strong Network All rights reserved.&lt;/p&gt;

</description>
      <category>cloud</category>
      <category>cde</category>
      <category>productivity</category>
      <category>devops</category>
    </item>
    <item>
      <title>The Need for Secure Cloud Development Environments</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Thu, 25 Jan 2024 11:44:15 +0000</pubDate>
      <link>https://dev.to/loransha256/the-need-for-secure-cloud-development-environments-105g</link>
      <guid>https://dev.to/loransha256/the-need-for-secure-cloud-development-environments-105g</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;In this brief article we review the benefits of implementing such a migration using secure CDEs, in the context of a diverse, partly in-shore, near-shore and off-shore development workforce.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Secure CDEs: Addressing Both Productivity and Security Concerns
&lt;/h2&gt;

&lt;p&gt;The use of Cloud Development Environments (CDEs) allows the migration of coding environments online. Solutions range from using a self-hosted platform to using a hosted service. In particular, CDEs with data security, i.e. secure Cloud Development Environments, provide the dual benefit of enabling productivity and security simultaneously.&lt;/p&gt;

&lt;p&gt;Examples given in this article are based on the CDE platform proposed by Strong Network. The implementation of CDE platforms is still in its infancy and there is no clear consensus on what should be the standard functionalities.&lt;/p&gt;

&lt;p&gt;The approach taken by Strong Network is to have a dual focus, i.e. leverage CDEs from both a productivity and security standpoint. This is in contrast to using CDEs primarily as a source of efficiency. Embedding Security in CDEs allows for their deployment in Enterprise settings where security of data and infrastructure is a requirement.&lt;/p&gt;

&lt;p&gt;Furthermore, it is possible to deliver via CDEs security mechanisms in a way that actually improves productivity as opposed to setting additional hurdles for developers. This is because these mechanisms aim at automating many of the manual security processes falling on developers in classic environments, for example the knowledge and handling of credentials.&lt;/p&gt;

&lt;p&gt;The review of benefits in this article spans three axes of interest for organizations with structured processes. They also align with the main reasons for enterprise adoption of CDEs as suggested in &lt;a href="https://strong.network/news/strong-network-cde-gartners-agile-and-devops-report"&gt;Gartner's latest DevOps and Agile report&lt;/a&gt;. The reasons hover around benefits in centralized management, improved governance and opportunities for data security. We revisit these themes in detail below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcxevjk75vjuz6bv633v9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcxevjk75vjuz6bv633v9.png" alt="Image description" width="587" height="430"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure - The positioning of Cloud Development Environments in Gartner's Technology Hype Curve, in comparison with Generative AI, is noteworthy. The emergence of this technology provides significant opportunities for CDE platform vendors to deliver innovative functionalities.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Streamline the Management Of Cloud Development Environments
&lt;/h2&gt;

&lt;p&gt;Let's first consider a classic situation where developers each have the responsibility to install and manage their development environment on their devices. This is a manual, often time-consuming and local operation. Moreover, jumping from one project to another requires duplicating the effort, and potentially dealing with interference between project-specific resources.&lt;/p&gt;

&lt;h2&gt;
  
  
  Centralized Provisioning and Configuration
&lt;/h2&gt;

&lt;p&gt;The above chore can be streamlined with a CDE managed online. Using an online service, the developer can select a development stack from a catalog and ask for a new environment to be built on demand, and in seconds. When accessing the platform, the developer can deal with any number of such environments and immediately start developing in any of them. This functionality is possible thanks to the definition of infrastructure as code, and lightweight virtualization. Both aspects are &lt;a href="https://strong.network/what-are-cdes"&gt;implemented with container technology&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7hturu4va06u0bp3iqrz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7hturu4va06u0bp3iqrz.png" alt="Image description" width="800" height="422"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure - The centralized management of Cloud Development Environments allows for remote accessibility and funnels all resource access through a single entry point.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Development Resources and Collaboration
&lt;/h2&gt;

&lt;p&gt;Environment definition is only one of the needs when starting a new project. The CDE platform can also streamline access to resources, from code repositories to APIs, down to the access of secrets necessary to authenticate to cloud services.&lt;/p&gt;

&lt;p&gt;Because coding environments are managed online with a CDE platform, new collaboration paradigms between developers become possible. For example, as opposed to more punctual collaboration patterns such as providing feedback on submitted code via a code repository application (i.e. via a Pull-Request), more interactive patterns become available thanks to the immediacy of using an online platform.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4m1nsimb0e7qwuv9d0vo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4m1nsimb0e7qwuv9d0vo.png" alt="Image description" width="590" height="167"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure - Using peer-coding, two developers can type in the same environment, for example in order to collaboratively improve the code during a discussion via video-conference.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Some of the popular interactive patterns explored by vendors are peer-coding and the sharing of running applications for review.&lt;/p&gt;

&lt;p&gt;Peer-coding is the ability to work on the same code at the same time by multiple developers. If you have used an online text editor such as Google Docs and shared it with another user for co-editing, peer-coding is the same approach applied to code development. This allows a user to edit someone else's code in her environment.&lt;/p&gt;

&lt;p&gt;When running an application inside a CDE-based coding environment, it is possible to share the application with any user immediately. In a classic setting, this requires pre-emptively deploying the application to another server, or sharing a local IP address for the local device, provided this is possible. This process can be automated with CDEs.&lt;/p&gt;

&lt;h2&gt;
  
  
  Cloud-Delivered Enterprise Security Using Secure CDEs
&lt;/h2&gt;

&lt;p&gt;CDEs are delivered using a platform that is typically self-hosted by the organization in a private cloud or hosted by an online provider. In both cases, functionalities delivered by these environments are available to the local devices used to access the service without any installation. This delivery method is sometimes referred to as Cloud-delivery. So far, we mentioned mostly functionality attached to productivity such as the management of environments, access to resources and collaborative features.&lt;/p&gt;

&lt;p&gt;In the same manner, security features can also be Cloud-delivered, yielding the additional benefit of realizing secure development practices with CDEs. From an economic perspective, this becomes a key benefit at enterprise-level because many of the security features managed using locally installed endpoint security software can be reimagined. It is our opinion that there's a great deal of innovation that can flourish by rethinking security using CDEs. This is why the &lt;a href="https://strong.network/why-strong-network"&gt;Strong Network platform&lt;/a&gt; delivers data security as a core part of its functionalities.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm7fjuczdhf6csjr10wfh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm7fjuczdhf6csjr10wfh.png" alt="Image description" width="652" height="384"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure - Using secure Cloud Development Environments, the data accessed by developers can be protected using different mechanisms enabled based on context, for example based on the status of the developer in the organization.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Development Data Requires Security
&lt;/h2&gt;

&lt;p&gt;Most if not all companies today deliver some of their shareholder value via the development of code, the generation and processing of data, and the creation of intellectual property, likely by leveraging both aforementioned resources. Hence, the protection of the data feeding the development workforce is paramount to run operations aligned with the shareholders’ strategy.&lt;/p&gt;

&lt;p&gt;Unfortunately, the diversity and complexity from an infrastructure perspective of the development processes often makes the protection of data an afterthought. Even when anticipated, it is often a partial initiative based on opportunity-cost considerations.&lt;/p&gt;

&lt;p&gt;In industries such as Banking and Insurance where regulations forbid any shortcuts, resorting to remote desktops and other heavy, productivity-impacting technology is often a parsimoniously-applied solution.&lt;/p&gt;

&lt;p&gt;When the specter of regulation is not a primary concern, companies taking shortcuts may end up paying the price of a bad headline, on a collision course with stakeholder interests. In 2023, security-minded company &lt;a href="https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/"&gt;Okta leaked source code&lt;/a&gt;, along with many others such as &lt;a href="https://www.securityweek.com/circleci-hacked-malware-employee-laptop/"&gt;CircleCI&lt;/a&gt;, &lt;a href="https://www.malwarebytes.com/blog/news/2023/01/slack-private-code-on-github-stolen#:~:text=Online%20collaboration%20platform%20Slack%20reported,accessed%20using%20swiped%20employee%20tokens."&gt;Slack&lt;/a&gt;, &lt;a href="https://www.indiatoday.in/technology/news/story/gta-v-source-code-has-now-leaked-on-discord-a-dark-web-website-and-a-telegram-channel-2480675-2023-12-26"&gt;etc&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Types of Security Mechanisms
&lt;/h2&gt;

&lt;p&gt;Using CDEs to deliver security via the Cloud is efficient because, as mentioned previously, no installation is required, but also because:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;mechanisms are independent from the device’s operating system;&lt;/li&gt;
&lt;li&gt;they can be updated and monitored remotely;&lt;/li&gt;
&lt;li&gt;they are independent from the user’s location;&lt;/li&gt;
&lt;li&gt;they can be applied in an adaptive manner, for example based on the specific role and context of the user.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Regarding the type of security mechanisms that can be delivered, these are the typical ones:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Provide a centralized access to all the organization resources such that access can be monitored continuously.&lt;/li&gt;
&lt;li&gt;Centralized access enables the organization to take control of all the credentials for these resources, i.e. in a way that users do not have direct access to them.&lt;/li&gt;
&lt;li&gt;Implement data loss prevention measures via the applications used by developers such as the IDE (i.e. code editor), code repository applications, etc.&lt;/li&gt;
&lt;li&gt;Enable real-time observability of the entire workforce, via the inspection of logs using a SIEM application.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Conclusion: Realize Secure Software Development Best-Practices with Secure CDEs
&lt;/h2&gt;

&lt;p&gt;We explained that the use of secure cloud development environments jointly benefits both the productivity and the security of the development process.&lt;/p&gt;

&lt;p&gt;From a productivity standpoint, there's a lot to gain from the centralized management opportunity that the use of a secure CDE platform provides.&lt;/p&gt;

&lt;p&gt;From a security perspective, delivering security mechanisms via the Cloud brings a load of benefits that transcend the hardware used by developers to participate in the development process. In other words, the virtualization of development environment delivery is an enabler to foster the efficiency of a series of maintenance and security operations that are performed locally. It brings security for software development and allows organizations to implement secure software development best-practices.&lt;/p&gt;

&lt;p&gt;This also provides an opportunity to template process workflows in an effort to make both productivity and security more systematic, in addition to reducing the cost of managing a development workforce.&lt;/p&gt;




&lt;p&gt;All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at &lt;a href="mailto:hello@strong.network"&gt;hello@strong.network&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Copyright © 2020-2024 Strong Network All rights reserved.&lt;/p&gt;

</description>
      <category>devops</category>
      <category>development</category>
      <category>cde</category>
      <category>productivity</category>
    </item>
    <item>
      <title>How Sirius Technologies Reduces IT Costs by 46% With Secure Cloud Development Environments</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Thu, 25 Jan 2024 11:27:38 +0000</pubDate>
      <link>https://dev.to/loransha256/how-sirius-technologies-reduces-it-costs-by-46-with-secure-cloud-development-environments-40c6</link>
      <guid>https://dev.to/loransha256/how-sirius-technologies-reduces-it-costs-by-46-with-secure-cloud-development-environments-40c6</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;The case study describes how Sirius Technologies reduced IT costs by 46% by adopting Strong Network's Secure Cloud Development Environments (CDEs). This strategy enhanced productivity and security, streamlined onboarding, and improved resource management, particularly for a distributed workforce and BYOD policy.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  A Case Study About Secure Cloud Development Environments
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;A webinar and the transcript about this case study &lt;a href="https://strong.network/webinar/sirius"&gt;are available here&lt;/a&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This case study examines Sirius Technologies' deployment of a platform to manage Cloud Development Environments (CDEs), transitioning from local to online coding environments.&lt;/p&gt;

&lt;p&gt;Focused on financial services and broader industry transformation, the study looks at Sirius Technologies’ use of Strong Network’s platform for secure Cloud Development Environments over two years and covers how the company addresses challenges in productivity, intellectual property management, and global collaboration with clients and partners.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Mission of Sirius Technologies
&lt;/h2&gt;

&lt;p&gt;Sirius Technologies aims to provide high-quality financial services to underserved markets and drive transformation in the BFSI sector, in particular by providing a platform to optimize the entire software development life cycle of financial services. By adopting Better Finance principles, Sirius Technologies aims to broaden its clients’ service reach, reduce costs, and ensure accessible financial services. Check our supplement at the end of this report to learn more about Sirius’ mission.&lt;/p&gt;

&lt;p&gt;Here is how Jing Li, Sirius Technologies’ founder and CEO, explains his company’s motto and his own journey through digital personalized finance.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"We are committed to pushing the boundaries of what's achievable in financial technology through the strategic application of distributed architecture and cloud computing technology."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Jing was formerly the Lead Architect of China’s first privately owned and fully digital bank, WeBank. Together with the leadership team, the solution they designed and built quickly scaled to over 350 million users.&lt;/p&gt;

&lt;p&gt;Drawing on his experience and WeBank’s success with open-source technology and cloud-native banking, and adopting the principles of Embedded Finance, Sirius Technologies helps its BFSI clients build a robust foundation for an open, cloud-native, and scalable digital enterprise. In turn, these clients enjoy a broader service reach while reducing costs and ensuring accessible financial services for their end users.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc03j7by2pswuc8sh0ov5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc03j7by2pswuc8sh0ov5.png" alt="Image description" width="140" height="140"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: Jing Li, CEO of Sirius Technologies&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Addressing Challenges with Secure CDEs
&lt;/h2&gt;

&lt;p&gt;Sirius Technologies has a complex, multi-region growth strategy, collaborating with partners who use, co-develop and resell its technology. This results in a network of distributed teams needing access to its intellectual property. The combination of Sirius Technologies' BYOD policy and numerous partners managing their own devices presents a unique challenge, necessitating a flexible and secure IT infrastructure. This environment makes Sirius Technologies an ideal candidate for a platform that delivers secure Cloud Development Environments (CDEs).&lt;/p&gt;

&lt;p&gt;Here is how Jing explains these challenges:&lt;br&gt;
&lt;em&gt;"Sirius Technologies' product setup is complex, requiring new team members, like developers and project managers, to access and be assigned permissions on multiple systems such as Jira and GitLab. Previously, the company used a VPN for access control, which was cumbersome and led to service stability issues. Additionally, protecting intellectual property was a constant challenge, as the VPN system allowed developers to download source code to personal laptops, posing a significant security risk."&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In essence, Sirius Technologies faces a significant challenge in managing its intellectual property due to the presence of numerous local data replicas on personal devices, a direct result of its Bring Your Own Device (BYOD) policy. This situation makes it difficult for the company to control and enforce data access and usage effectively.&lt;/p&gt;

&lt;p&gt;Addressing these issues is crucial for Sirius Technologies in maintaining a secure development environment. As explained, the company operates across multiple locations and must support a distributed workforce that includes developers and partners acting as System Integrators (SI). This diversity adds layers of complexity, especially when external parties need varied data access levels. This is particularly pertinent if Sirius Technologies is committed to complying with security standards like ISO 27001, in particular to work with banks.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sidebar: Gartner’s Cloud Development Environments
&lt;/h2&gt;

&lt;p&gt;Cloud Development Environments or CDEs is an emerging technology identified by Gartner in the August 2023 Agile and DevOps Report.&lt;/p&gt;

&lt;p&gt;While the purpose of CDEs is initially regarded mostly as improving the agility of the development process (most existing vendors focus on these benefits), CDEs also provide a great opportunity to embed security in the development process.&lt;/p&gt;

&lt;p&gt;According to Gartner, by 2026, CDEs will be used to build and deploy 60% of cloud workloads.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvgd0djf7ttxh1bh5cd4o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvgd0djf7ttxh1bh5cd4o.png" alt="Image description" width="579" height="431"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: Gartner’s CDE technology’s positioning in the Hype Curve “&lt;em&gt;By 2026, CDEs will be used to build and deploy 60% of cloud workloads&lt;/em&gt;.”&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Secure CDE Platform Set-Up at Sirius Technologies
&lt;/h2&gt;

&lt;p&gt;Sirius Technologies has adopted Strong Network’s enterprise platform for secure CDEs to support the entire development workforce, including its business partners.&lt;/p&gt;

&lt;p&gt;The figure here shows a schematic of Sirius Technologies' CDE platform setup in use today. On the developer side, devices only require a web browser in order to access the development environment (IDE and terminals) and the web applications used for standard collaboration such as GitLab and Jira. Hence developers do not need to install any specific client besides a web browser on their devices.&lt;/p&gt;

&lt;p&gt;From a productivity standpoint, Sirius Technologies’ team uses templates provided by the platform for their environment configurations so that any developer and business partner can be onboarded in a consistent manner with very little effort. In particular, Sirius Technologies’ internal developers have access to a self-serve platform to create and manage their environments, based on predefined templates that specify parameters such as resource consumption, data and service access control and security settings.&lt;/p&gt;

&lt;p&gt;IDEs, terminals and the access to web applications are protected with data loss prevention measures. These measures ensure that data can't be exfiltrated in a trivial manner to the local device, for example through the clipboard or network operations.&lt;/p&gt;

&lt;p&gt;After using the platform for over two years, Jing explains how using secure CDEs is benefiting Sirius Technologies’ operations.&lt;/p&gt;

&lt;p&gt;"*The introduction of templates on Strong Network has significantly simplified Sirius Technologies' onboarding and resource allocation processes. New team members can quickly begin work with a few clicks, using pre-configured templates for immediate setup.&lt;/p&gt;

&lt;p&gt;Developers are organized by project and assigned specific GitLab repositories, with the ability to create and dismantle development environments as needed, enhancing flexibility and reducing setup time. This standardization has notably increased productivity.&lt;/p&gt;

&lt;p&gt;Furthermore, intellectual property protection has improved with enforced access to sensitive information through a secure browser, eliminating the need for traditional VPNs. All operations, including using the Cloud IDE, are conducted through Strong Network, boosting security and operational efficiency.*"&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnmcu98lqvysx3or7pdgd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnmcu98lqvysx3or7pdgd.png" alt="Image description" width="658" height="379"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: Graphical representation of the platform set-up as used by the team at Sirius Technologies and the business partners.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Assessing Reduction in Costs Using Secure CDEs
&lt;/h2&gt;

&lt;p&gt;Let's focus on some key economic figures now. Besides productivity and security, another major benefit of using secure CDEs is the reduction in infrastructure costs. And by moving resource consumption towards an on-demand model, savings are significant.&lt;br&gt;
In the case of secure CDEs, security is effective simply using a browser like Chrome or Edge. While the platform also supports accessing CDEs using a local IDE, the use of a Cloud IDE, i.e. running in a browser, brings simplicity and added security. This mechanism is effective on developers' devices without any need for installation. Hence savings with secure CDEs also come from maintenance costs.&lt;br&gt;
To keep the economic benefits of this case study conservative, we assess savings only around capital expenses on devices and recurring resource consumption. Here, resource consumption is the CPU and memory necessary for developers to run their compilation workloads. In addition, we need to factor in the service cost to run the platform on a private Kubernetes service, in the case of Sirius Technologies, using Huawei’s service. Finally, we add the license cost for the platform.&lt;br&gt;
Notably, this analysis doesn't factor in the resulting productivity gains, which can be quite significant, in particular around IT infrastructure management and developers’ daily operations. Because this is an important subject matter, we address it in this webinar [1] available on the &lt;a href="http://strong.network"&gt;Strong Network website&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Benchmark: Classic Setting
&lt;/h2&gt;

&lt;p&gt;To benchmark the total cost of ownership in a classic setting for an infrastructure covering the needs of over 100 developers, as is the case for Sirius Technologies, we use the following figures:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Developers are provided with a USD 3000 laptop amortized over a period of two years,&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;each laptop is set up with a standard development toolset for productivity and security amounting to about USD 600/year (estimated license cost of bundling Docker Desktop™, Teleport™ Team version, Hatica™ analytics, Symantec™ Endpoint Security),&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;laptops incur a cost of maintenance of 65% based on the information in the reference study [2].&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Secure Cloud Development Environment Settings
&lt;/h2&gt;

&lt;p&gt;In BYOD mode and using the CDE platform for development, the incurred costs stem from the CDE platform license (around USD 1200/user/year), the CDE platform’s maintenance cost, and Cloud resources consumption.&lt;/p&gt;

&lt;p&gt;To get a conservative estimate of resource cost, we assume that developers work 8 h/day, 5 days/week, 4 weeks/month and 12 months/year, i.e. 8x5x4x12=1920 hours in total per year. In terms of resources, at Sirius Technologies developers use virtual machines (VMs) with 8 CPUs and 16 GB of RAM.&lt;/p&gt;

&lt;p&gt;For completeness, we consider the additional case of providing a thin device. Thin devices typically have limited computational power, i.e. not suitable for application building yet sufficient for common daily operations such as task planning, email, spreadsheets, and collaboration. A typical thin device costs USD 1000 and can run any OS such as Windows, MacOS, Linux or ChromeOS. Devices running Chrome OS are particularly attractive because of their efficiency cost ratio and the strong security model.&lt;/p&gt;

&lt;p&gt;Hence we report here benefits along three scenarios: corporate laptops, and the use of secure CDEs both in BYOD (as in Sirius Technologies' case) and using thin devices.&lt;/p&gt;

&lt;p&gt;Note that you can assess your own savings from adopting CDEs using the &lt;a href="https://strong.network/cde-impact-calculator"&gt;online calculator&lt;/a&gt;. Compared to the result with the online calculator, Sirius Technologies’ case study is tuned to their own scenario, such as the resources used by developers and specific costs on the Huawei cloud, hence the results are slightly different.&lt;/p&gt;

&lt;h2&gt;
  
  
  Operating Cost Savings using Secure CDEs
&lt;/h2&gt;

&lt;p&gt;Upon analyzing the savings across various categories, Sirius Technologies estimates that software and maintenance costs are reduced by 49%, and the current use of (solid) 8 CPU/16 GB VMs leads to 44% in resource consumption savings.&lt;/p&gt;

&lt;p&gt;Note that, for the sake of comparison, using smaller 4 CPU/8 GB VMs instead leads to close to 70% savings in resources, yielding a performance comparable to the one obtained with a USD 3000 laptop. Overall, total savings (with the largest VMs) amount to 46% compared to the use of corporate laptops.&lt;/p&gt;

&lt;p&gt;It is important to note that factoring for increased productivity in IT infrastructure management and developers’ operations will lead to greater savings.&lt;/p&gt;

&lt;p&gt;In the hypothetical use of thin devices rather than a BYOD policy, savings are more modest yet very attractive for organizations. Based on figures retrieved in reports [2] and [3], software and maintenance costs are reduced by close to 30%, and the use of 8 CPU/16 GB VMs and 4 CPU/8 GB VMs leads to close to 11% and 35% in resource consumption savings, respectively.&lt;/p&gt;

&lt;p&gt;In this case, total savings (with the largest VMs) amount to over 20% compared to the use of corporate laptops.&lt;/p&gt;

&lt;p&gt;Notably, onboarding costs are down by 90% and 95% based on the benchmark suggested in report [3]. For each scenario, namely corporate laptops, thin devices and BYOD, recommended average times for onboarding amount to 80, 8 and 4 hours, respectively. Cost is obtained by multiplying these times by a cost of USD 50/hour.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkwu1m655h37i8dmsqn8n.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkwu1m655h37i8dmsqn8n.png" alt="Image description" width="508" height="430"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: Cost comparative analysis between the three scenarios with a split between resources, software and maintenance, and deployment costs.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;When asked about the advantages of operating with a CDE cost model, Jing emphasizes the benefits of going BYOD: &lt;em&gt;"Indeed, when we compare the current approach to the traditional method of issuing company laptops and installing numerous security agents on them, the difference is clear. These security measures often slow down the computers significantly. By avoiding these costs and computational slowdowns, the savings we achieve are substantial."&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;About resource consumption and client delivery, Jing notes the following: &lt;em&gt;"The current work environment for developers is active only during their active work periods, contrasting with the previous Enterprise Software Development (ESD) setup that required systems to run continuously. Developers now have access to 8 cores and 16GB of RAM, with ongoing considerations for further optimizations. This strategy focuses on adequately equipping developers with necessary resources, moving away from practices that previously caused delays and inefficiencies, such as waiting for builds to complete."&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;This case study illustrates the transformative impact of adopting secure Cloud Development Environments (CDEs) in the contemporary business landscape. By partnering with Strong Network, Sirius Technologies has adeptly navigated the challenges of data security and IT productivity, particularly in a BYOD (Bring Your Own Device) context.&lt;/p&gt;

&lt;p&gt;A notable aspect of Sirius Technologies' implementation is the enhanced developer experience, in particular with the ability to have a self-serve secure CDE platform for developers to generate pre-configured, security-compliant coding environments. In addition, the platform enables developers to access flexible computing resources while Sirius Technologies can control resource expenditures (by the hour, based on Huawei's billing).&lt;/p&gt;

&lt;p&gt;Furthermore, the case study highlights the balance Sirius Technologies achieves between ensuring robust security measures and maintaining an agile, collaborative development environment. This equilibrium is crucial in a distributed team structure, allowing the company to sustain its rapid growth and global expansion.&lt;/p&gt;

&lt;p&gt;Overall, Sirius Technologies' journey exemplifies a successful integration of technology, strategic vision, and operational excellence. It serves as a compelling case for other businesses contemplating a similar digital transformation, showcasing the potential of CDEs in driving business innovation, enhancing developer productivity, and ensuring secure development practices in a highly interconnected digital world.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;p&gt;[1] Accelerating DevOps: &lt;a href="https://strong.network/webinar/devsecops"&gt;Reviewing DevOps Productivity With Cloud Development Environments&lt;/a&gt;, Webinar&lt;br&gt;
[2] &lt;a href="https://bit.ly/3RGoiAy"&gt;Using Total Cost of Ownership to Determine Optimal PC Refresh Lifecycles&lt;/a&gt;, WIPRO.&lt;br&gt;
[3] &lt;a href="https://bit.ly/3LDBjqR"&gt;The Total Economic Impact Of Amazon Web Services End-User Computing&lt;/a&gt;, Forrester Total Economic Impact Report (TEI).&lt;/p&gt;

&lt;h3&gt;
  
  
  Supplement: The Business of Sirius Technologies
&lt;/h3&gt;

&lt;h2&gt;
  
  
  The Global Market of Personal Finance
&lt;/h2&gt;

&lt;p&gt;The evolving landscape in the digital realm, particularly driven by the widespread adoption of mobile technology, has led to a significant diversification of people's daily digital service needs in the domain of finance. In particular, the global personal finance market size was valued at USD 0.94 billion in 2019 and is predicted to reach USD 1.8 billion by 2030 with a CAGR of 6.1% from 2020 to 2030.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnc87zfvrtafg1hm5mifg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnc87zfvrtafg1hm5mifg.png" alt="Image description" width="800" height="519"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure: &lt;a href="https://www.nextmsc.com/report/personal-finance-software-market"&gt;According to NMSC&lt;/a&gt;, the global personal finance market size was valued at USD 0.94 billion in 2019 and is predicted to reach USD 1.8 billion by 2030 with a CAGR of 6.1% from 2020 to 2030.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The increasing importance of convenience and accessibility in digital services has made it challenging and costly for banks and financial institutions to meet diverse needs individually. Consequently, adopting a collaborative and embedded approach is becoming crucial for offering a broader range of services.&lt;/p&gt;

&lt;p&gt;Despite some resistance from banks and financial institutions to these changes, regulatory bodies are intervening with open banking and insurance policies. These policies promote competition and data sharing, in line with global regulatory trends.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Sirius Technologies Approaches Customers’ Platform Delivery
&lt;/h2&gt;

&lt;p&gt;Enhancing personalized financial services requires tailoring products to meet partners' specific needs, moving beyond standardized offerings. Adapting business models and processes to suit diverse end-users while using the same product is essential.&lt;/p&gt;

&lt;p&gt;This necessitates an agile and flexible service delivery approach, focusing on seamlessly embedding solutions into existing systems rather than forcing conformity to a single working method.&lt;/p&gt;

&lt;p&gt;Sirius Technologies’ response to these challenges is 'composable innovation.' This approach involves structuring its internal product framework to ensure that all components are composable. By doing so, the company can quickly assemble specific workflows tailored to unique requirements of individual partners.&lt;/p&gt;

&lt;p&gt;Jing exemplifies the above point as follows:&lt;br&gt;
&lt;em&gt;“Our platform provides foundational, Lego-like building blocks, easily combined with our composable tools to tailor solutions for specific partner needs.&lt;br&gt;
In contrast to other solutions, which adapt composability later, our platform was designed from the start with composability at its core.&lt;br&gt;
Our aim is to offer essential elements for digital transformation, helping partners transition into the era of Better Finance.”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvw2j12xg4rnhuv734u4j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvw2j12xg4rnhuv734u4j.png" alt="Image description" width="800" height="377"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure (top): Sirius Technologies' illustration of a composable IT framework for financial services.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  The Core Principles of Better Finance
&lt;/h2&gt;

&lt;p&gt;The Core Principles of Better Finance, as described, are as follows:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Financial Inclusion: Enhancing access to financial services for broader demographics, particularly underserved communities.&lt;/li&gt;
&lt;li&gt;Personalization: Providing customized financial advice and products based on individual financial behavior and goals.&lt;/li&gt;
&lt;li&gt;Digital Banking: Offering banking services through online platforms and mobile applications for convenience and accessibility.&lt;/li&gt;
&lt;li&gt;Financial Literacy: Educating customers on managing finances, understanding financial products, and making informed decisions.&lt;/li&gt;
&lt;li&gt;Transparency: Ensuring clear communication about fees, interest rates, and the risks associated with financial products.&lt;/li&gt;
&lt;li&gt;Sustainable Finance: Promoting financial practices and products that are environmentally conscious and socially responsible.&lt;/li&gt;
&lt;li&gt;Data Security: Implementing robust measures to protect the privacy and security of customer data in digital transactions.&lt;/li&gt;
&lt;li&gt;Customer Support: Delivering efficient, reliable, and responsive customer service for inquiries and issue resolution.&lt;/li&gt;
&lt;li&gt;Innovation: Continuously adapting to and integrating new technologies to improve financial services and customer experiences.&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;All material in this text can be shared and cited with appropriate credits. For more information about our platform, please contact us at &lt;a href="mailto:hello@strong.network"&gt;hello@strong.network&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Copyright © 2020-2024 Strong Network All rights reserved.&lt;/p&gt;

</description>
      <category>development</category>
      <category>softwaredevelopment</category>
      <category>startup</category>
      <category>management</category>
    </item>
    <item>
      <title>Secure Cloud Development: Ten Tenets for Enterprise Data Security</title>
      <dc:creator>Laurent Balmelli, PhD</dc:creator>
      <pubDate>Thu, 25 Jan 2024 10:58:14 +0000</pubDate>
      <link>https://dev.to/loransha256/secure-cloud-development-ten-tenets-for-enterprise-data-security-4661</link>
      <guid>https://dev.to/loransha256/secure-cloud-development-ten-tenets-for-enterprise-data-security-4661</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;In this article, we discuss the critical role of data security in the cloud for enterprises. In particular, we review ten security tenets and highlight how Secure Cloud Development Environments (CDEs) are essential for protecting sensitive data, ensuring regulatory compliance, and maintaining customer trust.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Ten Key Reasons for Implementing Secure Cloud Development Environments in Enterprises
&lt;/h2&gt;

&lt;p&gt;In the rapidly evolving digital landscape, data security when developing in the Cloud has emerged as a cornerstone for enterprises across the globe. Here, we delve into the top ten reasons why enabling data security when working with Cloud-based environments such as online containers is paramount for the enterprise market.&lt;/p&gt;

&lt;p&gt;As organizations navigate through vast amounts of sensitive data, safeguarding this digital asset becomes not just a necessity but a strategic imperative. For that purpose, Cloud Development Environments with embedded security, i.e. Secure Cloud Development Environments, are a critical component of secure software development, that is, security around all the development assets used across the DevOps process.&lt;/p&gt;

&lt;p&gt;The use of secure Cloud Development Environments (CDEs) is also an ideal way to &lt;a href="https://strong.network/webinar/devsecops"&gt;implement and automate Enterprise DevSecOps strategies&lt;/a&gt; and put in place secure software development best practices, because secure CDEs give organizations control over their development workflow.&lt;/p&gt;

&lt;p&gt;Learn how Strong Network’s platform to manage Secure Cloud Development Environments is achieving the 10 enterprise security goals below &lt;a href="https://strong.network/demo"&gt;by booking a demo with us&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Strong Network provides the first platform to manage secure Cloud Development Environments in the Enterprise market. By using it, organizations achieve unmatched asset security, in particular source code protection, application and service credentials protection, and general protection against data exfiltration with the most advanced Data Loss Prevention mechanism for Cloud Development Environments.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft467bxlttucozyditg7w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft467bxlttucozyditg7w.png" alt="Image description" width="630" height="339"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Figure - Strong Network provides the first platform to manage secure Cloud Development Environments - The goal is to protect the entire developer workflow against data leaks.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Protection of Sensitive Information&lt;/strong&gt;&lt;br&gt;
Enterprises often handle an array of sensitive data, including customer details, financial records, and trade secrets. This data, if compromised, can have catastrophic implications. Implementing robust data security measures is paramount to prevent unauthorized access and ensure the confidentiality and integrity of this sensitive information.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Regulatory Compliance&lt;/strong&gt; &lt;br&gt;
With data breaches on the rise, regulatory bodies worldwide have tightened their data protection laws. Regulations like GDPR, HIPAA, and PCI-DSS mandate stringent data security protocols. Non-compliance not only leads to hefty fines but can also invite legal complications, making compliance a critical aspect of enterprise data security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Maintaining Customer Trust and Brand Reputation&lt;/strong&gt;&lt;br&gt;
In the digital age, customer trust is a valuable currency. Data breaches can severely tarnish an enterprise's reputation, leading to loss of customer trust and loyalty. Prioritizing data security helps maintain a positive brand image and assures customers that their data is in safe hands.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Preventing Financial Losses&lt;/strong&gt;&lt;br&gt;
The financial repercussions of a data breach are significant, encompassing breach mitigation costs, legal fees, and potential compensatory payments. Moreover, a breach can result in business losses and a decline in shareholder value. Investing in data security is, therefore, a prudent financial decision for enterprises.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Mitigating Cyber Threats&lt;/strong&gt;&lt;br&gt;
The cyber threat landscape is ever-evolving, with sophisticated threats like ransomware and phishing attacks posing constant challenges. Robust data security protocols act as a bulwark against these threats, protecting enterprise data from malicious actors.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;6. Enabling Digital Transformation&lt;/strong&gt;&lt;br&gt;
Digital transformation has become a strategic initiative for many enterprises. This transformation, however, expands the attack surface. Data security ensures that embracing cloud services, big data, and IoT technologies does not compromise data integrity and confidentiality.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;7. Supporting Remote Work and Mobility&lt;/strong&gt;&lt;br&gt;
The shift towards remote work and a mobile workforce necessitates secure access to data from various locations and devices. Data security measures ensure that this flexibility does not become a liability, safeguarding data regardless of where or how it is accessed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;8. Intellectual Property Protection&lt;/strong&gt;&lt;br&gt;
For many enterprises, intellectual property (IP) is a critical asset. Protecting this IP from theft or espionage is crucial to maintaining a competitive edge and fostering innovation. Effective data security measures are essential to safeguard these invaluable assets.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;9. Global Business Operations&lt;/strong&gt;&lt;br&gt;
With enterprises operating in multiple jurisdictions, each with its unique data protection laws, comprehensive data security becomes imperative. It not only ensures compliance across borders but also instills confidence in international clients and partners.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;10. Business Continuity and Resilience&lt;/strong&gt;&lt;br&gt;
In the event of a cyberattack or data breach, the ability to continue operations is crucial. Data security is a key component of business continuity planning, ensuring minimal disruption and quick recovery from any security incidents.&lt;/p&gt;

&lt;p&gt;In conclusion, data security in the enterprise market is not merely about compliance or risk mitigation; it's a strategic business decision that underpins all aspects of modern enterprise operations. From protecting sensitive information and maintaining customer trust to enabling digital transformation and safeguarding intellectual property, the role of data security is all-encompassing. As enterprises continue to navigate the complex digital ecosystem, prioritizing data security will be pivotal to their success and sustainability. It's an investment that not only safeguards against immediate threats but also lays the foundation for a secure, resilient, and prosperous future in the digital world.&lt;/p&gt;





</description>
      <category>development</category>
      <category>data</category>
      <category>linux</category>
      <category>cloud</category>
    </item>
  </channel>
</rss>
