Laurent Balmelli, PhD
Rediscovering DevOps’ Heartbeat With Secure Cloud Development Environments

How Cloud Development Platforms “Elevate” DevOps

Let me start by briefly explaining what a Cloud Development Environment is: typically running a Linux OS with applications, it offers a pre-configured environment that allows for coding, compilation, and other operations similar to a local environment. From an implementation standpoint, such an environment is akin to a remotely running process, often virtualized through technologies like Docker or Podman. For a general overview of CDEs, check this article.

CDE technology is driving the fastest DevOps transformation trend today with the entire cloud-native development industry moving development environments online. These environments just became one of Gartner's new technology categories in August 2023. Notably, Gartner expects 60%+ of cloud workloads to be built and deployed using CDEs by 2026.

Figure: Online containers can be leveraged at the heart of the DevOps' Three Ways

Today, organizations can decide to manage them with a self-hosted platform or use one of the services attached to a Cloud provider when available. Yet overall, platforms to manage these environments are today in their infancy and their features widely differ across vendors. Hence, there is a great deal of flexibility on how to implement the technology and, most importantly, what the business use cases cover.

In my opinion, when faced with choosing a platform for CDEs, businesses should opt for one that delivers both productivity and data security. Using a secure Cloud Development Environment, i.e. one that provides data security, allows organizations to deploy quite diverse mechanisms, for example: protect against data exfiltration and infiltration, automate DevSecOps best practices, generate security reviews, etc. This type of security is typically the aim of a Virtual Desktop Infrastructure by Citrix or, more recently, the goal of using an Enterprise Browser (Island, Talon, or Chrome Enterprise).

One reason is that many companies, including technology companies, have suffered attacks on their assets such as source code, customer data, and other intellectual property. Recent high-profile cases around source code leaks include Slack's GitHub repositories, CircleCI, and Okta in December 2022. Most importantly, I believe that security should be positioned as a productivity booster that contributes to an improved developer experience, as opposed to an impediment.

One of the common denominators between existing platforms is the aim to make code development more efficient. Whether or not you choose to consider security in the mix, it is clear that CDEs can potentially unleash a great amount of productivity that benefits a DevOps workflow. This is the reason why I take here a fresh look at DevOps’ core principles and rethink how these environments can shed new light on them. These principles are also referred to as the three ways and are explained in The DevOps Handbook by Kim, Debois, and Willis.

Online Environments Accelerate DevOps' Principle of Flow

From a process perspective, DevOps is about implementing the three principles (or ways): namely the principles of flow, feedback, and continuous learning. In my opinion, explaining the benefits of CDEs in this context is a good way to understand some of their key impacts.

Figure: DevOps’s three ways, i.e. Flow, Feedback and Continuous Learning, as pictured in The DevOps Handbook by Kim, Debois, and Willis

Let’s start with the _principle of flow_. The first principle emphasizes the smooth and efficient movement of work from development through testing, and deployment down to operations and monitoring. It aims to minimize bottlenecks, optimize processes, and enable a continuous and seamless delivery pipeline. The flow is often represented by the series of stages arranged along the infinity sign.

CDEs are an efficient way to implement the principle of flow because they allow users to have fully isolated workspace settings when dealing with multiple projects, enabling straightforward and impactless context switching between them.

A good CDE platform provides developers with multiple tools to manage and configure their CDEs, in particular, based on company policies. For example, self-service access to CDEs for developers is an important benefit.

CDEs are also easily replicated for testing and can be reassigned across users as necessary. They can be fully templated, provisioned within seconds on pliant resources, and accessed by any developer regardless of their location. Here, a good CDE platform offers comprehensive operations to project and IT managers that enable CDE management and observability at scale.

Figure: The use of CDEs starts at the DevOps’ Code stage and enables organizations to maintain consistent environments across stages. A CDE and its access mechanisms are represented by a tile and a series of icons, respectively.

Clearly, the online deployment of CDEs allows centralized management, observability, and access in such a way that it really enhances DevOps' principle of flow.

Today the inclusion of remote developers is part of most organizations' operations. The online nature of CDEs is great for onboarding developers in fully configured environments, regardless of their location. Providing access to the organizations’ resources is also an important aspect of onboarding. Here, CDEs provide a new opportunity to access development resources in a centralized manner, in particular one that offers enhanced control and observability.

To couple productivity with flexibility, a good CDE platform must provide an access permission model to resources that allow handling different types of developers, different scenarios of development (internal, collaborative, etc), and different types of resources. For example, a role-based and attribute-based access control (RBAC/ABAC) coupled with a mechanism to classify resources enables organizations to set up risk controls and ensure governance even in complex workflow situations. This greatly enhances the possibility of designing efficient and collaborative development flows.

Figure: Onboarding a diverse set of developers requires a mechanism to manage access permission to resources based on role. Permissions can also be assessed dynamically based on properties such as the user location, etc.
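The permission model described above can be sketched as a default-deny decision function in which the role caps the resource classification a user may reach (RBAC) and a request-time attribute, here the user's country, further restricts the most sensitive class (ABAC). This is an added example, not code from the article or from any CDE platform; the roles, classification levels and country list are assumptions.

```python
from dataclasses import dataclass

# Constructed policy data: roles, classification levels and countries are
# assumptions for illustration, not values from the article.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
ROLE_CEILING = {"contractor": "public",
                "collaborator": "internal",
                "employee": "confidential"}
TRUSTED_COUNTRIES = {"CH", "DE"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    country: str  # attribute evaluated at request time, not stored with the role


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str


def decide(user, resource):
    """Return (allowed, reason). Anything unknown is denied by default."""
    ceiling = ROLE_CEILING.get(user.role)
    if ceiling is None or resource.classification not in LEVELS:
        return False, "unknown role or classification"
    # RBAC: the role sets the highest classification the user may reach.
    if LEVELS[resource.classification] > LEVELS[ceiling]:
        return False, f"role {user.role} is capped at {ceiling}"
    # ABAC: confidential resources additionally require a trusted location.
    if (resource.classification == "confidential"
            and user.country not in TRUSTED_COUNTRIES):
        return False, "location not trusted for confidential resources"
    return True, "ok"


if __name__ == "__main__":
    repo = Resource("core-repo", "confidential")
    print(decide(User("alice", "employee", "CH"), repo))
    print(decide(User("alice", "employee", "US"), repo))
```
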

Finally, one of the great aspects of the joint use of CDEs and Web-based IDEs is that onboarding developers on thin devices or in BYOD mode becomes an immediate accelerator for business expansion.

How To Bring Immediacy to DevOps’ Principle of Feedback

The principle of feedback involves establishing mechanisms for communication and collaboration between different stages of the development and operations processes. This includes collecting feedback from various sources, such as end-users, monitoring systems, and testing processes. An important aspect of this principle is that it enables better collaboration between developers.

The second principle of DevOps is best exemplified by the Pull Request (PR) mechanism implemented in code repository applications. Using a PR, developers can provide comments on the work submitted from a branch before it is merged into the application.

The online nature of CDEs brings the principle of feedback even closer to the developer, i.e. before work reaches the code repository, right at the center of the coding activity. This benefit is realized by the CDE, often in conjunction with the mechanisms used to access or monitor it, such as the IDE, terminal, network, orchestration, etc.

Because CDEs are online running processes, it is easy to observe the work as it's being done. This is reminiscent of observing the user experience of website visitors. In my opinion, this is the area where there is the most opportunity for bringing productivity and security at the core of the development.

Figure: Because CDEs can be accessed remotely, it is easy to measure some of their properties such as running processes and allocated resources.

For example, it is easy to measure in real-time, over a fleet of CDEs, e.g. shared by developers working on a common project, the average compilation time necessary to build the application (see the above figure). This brings immediate and valuable information to the project manager about productivity.

It is also easy to look at the information passing through the developers' clipboard and the CDE's network traffic. Using these channels we can provide feedback to developers and managers. For example, from an infrastructure security perspective, it is easy to monitor for potential data exfiltration and prevent loss of intellectual property.

But through the same channel, one can also look for potential infiltration of pernicious data. For example, imagine that you can detect a credential inside a developer's clipboard: what about inquiring about the intention of the developer performing this operation? The same is possible when a developer is about to paste source code collected from a random website inside your code base. Would you like to flag it and automate the creation of a security review? What about detecting malware before it reaches your code base or systematically flagging AI-generated code?

Figure: The control on CDEs and their supporting infrastructure is an opportunity to semantically analyze input data such as credentials, licensed source code, and potential malware. Similarly, it allows setting data leak prevention measures.
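The clipboard check described above can be sketched as a small inspector that scans text about to be pasted into a CDE, matches well-known credential shapes, applies an entropy test to generic `name = value` assignments, and returns a decision that a platform could use to open a security review. This is an added example, not code from the article or from any CDE platform; the rule set, the entropy threshold and the sample clipboard content are assumptions.

```python
import math
import re
from collections import Counter

# Well-known credential shapes; a small sample rule set, not exhaustive.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic "name = value" secrets are reported only when the value looks random.
ASSIGNMENT = re.compile(
    r"(?i)\b(?:password|passwd|secret|token|api_key)\b\s*[:=]\s*['\"]?([^\s'\"]{12,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Keep a short prefix only, so the finding itself does not leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def inspect_paste(text):
    """Return a decision and the findings for text about to enter a CDE."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append({"rule": rule, "line": lineno,
                                 "match": redact(m.group(0))})
        for m in ASSIGNMENT.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append({"rule": "high_entropy_assignment",
                                 "line": lineno, "match": redact(m.group(1))})
    return {"decision": "review" if findings else "allow", "findings": findings}


# Constructed clipboard content; the AWS key is the public documentation placeholder.
SAMPLE = '''export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password = "changeme-changeme"
api_key: "f3Zq9LxT7pWb2RkVd8Hs"
'''

if __name__ == "__main__":
    print(inspect_paste(SAMPLE))
```

The low-entropy `password` line is deliberately not reported, which shows how the entropy gate keeps placeholder values from generating review noise.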

Clearly, CDEs and the infrastructure components that are used to funnel data into them are a medium to bring a new crop of best practices in DevOps and DevSecOps and revisit DevOps’ principle of feedback. Through the examples that I gave above, you can see that infrastructure security can liaise with the principle of code security!

A good CDE platform will definitely provide an artillery of new and creative DevOps and DevSecOps automation. In addition, there is a great opportunity to revisit standardized and accepted metrics such as DORA and SPACE to bring them closer to the activity that developers spend the most time on: writing code in the IDE.

Close-Up on the Principle of Continuous Learning

Now let’s finish this discussion with the third principle, the principle of continuous learning. This principle underscores the importance of fostering a culture of ongoing improvement and learning within the development and operations teams. It involves regularly gathering feedback, analyzing performance metrics, and incorporating lessons learned from each stage of the development and deployment process to enhance efficiency and innovation.

The immediacy of web platforms and the opportunity that they bring around the observability of their running business processes also enables organizations to learn about themselves. This is a boon to increase the potential of continuous learning.

Initially, DevOps' expectations of continuous learning are around bettering applications in operation, i.e. in use by the customer. But when the entire development process is run as a cloud application, there are many valuable things that organizations can learn about their own platform-based development process.

Along that vein, CDE platforms bring a new level of observability and allow business optimization around several critical areas. I have discussed how organizations can learn about their performance around application delivery and its security posture. But they can also learn about cloud and physical assets' utilization, as well as monitor the cost of IT functions and resources allotted to development. The platform also brings a fantastic opportunity to centralize the implementation of productivity and risk controls while systematically enforcing them across geographically scattered teams. In practice, modern CDE platforms need to allow the simultaneous use of multiple Clouds across multiple regions. Most importantly, their capability to _uniformly deliver complex services_ to organizations makes it easy to implement governance mechanisms that do not get in the way of users’ daily tasks.

Figure: DevOps’s principle of continuous learning can also apply to the development process itself. CDEs yield a new swath of process measurements that benefit governance, accountability, and risk controls.

In conclusion, good CDE platforms should bring a wealth of metrics and functionalities to organizations such that they retake control of a development process that is often scattered, non-uniform across hardware and applications, and at times obscured from a security perspective. This is why, in my opinion, the adoption trend will follow unabated. In addition, we should see a greater demand for the ability of CDE providers to enhance security controls while making sure they ultimately don't have any negative impact on developer productivity. Finally, developing CDE properties as a way to enhance the three ways of DevOps is a great framework to drive innovation in a meaningful way for the development community.

Published at Dev.to with permission of Laurent Balmelli, PhD. See the original article here.
