On October 8, Squad organized a round table discussion on the topic of Cloud and DevOps. The agenda included discussions on trends, security, data, and more. We were able to compare three different points of view: those of Abdelfettah SGHIOUAR (Google Cloud Engineer), Christophe Chaudier (Freelancer and Radio DevOps Podcaster), and Jordan Assouline (Technical Evangelist Squad).
[#1] The cloud revolution is here, what's next?
The revolution is here, but it will take a long time for everyone to adopt the best practices defined by cloud service providers. In 10 or 20 years, everyone will be using CI/CD, DevOps, DevSecOps, and SRE.
"Many use the cloud, but not only that, they also use hybrid solutions. They manage infrastructures, but move certain services to the cloud, so they don't migrate everything."
Abdelfettah SGHIOUAR
Some companies are constantly evolving. The transition to the cloud is not as straightforward as it seems, because some companies have invested in data center equipment and need to recoup that investment. Others are adapting their on-premises infrastructure to the cloud. In fact, CI/CD and DevOps can be done with a physical or virtual server.
"I still encounter companies that are not involved in virtualization at all. They are moving from bare metal to the cloud directly, without going through virtualization, or from bare metal to containers."
Abdelfettah SGHIOUAR
In short, the cloud has revolutionized the way things are done, but not necessarily in terms of its adoption by everyone. "The transition to the cloud is slow, because it also requires a change in the culture and mindset of employees," Abdel points out.
"I also notice that our clients are applying cloud-based methods to on-premise systems. The transition is happening; it's possible depending on the maturity of the technologies, but also on the methodology." Jordan Assouline
Christophe, for his part, notes that a large proportion of companies have not yet made the shift to DevOps and the cloud. There are two types of companies: those that still have a data center (these are the ones wondering why they should move to the cloud, and why it matters); and pure players. Emerging companies (or startups) are moving directly to the cloud.
"The question we need to ask ourselves is: What is my business? Should we operate our infrastructure and our business side by side? Or is our business to do our job?"
Christophe Chaudier
Some older companies have not yet asked themselves the question, "What is my business?", even though they are still operating within their existing infrastructure.
Do you think it is possible to go back?
Christophe highlights the environmental aspect: Today, the centralization of data centers allows us to consume less hardware.
"If every company built its own data center, it would take up more space, and space is expensive. I believe more in the emergence of small cloud operators than in the re-internalization of a company's infrastructure."
Christophe Chaudier
International news, particularly politics, has a significant impact on technology. If a country decides to close its borders, all technology will have to be repatriated.
"In Morocco, for example, there are restrictions on data hosting. Companies are not allowed to host data outside the country. Small Moroccan hosting companies are emerging."
Abdelfettah SGHIOUAR
Then there are companies that switch between Cloud and Prem'Cloud. Companies mainly move to the Cloud because it brings them added value; there is much more than just VMs and data storage...
On the technical side, many companies use containerization with Docker (leading the way), but with the advent of microservices and orchestrators such as Kubernetes, what new technologies will change the cloud?
Today, the big emergence is "ServerLess."
"As a developer, I only work on my container and execute a command, without worrying about the server or storage. Knative is an abstraction layer on top of Kubernetes that allows you to deploy a container, and the Knative framework takes care of scaling up and down." Abdelfettah SGHIOUAR
The trend is moving from compute (i.e., containers) to serverless for other offerings, including message queues, CDN (content delivery network), and all application dependencies.
Previously, the trend was more toward client-server, but today we are moving more toward a SaaS model.
"The trend is ultimately towards being able to connect via a tool. We are increasingly moving towards an 'online' model, with cloud computing. A return to the mouse and keyboard connected to a server and available at all times. Edge computing is set to be one of the major revolutions in the coming years."
Christophe Chaudier
Abdel has also noticed the emergence of edge computing. "I've had experiences with edge computing in places where there isn't necessarily an internet connection."
"They installed their own Kubernetes cluster in the stores: it allows them to manage everything themselves, employee badges, CCTV cameras, etc. The idea is to bring processing back to where it's needed." Abdelfettah SGHIOUAR
More than just IoT, the company uses Intel NUC x86 processors in three machines, which bootstrap automatically. This brand was a pioneer, as it was among the first to do so. With the cloud, it is therefore possible to perform updates, monitor remotely, and apply patches. Today, several companies offer this service.
What about security?
Companies such as Orange can afford to have their own data centers.
"In my opinion, I think we are moving towards more services. In the cloud and IT, there are two things: software and hardware. Just because software management is outsourced to a service provider or because the software security of our services or IT tools is handled internally, that doesn't necessarily mean that the hardware will be secure. I think we're going to see the relocation of certain things, but they will still be connected." Christophe Chaudier
"[...] There will be parts of data centers that will be connected to a larger cloud, and the cloud operator will operate all these different elements that will be remote."
Christophe Chaudier
In the second part of the webinar, we discussed data protection. Is there a consensus that everyone agrees on? Are we protected?
[#2] Are we in control of our data?
The Cloud Act corresponds to the digital territory of the United States, and only a decision by the US courts will allow access to data. This is theoretically feasible. "For me, the problem is that we accept that this is possible. We are giving up our sovereignty," says Christophe Chaudier. For the moment, there is no political discussion on this subject and the Cloud Act prevails.
"Even if we host our data with an operator using our own keys, at some point when we decrypt this data, the operator has access to these keys. For a few seconds, this data is available in the server's memory. This raises another issue: shouldn't we also encrypt the operator's memory?"
Abdelfettah SGHIOUAR
Just a few years ago, encryption was prohibited in France. Here again, a question must be asked: who has the authority to decrypt data? In the case below, the FBI asked Apple to unlock an iPhone as part of an investigation, and Apple refused. Ultimately, the FBI managed to decrypt the device without the company's help.
Beyond the legality of encryption, protecting data is everyone's business. Employees at a South African bank took the master key from a bank, causing millions of dollars in losses.
"The HMK is the key that protects all the keys, which, in a mainframe architecture, could access the ATM pins, home banking access codes, customer data, credit cards, etc.," the researcher told ZDNet.
You should never remove the root account key. It's obvious, yet many companies pay the price for this kind of trivial mistake. Is training or awareness better today? Should companies be required to raise awareness about cybersecurity?
"You need to learn about the legal aspects, not just the technical ones."
Christophe Chaudier
Some companies remain convinced that they are up to standard. For Abdel, a strategy is needed to help employees avoid basic mistakes. "The questions I ask my clients every day are: 'Is your developer's PC encrypted? Does it have a device to lock the computer after five minutes?'"
"DevSecOps is DevOps done right. It's not something separate. The security that works best is security that supports, not security that punishes."
Jordan Assouline
Security should not be counterproductive. "It's better to adopt best practices than to try to secure everything," adds Christophe.
Conclusion
The major trend in the cloud revolution is hybridization. Overall, companies like to have control over their infrastructure. Serverless is one of the emerging technologies, along with Knative and Edge Computing (and not just for gaming). On this point, the big issue is dependence on technology: even though we are on-premise, we have no guarantee that Intel or HP won't increase their prices.
In terms of governance, despite encryption and awareness-raising, this remains insufficient to protect our data. The question we must ask ourselves is: what will happen if governments want access to the data? Should we put an end to encryption?

