Virtualization Technology News and Information
VMblog Expert Interview: DuploCloud Explores Security and Compliance, DevOps and Infrastructure-as-Code


Security and compliance are not one and the same. While both concepts help companies manage risk, one is a guideline and the other is its implementation.  
 
According to Venkat Thiruvengadam, founder and CEO of DuploCloud, an industry pioneer in no-code/low-code cloud automation and security, compliance will always be a few steps behind current threats. 

VMblog:  What is DuploCloud? How long has the company been in business and who is your target market?

Venkat Thiruvengadam:  DuploCloud is an end-to-end low-code/no-code DevOps automation and compliance platform, designed to make DevOps and Infrastructure-as-Code accessible for everyone. I was one of the original engineers at Microsoft Azure and AWS, where I saw Azure grow from a hundred-odd servers to millions of nodes in just a few years. After leaving Microsoft I realized that such hyperscale automation techniques had not made their way outside of companies like AWS, Microsoft, and Google. This led me to found DuploCloud in 2018 with a goal to bring the hyperscale automation techniques to mainstream IT.

DuploCloud is a software platform that helps companies, ranging from startups to publicly listed enterprises, that are building enterprise-grade applications or migrating to the cloud save time and money. The DuploCloud platform translates high-level application specifications into detailed and fully managed cloud configurations using best practices around security, availability, and compliance guidelines.

VMblog:  How are security and compliance factoring into DevOps teams? Are they responsible for building this into their apps?

Thiruvengadam:  While there are several best practices around how to configure a certain infrastructure, there are now industry-specific standards that govern how these configurations are to be made. A few examples are PCI in finance, HIPAA for health and NIST for the public sector. This has put pressure on DevOps, as now, in addition to operations and programming, they also need to have a deep understanding of various compliance controls. As if operations and programming were not sufficient in one human being, we are now asking them to be experts in infosec as well. At the end of the day, DevOps is responsible for the security of the infrastructure and has to do their bit to get the compliance certificate that the organization needs to do business.

VMblog:  How are security and compliance related, and where do they differ?

Thiruvengadam:  Security and compliance are not one and the same. While both concepts help companies manage risk, compliance is a guideline and security is the implementation of that guideline. Compliance is about a written standard which defines controls, but security can be abstract. One person's view of security best practices may differ from another's. That is where compliance standards come in and force a certain implementation. Some compliance standards, like NIST, PCI and HITRUST, are more prescriptive compared to, say, SOC 2, which is non-prescriptive. Compliance is a bit higher level; a security control is specific. For example, a compliance standard could say, "make sure your network infrastructure between production and non-production is segregated and separate," but the security implementation determines how it is segregated: through security groups, infrastructure-based, etc.

Now the main similarity is that both security and compliance are meant to manage risk. Compliance is a way of measuring security as well. The key difference is that security is an ongoing phenomenon, whereas compliance is simply a once-per-year certification process. For this reason, compliance will always be a few steps behind current threats. Of course, teams need to maintain compliance, which means making sure security controls are in place.
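The production/non-production segregation control mentioned in the answer above, translated into one concrete, repeatable check over security-group ingress rules. This is an added example by the editor; it is not part of the interview and not DuploCloud's code. The environment CIDRs, security-group names and rules are constructed for the demonstration, and the model (rules with a CIDR or a group id as source, groups tagged with an environment) is a deliberate simplification of a real cloud inventory. The point it makes is the one in the interview: the standard states the control once, but the check has to decide what "segregated" means concretely, here that no group admits traffic whose source overlaps another environment's address space or references a group tagged with another environment.

```python
"""Policy-as-code check for one compliance control:
"production and non-production networks must be segregated".

Added example (editor's code, not from the interview). All inventory
data below is constructed; the CIDRs and group ids are illustrative.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Set

# Assumed environment address plan (constructed).
ENV_CIDRS = {
    "prod":    [ip_network("10.10.0.0/16")],
    "nonprod": [ip_network("10.20.0.0/16")],
}


@dataclass
class Rule:
    protocol: str   # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    source: str     # a CIDR such as "10.10.5.0/24" or a group id such as "sg-..."


@dataclass
class SecurityGroup:
    sg_id: str
    env: str                                   # "prod" or "nonprod"
    ingress: List[Rule] = field(default_factory=list)


def envs_overlapping(cidr: str) -> Set[str]:
    """Environments whose address space overlaps the given CIDR.
    A wide source such as 0.0.0.0/0 overlaps every environment, so it can
    never satisfy the segregation control on its own; an external range
    that overlaps nothing is out of scope for this particular control."""
    net = ip_network(cidr, strict=False)
    return {
        env for env, nets in ENV_CIDRS.items()
        if any(n.version == net.version and n.overlaps(net) for n in nets)
    }


def source_envs(source: str, groups: Dict[str, SecurityGroup]) -> Set[str]:
    """Environments a rule's source can originate from."""
    if source.startswith("sg-"):
        # Group reference: take the referenced group's environment tag.
        # A group id missing from the inventory is treated as a foreign
        # "unknown" environment so that it is flagged rather than ignored.
        g = groups.get(source)
        return {g.env} if g else {"unknown"}
    return envs_overlapping(source)


def describe(r: Rule) -> str:
    return f"{r.protocol} {r.from_port}-{r.to_port} from {r.source}"


def check_segregation(groups: Dict[str, SecurityGroup]) -> List[dict]:
    """One finding per ingress rule that admits traffic from an environment
    other than the group's own. An empty list means the control holds
    for this inventory."""
    findings = []
    for sg in groups.values():
        for r in sg.ingress:
            foreign = source_envs(r.source, groups) - {sg.env}
            if foreign:
                findings.append({"sg": sg.sg_id,
                                 "rule": describe(r),
                                 "admits": sorted(foreign)})
    return findings


def sample_inventory() -> Dict[str, SecurityGroup]:
    """Constructed inventory: three violations, two of them subtle."""
    groups = [
        SecurityGroup("sg-prod-web", "prod", [
            Rule("tcp", 443, 443, "10.10.5.0/24"),      # prod subnet: fine
            Rule("tcp", 22, 22, "sg-nonprod-bastion"),   # nonprod bastion into prod
        ]),
        SecurityGroup("sg-prod-db", "prod", [
            Rule("tcp", 5432, 5432, "sg-prod-web"),      # prod web tier: fine
            Rule("-1", 0, 65535, "0.0.0.0/0"),           # world-open, overlaps nonprod
        ]),
        SecurityGroup("sg-nonprod-app", "nonprod", [
            Rule("tcp", 8080, 8080, "10.20.0.0/16"),     # nonprod only: fine
            Rule("tcp", 5432, 5432, "10.10.0.0/16"),     # prod range into nonprod
        ]),
        SecurityGroup("sg-nonprod-bastion", "nonprod", [
            Rule("tcp", 22, 22, "203.0.113.0/24"),       # external range: not this control
        ]),
    ]
    return {g.sg_id: g for g in groups}


if __name__ == "__main__":
    for f in check_segregation(sample_inventory()):
        print(f"{f['sg']}: '{f['rule']}' admits {', '.join(f['admits'])}")
```

Run stand-alone, the script prints three findings: the prod web group reachable from a non-prod bastion, the prod database open to 0.0.0.0/0 (flagged because that range overlaps the non-prod space, not only because it is world-open), and the non-prod application group accepting the entire prod range. The check is the kind of thing that can run on every change rather than once a year, which is the gap between a certification and an ongoing control that the interview describes.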

VMblog:  Why is compliance important to startups and SMBs? 

Thiruvengadam:  Security and compliance are necessary for every industry. In fact, 80% of data breaches are caused by human error. Although this is mostly true in larger companies compared to smaller ones, SMBs still critically need business process security policies, especially since startups that are selling to larger companies need to be compliant to even be considered. Lack of compliance can cause a company to come to a screeching halt when trying to go to market quickly. Organizations must put processes in place to determine how to identify and respond to threats as well as how to safely handle and dispose of data.

VMblog:  What are the current trends you're seeing around compliance standards/threats?

Thiruvengadam:  Meeting a compliance standard usually has three parts: process, documentation and control implementation. We are seeing that the process and documentation part is becoming easier with the advent of the category of automation solutions like Vanta, Drata, TugBoat, etc. Control implementation is now becoming harder because the standards are becoming more prescriptive, and hence adherence requires more work. Further, there is more visibility into compliance gaps, which puts pressure on the implementation team.

VMblog:  How has the DevOps skills shortage affected the need for no-code / low-code security & compliance solutions?

Thiruvengadam:  DevOps is a skill set that requires a single individual to be proficient in operations and security, as well as programming, i.e. Infrastructure-as-Code. These have traditionally been three independent job profiles. Developers are not operators. Operators' programming skills are limited to basic scripting, and most operators don't have a good grasp of compliance standards. DevOps automation is still largely DIY. With a low-code/no-code solution we can substantially reduce the required subject matter expertise. Younger and less expensive engineers can be trained to deliver an outcome that is far superior to a DIY system operated by expensive SMEs. An end user can choose to work no-code exclusively through the UI. Or one could use the low-code scripts that allow them to write 90% less code and not require any subject matter expertise in security or compliance, as that is all baked into the system.

VMblog:  Can you speak to Infrastructure-as-Code and where it's headed?

Thiruvengadam:  Infrastructure-as-Code (IaC) has gained wider adoption among DevOps teams (as it should have, given that it was a vast improvement on what was available at the time). IaC is still a programming tool that does not write itself. It is up to the DevOps engineer to interpret the application needs and compliance controls and then translate them into IaC code. DevOps is largely DIY and takes months to years. Also, IaC is great for creating one-time topologies, but making changes is very hard. With the rapid pace at which developers are fragmenting the application topology with microservices and the cloud providers adding new services daily, IaC in its current form won't scale. Already, hiring a good DevOps engineer who is proficient in IaC is very hard. IaC will need to evolve. It cannot be purely a client-side scripting tool. There cannot be so much DIY, and ongoing operations need to be easier.

I think we are headed into a new category of solutions that I would call DevOps-as-a-Service. Here one should be able to provide a higher-level specification and a reference to a compliance standard, and the system should be able to figure out the lower-level details, then build and operate the infrastructure. IaC would still remain as a user interface, but we see users being required to write a lot less code and needing a lot less expertise.

VMblog:  In a nutshell, what would be your recommendation to companies who are wanting to improve their security and compliance? 

Thiruvengadam:  Take an overarching approach to security and compliance. Understand the risks to your organization's data, and know your legal and regulatory obligations. Make security part of early provisioning workflows rather than a post-provisioning afterthought. Keep tabs on what is already available in the industry before attempting to build something in house.


Published Wednesday, August 10, 2022 7:32 AM by David Marshall