In the early years of IT, security was often an afterthought. Take email, for instance; since its inception, it has had layers of security patched on like an old but much-loved pair of jeans. Its creators could have barely imagined how integral email would become to our lives or how malicious attackers, spoofing your email address, would try to defraud you!

Over the years, attackers have become more and more sophisticated, culminating in the Solar Winds attack at the end of last year and, more recently, the global Microsoft Exchange Server hack which put over a hundred thousand businesses at risk.

There is no doubt that cloud technologies are hugely powerful, but their distributed nature makes them complex and difficult to secure. As a result, automation becomes the only serious way to manage cloud. Today this is achieved with Infrastructure-as-Code (IaC), but this introduces yet another vector for security threats — misconfiguration.

According to IDC research commissioned by Ermetic, 8 in 10 companies across the United States have experienced a data breach related to misconfiguration of their cloud systems. Of the 300 CISOs that participated in the survey, security misconfiguration was the top concern associated with cloud production environments.

Moving away from a traditional, centralised datacentre model to a highly scalable, global and distributed cloud approach requires us to re-draw the security battle lines and build defence-in-depth.

Defence-in-Depth Starts by Shifting-Left

Historically, dedicated security teams would review infrastructure designs to ensure they met the security compliance standards of the organisation and provide recommendations and amendments to the architecture and development team.

This process is often time-consuming and doesn’t move at the speed of the cloud, slowing teams down and increasing the cost of the project. The other problem is that cloud systems have become increasingly complex.

With multiple teams working on different parts of a globally distributed infrastructure and the introduction of ephemeral systems, traditional security tools and processes are no longer fit for purpose.

To solve these problems, the security industry has begun advocating for a shift-left approach. The process of moving security and compliance checks to the very beginning of the cloud design and deployment workflow, baking in security from the very start.

Patching IaC — Code Scanners

IaC promised to be a panacea for the complexity of cloud management by applying all the advantages of software engineering — versioning, code reuse, collaboration and automation. The reality is that it has only raised the technical barrier to entry.

Engineers now need coding skills to manage and deploy complex cloud infrastructures. This step-up in technical expertise also increased the likelihood of security misconfiguration being baked into code templates.

To solve the security problem, IaC scanners emerged. These scanners can be used at the command line or integrated into CI/CD processes to ensure that code templates are scanned for issues before they are deployed, shifting security left of the workflow and helping keep your infrastructure safe.

Whilst code scanners can flag security issues with IaC, engineers still need the technical expertise to write IaC in the first place, making the adoption of shift-left security much more difficult.

Draw Don’t Code — Cloud Maker Overwatch

Enter Diagram Driven Infrastructure, or DDI. Now there is a new, much easier way to automate the design, security validation and deployment of cloud systems without wrestling with IaC.

Instead of working directly with code templates, which are hard to write and become challenging to maintain, DDI allows the cloud infrastructure to be modelled visually. This gives engineers a detailed view of all pieces of a cloud environment in a single pane of glass. DDI makes shifting the security of your infrastructure left as easy as drawing a diagram.

Cloud Maker, with its visual Overwatch security scanner, means cloud diagrams can be scanned in real-time as you draw, visualising security issues across the whole system and then providing guidance on the best way to fix them.

Overwatch takes the latest security guidance from the likes of Microsoft and CISA and turns these into security definitions, which are applied to your Cloud Maker diagram as you draw and configure.

Cloud Maker and Overwatch are part of a new generation of automation technologies that takes all the lessons learnt from IaC and shift-left security and bakes them into a next-generation interface to the cloud.

Azure Sentinel — Protecting Your Right Flank

While Cloud Maker Overwatch makes taking a shift-left approach easy, it’s still critical to maintain real-time security scanning of live environments to monitor for rapidly emerging threats.

This is where Security Information and Event Management (SIEM) comes in. Historically SIEM involved dumping security logs into a data warehouse and querying this data to look for attack-related events.

However, with the sheer volume of data created by modern, highly complex cloud systems, the only feasible way to monitor, detect and intervene today is with machine learning.

One such machine learning-based SIEM platform is Azure Sentinel that provides real-time scanning and automated mitigation of security issues. Underpinned by the vast horsepower of Microsoft Azure and Microsoft’s leading AI expertise, Sentinel can process almost limitless volumes of security data in real-time.

Cloud Maker combined with Azure Sentinel is a powerful capability that not only lets you shift left but ensures you continue to protect your right flank.

The Path to DevSecOps

DDI unlocks the ability to manage complex cloud systems. It also enables the ability to shift security left easily. In today’s world, cloud systems can be drawn as a diagram and configured visually. Automated security checks like those provided by Cloud Maker Overwatch can then ensure that security issues are detected and resolved before they have a chance of being deployed.

When shift-left security is combined with real-time scanners like Azure Sentinel, you have multi-layered threat detection over the entire life cycle of the system, leading to threats being mitigated as early as possible and vastly reducing the chances of a breach occurring. This process of continuous development, security monitoring and operations has become known as DevSecOps and is the next frontier of cloud automation and security.

If you’re building systems in the cloud today, your best option is to prepare for battle, build defence-in-depth and shift-left.

To find out how Cloud Maker Overwatch can help keep you secure, shift-left and adopt DevSecOps, head over to https://cloudmaker.ai and sign up for a free trial today.

Is Your Cloud Secure? was originally published in Cloud Maker on Medium, where people are continuing the conversation by highlighting and responding to this story.

I previously imagined a world where designing, deploying and managing cloud technologies was as simple as drawing a diagram. A world where Diagram-Driven-Infrastructure (DDI) would enable IT Pros, as well as software engineers, to adopt the power of cloud technologies quickly and easily.

Since launching Cloud Maker, from private beta to general availability, we have had thousands of pieces of amazing feedback from our users. Two things really stood out when we asked our users what they needed when designing cloud systems: the ability to work collaboratively with co-workers and ensuring those cloud systems that were being designed were secure.

I’m incredibly excited to announce the next step in helping our users achieve these goals. Today, we’re releasing our new pricing plans, which now come with bundled user accounts, to give even more members of your team access to Cloud Maker. We are also celebrating the launch of our brand new security scanning capability: Cloud Maker Overwatch. Now you can shift security left, and ensure that vulnerabilities are closed down at design time!

Why Diagram Driven Infrastructure is the future

Until now, to deploy cloud infrastructure reliably, repeatably, and at scale, engineers would have to adopt Infrastructure-as-Code and CI/CD orchestration tools.

This is exemplified by Microsoft’s crawl, walk, run methodology, which advocates for engineers to start in the Azure portal and work up to Infrastructure-as-Code and CI/CD as their experience grows.

However, there are significant hurdles to the adoption of Infrastructure-as-Code and CI/CD tools. Not only are they complex technologies that require engineers to have the skill and knowledge of a software engineer, but code templates are hard to manage. What’s more, it’s easy to introduce security vulnerabilities through poor configuration — security tokens left in templates anyone?

DDI can solve all these problems, as well as, lower the bar to entry for IT Pros, and speed up engineers with existing cloud automation skills.

Instead of learning a complex new code language and managing CI/CD systems, DDI enables IT Pros and engineers to work in a language they already know: diagrams!

Now cloud architectures can be mapped out visually, with dependencies clearly visible. Configuration can be applied in an easy to use graphical user interface, with always-on validation providing checks on configuration best practice and security.

Once the diagram and configuration have been completed, the machine can do all the heavy lifting of converting to Infrastructure-as-Code and deploying in a CI/CD methodology at the click of a button. No new coding skills required, no complex systems to manage!

Securing your cloud future

In light of the recent SolarWinds hack, IT security has been brought sharply back into focus. While security has always been a key ingredient, historically it’s been common practice to scan IT environments for poor configuration and security vulnerabilities after they’ve been deployed.

However, this is a bit like closing the stable door after the horse has bolted. Attackers are becoming ever-more sophisticated, using automation to quickly identify vulnerable systems as soon as they are plugged into the Internet. This means security scanning post-deployment alone is no longer a valid option.

That’s why the security industry is advocating for a shift-left approach. Moving scanning and vulnerability detection left of the cloud workflow to the design stage. This allows for security vulnerabilities and poor configuration to be identified before deployment!

DDI platforms like Cloud Maker are perfectly placed to enable a shift-left, design-time approach to security. That's why I’m incredibly excited to be able to announce Cloud Maker Overwatch. This new capability will scan your Cloud Maker blueprint and identify security issues within your design and configuration prior to any deployment to the cloud.

We’re just getting started!

If you would like to benefit from the power of DDI, don't hesitate to sign up at cloudmaker.ai. We’re just at the start of delivering our vision to unlock the cloud for everyone. Security is the next step, and we have more exciting features coming soon that will continue to supercharge your cloud workflow!

Diagram Driven Infrastructure was originally published in Cloud Maker on Medium, where people are continuing the conversation by highlighting and responding to this story.

One of our core missions at Cloud Maker is to simplify cloud design and deployment. But if users can’t even find the cloud components they need, then the design process is slowed significantly.

We’re solving this problem a number of ways, firstly through our ML powered suggestion engine. Our system analyses how each engineer likes to design their cloud solution and then, at each step of the design process, surfaces up the cloud component it thinks they will need next. But sometimes, this isn’t enough, and at this point a powerful search capability is required to enable rapid retrieval of the required component for the user.

On the surface, search may seem like a simple problem to solve. But once you start to consider the hundreds of cloud components required – with each being known by either their formal or colloquial name – whilst also factoring in spelling mistakes and partial searches, it’s clear that the problem becomes much more challenging.

First Take

To solve this problem, we turned to Azure Search — a fully managed, global scale, search service. Getting up and running was pretty straight forward, all we needed to do to start was provision an Azure Search service, then create an index and upload our data.

This is what our initial index definition looked like:

{
  "name": "droplets",
  "fields": [
    {
      "name": "id",
      "type": "Edm.String",
      "retrievable": true,
      "searchable": false,
      "filterable": false,
      "sortable": false,
      "facetable": false,
      "key": true
    },
    {
      "name": "fullName",
      "type": "Edm.String",
      "retrievable": true,
      "searchable": true,
      "filterable": false,
      "sortable": false,
      "facetable": false,
      "key": false
   }
  ],
  "corsOptions": {
    "allowedOrigins": ["https://app.cloudmaker.ai"]
  }
}

We then hooked up the search service to Cloud Maker, and used full text search with fuzzy search to allow for spelling mistakes. To do this, Cloud Maker makes requests to the Azure Search service instance enabling the “full” query type, and also appending the tilde (~) symbol on each search term enabling fuzzy search.

For example the following web request would successfully give us the result the user was looking for — in this case, a virtual machine component.

POST https://{{serviceInstance}}.search.windows.net/indexes/droplets/docs/search?api-version=2015-02-28&queryType=full
{
  "search": "virtul~ machnie~"
}

This works great, but it relies on people typing whole words for the components they are searching for. We need to make it easier for our users, and let them find things by typing only a few characters. For example if someone writes “virt” we wanted to start giving them accurate results back.

Adding Partial Word Matching

Achieving this requires a deeper understanding of how a search engine works and then configure the engine to do more heavy lifting to return the correct results to the user.

Firstly, when the search index is being built, the engine analyses the data, breaking down text into elements. For example, with the default analyser, if the name is “Virtual Machine” it will be broken down to “virtual” and “machine”. A similar process happens at query time.

Note that this only splits up full words. We want to be able to split it into smaller parts so that incomplete words are found easily.

In order to do that, we need to change the default index analysis behaviour to use an edge n-gram tokenizer which will emit “n-grams” for each word. In our example, and if we set the minimum length to be 2, “virtual machine” will give us “vi”, “vir”, “virt”, “virtu”, “virtua”, “virtual”, “ma”, “mac”, “mach”, “machi”, “machin”, “machine”.

We only need to do that at index time, not at query time. This is because we don’t want to be searching for all n-grams — it would make the query complex and we’d get back odd results. To achieve this, we need to use different analyzers for index and search.

We introduced a new field that indexes these fragments — the partialName field.

This is the updated index definition:

{
  "name": "droplets",
  "fields": [
    {
      "name": "id",
      "type": "Edm.String",
      "retrievable": true,
      "searchable": false,
      "filterable": false,
      "sortable": false,
      "facetable": false,
      "key": true
    },
    {
      "name": "fullName",
      "type": "Edm.String",
      "retrievable": true,
      "searchable": true,
      "filterable": false,
      "sortable": false,
      "facetable": false,
      "key": false
    },
    {
      "name": "partialName",
      "type": "Edm.String",
      "retrievable": false,
      "searchable": true,
      "filterable": false,
      "sortable": false,
      "facetable": false,
      "key": false,
      "searchAnalyzer": "standardCmAnalyzer",
      "indexAnalyzer": "prefixCmAnalyzer"
    }
  ],
  "corsOptions": {
    "allowedOrigins": ["https://app.cloudmaker.ai"]
  },
  "analyzers": [
    {
      "name": "standardCmAnalyzer",
      "@odata.type": "#Microsoft.Azure.Search.CustomAnalyzer",
      "tokenizer": "standard_v2",
      "tokenFilters": ["lowercase", "asciifolding"]
    },
    {
      "name": "prefixCmAnalyzer",
      "@odata.type": "#Microsoft.Azure.Search.CustomAnalyzer",
      "tokenizer": "standard_v2",
      "tokenFilters": [ 
        "lowercase",
        "asciifolding",
        "edgeNGramCmTokenFilter"
      ]
    }
  ],
  "tokenFilters": [
    {
      "name": "edgeNGramCmTokenFilter",
      "@odata.type": "#Microsoft.Azure.Search.EdgeNGramTokenFilterV2",
      "minGram": 2,
      "maxGram": 20
    }
  ]
}

It’s worth noting that when uploading data to the index, the partialName field needs to get the same data as the fullName field.

If you’d like to understand more about the above setup, it’s worth reading this page from the Azure Search documentation.

Fine Tuning Our Solution

With this setup we were getting fast prefix matching. For example, someone would type “virt” and they’d get items with the word “virtual” in their name. However, when it came to exact matches, the results were a little bit odd.

To fix that, we needed our index to treat exact matches as more important than partial matches. Azure Search exposes the idea of a scoring profile, so we can easily set up the index to give more weight to results coming from the fullName field. We choose a two to one weight ratio for fullName to partialName matches.

Here’s the updated, and final index definition:

{
  "name": "droplets",
  "fields": [
    {
      "name": "id",
      "type": "Edm.String",
      "retrievable": true,
      "searchable": false,
      "filterable": false,
      "sortable": false,
      "facetable": false,
      "key": true
    },
    {
      "name": "fullName",
      "type": "Edm.String",
      "retrievable": true,
      "searchable": true,
      "filterable": false,
      "sortable": false,
      "facetable": false,
      "key": false
    },
    {
      "name": "partialName",
      "type": "Edm.String",
      "retrievable": false,
      "searchable": true,
      "filterable": false,
      "sortable": false,
      "facetable": false,
      "key": false,
      "searchAnalyzer": "standardCmAnalyzer",
      "indexAnalyzer": "prefixCmAnalyzer"
    }
  ],
  "corsOptions": {
    "allowedOrigins": ["https://app.cloudmaker.ai"]
  },
  "analyzers": [
    {
      "name": "standardCmAnalyzer",
      "@odata.type": "#Microsoft.Azure.Search.CustomAnalyzer",
      "tokenizer": "standard_v2",
      "tokenFilters": ["lowercase", "asciifolding"]
    },
    {
      "name": "prefixCmAnalyzer",
      "@odata.type": "#Microsoft.Azure.Search.CustomAnalyzer",
      "tokenizer": "standard_v2",
      "tokenFilters": [ 
        "lowercase",
        "asciifolding",
        "edgeNGramCmTokenFilter"
      ]
    }
  ],
  "tokenFilters": [
    {
      "name": "edgeNGramCmTokenFilter",
      "@odata.type": "#Microsoft.Azure.Search.EdgeNGramTokenFilterV2",
      "minGram": 2,
      "maxGram": 20
    }
  ],
  "scoringProfiles": [
    {
      "name": "exactFirst",
      "text": {
      "weights": {
        "fullName": 2,
        "partialName": 1
      }
    }
  }
  ],
  "defaultScoringProfile": "exactFirst"
}

Final Thoughts

Azure Search is a great service that allows engineers with not much knowledge on search technologies to implement search functionality in their apps quickly. Adding partial word matching is a bit more challenging, but hopefully this post makes it easier to understand and implement.

To see our search index in action, head over to Cloud Maker and sign up for an account today.

Azure Search: Implementing Partial Word Search was originally published in Cloud Maker on Medium, where people are continuing the conversation by highlighting and responding to this story.

The world is changing, and the rate of change is only increasing. At eight years old I remember playing my very first computer game, simple pixels that moved around the screen. I never could have believed that 28 years later I would be involved in building next generation cloud systems, including a cloud DNA analysis solution that has cut law-enforcement crime-scene DNA analysis from two days to just 90 minutes, or building an encrypted cloud communications platform to assist teams evacuating foreign nationals at the height of the Arab Spring.

The Digital Revolution ushered in incredible changes, a lot of which we couldn’t have imagined. From powering the moon landings in 1969, to enabling instant, real-time communication across 4,000 miles with the click of a mouse and tap of a keyboard, thanks to the invention of the Internet.

But instead of seeing this new technology as an untold opportunity, many people feared it. They had an inherent distrust of a technology they didn’t fully understand, and they certainly couldn’t comprehend the potential positive impact it could have on their lives.

Fast forward to 2019 and we are now at the start of the next industrial revolution — the 4th since it all kicked off in Georgian times. We’ve come a long way since the birth of factories and the dawn of the steam engine — we’re now blurring the lines between physical, digital and biological technologies. But we’re still seeing many of the same anxieties and suspicions today that existed during the 18th and 19th century transformations.

Back then it was textile workers fearing the introduction of automated textile manufacturing, whereas now autonomous cars, drones, robots — previously the domain of science fiction — conjure up terrifying images of James Cameron’s Terminator, where intelligent robots are out to destroy the human race. Or even worse, steal our jobs!

However, the reality is that cloud, AI and cyber-physical technologies are in fact solving some of the greatest and most valuable challenges faced by the human race. Deep learning algorithms can now detect potential breast cancer tumours from a mammogram with a 97% accuracy and reduce unnecessary biopsies by 30%¹. Technologies such as DeepMind’s AlphaFold are using deep learning and neural networks to solve the ‘Protein Folding Problem’ and help find a cure for diseases such as Alzheimer’s, Parkinson’s, Huntington’s and Cystic Fibrosis². And it’s not just in the medical field — automation, AI and cyber physical systems are helping us across every industry from business, manufacturing, education, transport and the environment.

Yes, automation will ultimately reshape our labour markets, but historical analysis shows that more jobs are created around these new industries than are lost due to new technologies. However, it’s not the number of jobs available, which are the concern. Rather, whether the workforce has the technological ability to do them — the reality is that as the labour market evolves, many are left behind. While this used to only apply to low-skilled jobs being automated away, the truth is that this now applies across all industries — even ones previously considered high-skilled.

Take the IT industry itself — historically the domain of highly-skilled IT engineers used to building complex physical IT systems. With the dawn of the cloud and the emergence of AI, Big Data and elastically scalable systems distributed across the globe, it’s no longer enough to be an IT Infrastructure Engineer that can build out a physical server infrastructure in a data centre. Modern IT engineers now have to have an understanding of thousands of cloud resources, and know how they go together across multiple cloud providers. Once they have designed a cloud solution from the list of cloud resources, they must then convert this to software code so it can be deployed into the cloud environment of choice.

The reality? There are very few cloud engineers in the IT industry capable of doing this³. This leaves businesses with a huge skills headache⁴ — the very best engineers command the highest salaries but are hard to find and there’s not enough of them to deliver the demand for cloud. And for those who can’t adapt their skills to the cloud, write code and deploy complex solutions, the future is bleak.

The risk of technological change is that we end up in a two-tier world — those with the knowledge, ability and means to access and benefit from the 4th industrial revolution, and those that are left behind. But it doesn’t have to be this way, and in fact the very thing that threatens to disenfranchise so many, has the ability to enable us all. If the power of the cloud, AI and cyber-physical systems can be used to augment our existing skills and capabilities, we can empower everyone.

For instance, imagine a world where the IT engineer can utilise their existing skills, and AI can translate the language of a traditional engineer into the language of the cloud. Or where AI can guide the engineer to a validated cloud solution design and help them create a functional cloud architecture diagram. What if an AI powered translation engine could automatically translate the design to code on any cloud? Imagine a world where the engineer only needs to press a button and AI will do the heavy lifting, deploying the complex cloud solution automatically.

At Cloud Maker we’re not just imagining this world, we’re making it a reality. Our vision is to contribute to a world where assistive AI enables the human race to do more, closing the skills chasm and democratising the cloud for everyone.

If you’re interested in coming on this journey with us, visit us at cloudmaker.ai

Nick Smith is co-founder and CEO of Cloud Maker and previously founded leading cloud solution provider Extrinsica Global.

[1]: MIT News. Adam Conner-Simons (October 16, 2017)
http://news.mit.edu/2017/artificial-intelligence-early-breast-cancer-detection-1017

[2]: DeepMind AlphaFold: Using AI for scientific discovery
https://deepmind.com/blog/alphafold/

[3]: RightScale 2018 State of the Cloud Report
https://assets.rightscale.com/uploads/pdfs/RightScale-2018-State-of-the-Cloud-Report.pdf

[4]: OpsRamp Cloud Skills Survey
https://info.opsramp.com/cloud-skills#top

Cloud Maker: Bridging the Divide was originally published in Cloud Maker on Medium, where people are continuing the conversation by highlighting and responding to this story.