Introducing Evolve PavedCloud, a secure public cloud that could accelerate your digital transformation

Keith De Silva
Published in DBS Tech Blog
6 min read · Apr 26, 2023
Image: Evolve PavedCloud logo

At DBS, the cloud is a fundamental criterion and enabler of our digital strategy to make banking joyful for customers. It gives us on-demand capabilities, close to unlimited resources, and new technologies and services that are unavailable in traditional data centres, and it does so quickly, allowing us to innovate and experiment as and when necessary while optimising cost in a way that was traditionally not possible. Cloud enables rapid iterations of an idea without hefty upfront investments.

However, the shift to a cloud-native infrastructure and the relentless drive to innovate faster increases complexity and invariably introduces potential security weaknesses that push traditional security approaches to the limit.

To keep pace with the regulatory and industry security requirements, and to rapidly scale our cloud use, we designed PavedCloud, a developer-first continuous delivery engine for secure public cloud adoption.

The reality of public cloud adoption

Figure 1: Organisations are ultimately responsible for securing their applications on the public cloud

Public cloud opens the door to harnessing infrastructure and platform-level services and leveraging cutting-edge technologies such as serverless, artificial intelligence, advanced data analytics, and machine learning. However, it also represents a radical shift from the perspective of cybersecurity and necessitates a paradigm shift from perimeter security to service protection.

Under the shared responsibility model, the public cloud provider is responsible for the security of the cloud, but organisations ultimately bear the responsibility to secure their applications and data in the cloud. And as any developer would tell you, the portion that the customer is responsible for, such as identity, network exposure and service configuration, is by far the most targeted and exploited by bad actors.

Potential weaknesses most often stem from misconfiguration. A lack of controls and oversight, human error, insufficient cloud expertise among individual developers, and inconsistent policies across the software development lifecycle are frequently cited as the leading causes of cloud breaches. These issues pose a barrier to the general adoption of public cloud, especially for a bank like DBS where security is a top priority.

PavedCloud mitigates many of the above threats through controls that align with the industry and bank’s security standards, as well as architectural patterns that adopt best practice designs, to operate on public cloud securely and rapidly. The result is a consistent, enterprise-wide orchestration that supports agility at scale on the public cloud while meeting compliance and security standards.

Paving the way to a secure cloud

Figure 2: PavedCloud accelerates cloud adoption with governance at scale, shortening time to market

Conceptualised and built by our developers, PavedCloud provides a standard way to codify infrastructure and shorten the time-to-market. Designed as a reusable solution, it abstracts away the complexities that application teams would otherwise have to address individually, while ensuring repeatable secure deployments to avoid technical debt.

Using the Paved Road methodology, we ensure security, compliance, and quality by design, with an end-to-end view of governance and curated, tested implementations of solutions to common threats. PavedCloud integrates cloud security enforcement, infrastructure automation, and compliance detection. Its guardrails provide end-to-end coverage, from threat prevention (checks applied before provisioning) to detection (monitoring after application deployment). Because everything is expressed as infrastructure-as-code, application teams have full control over how they deploy without relying on secondary personnel, improving their time to market.

From a development perspective, developers choose from a collection of Service Packages (ServPacks) that let them access cloud services in a secure and compliant manner, architected to drive business outcomes. Developers first have to familiarise themselves with the ServPacks, learning how they work and how to use them, and ensure they have the ServPacks required for whatever it is they are developing.

In return, they benefit from advantages such as default controls that enforce industry-wide security standards, reducing the chances of misconfiguration. And because developers interact directly with PavedCloud instead of the public cloud, they avoid the steep learning curve inherent to having to master a new cloud platform. Moreover, ServPacks offer a consistent interface to develop new applications and serve as an immutable infrastructure for secure deployments.

PavedCloud was built out of necessity when we embarked on our public cloud journey in 2017. The initiative grew quickly and has since evolved into a full-fledged delivery engine that is now a key platform for developers at DBS. While there are many products that either focus on orchestration, security, or operations in the market today, PavedCloud remains unique in that it combines all three; there is nothing similar that is readily available.

Compliance by design

Figure 3: Developers and app teams get a head start in their public cloud adoption with PavedCloud

So how does a ServPack ensure compliance by design? A ServPack for a general compute instance, for example, comes with various services already aligned to DBS’ architectural standards for the best outcomes. It also contains our codified compliance controls, allowing our developers to quickly leverage them to develop the services they are tasked to build.

Similarly, a relevant ServPack is available for developers to easily implement advanced features such as load balancing and autoscaling. There is no need to manually code them — developers simply need to implement the applicable ServPack in their platform definition, and code their applications as usual.

We do pre-emptive threat modelling to identify the risks associated with each cloud service and its potential for misconfiguration, and for each misconfiguration risk we define controls that prevent or mitigate it. You might recall how multiple organisations experienced data leaks through misconfigured Amazon S3 buckets (AWS now enables Block Public Access by default on newly created buckets, but existing buckets and explicit overrides still need checking). With PavedCloud, we have already identified this in our threat models and implemented the appropriate controls to prevent such misconfigurations and protect our users against external threats.
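To make the "prevention before provisioning" guardrail concrete, here is an added example (written for this page, not PavedCloud's own code or a ServPack) of a policy-as-code check run over a Terraform plan before anything is created. It assumes the plan is the JSON produced by `terraform show -json`, that bucket names are known at plan time, and it uses made-up control identifiers (CTRL-S3-01 to CTRL-S3-03). The sample plan is constructed inline: one bucket that satisfies the controls and one that reproduces the classic public-bucket misconfiguration.

```python
"""Pre-provisioning guardrail for S3 buckets over a Terraform plan (illustrative example).

Control identifiers CTRL-S3-* and the plan contents are assumptions made for this example.
"""
import json

# Constructed sample input in the shape of `terraform show -json plan` output.
# Not taken from any real environment.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "logs"}}},
        {"address": "aws_s3_bucket_public_access_block.logs",
         "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["create"], "after": {
             "bucket": "logs", "block_public_acls": True, "block_public_policy": True,
             "ignore_public_acls": True, "restrict_public_buckets": True}}},
        {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "change": {"actions": ["create"], "after": {
             "bucket": "logs",
             "rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}}},
        # Misconfigured bucket: no public access block, no encryption, world-readable policy.
        {"address": "aws_s3_bucket.exports", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "exports"}}},
        {"address": "aws_s3_bucket_policy.exports", "type": "aws_s3_bucket_policy",
         "change": {"actions": ["create"], "after": {
             "bucket": "exports",
             "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::exports/*"}]})}}},
    ]
}

PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def planned_by_bucket(plan, resource_type):
    """Map bucket name -> planned ("after") attributes for every resource of one type.

    Resources being destroyed have no "after" state and are skipped.
    """
    out = {}
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") != resource_type or after is None:
            continue
        out[after.get("bucket")] = after
    return out


def grants_public_access(policy_json):
    """True if any Allow statement in an IAM policy document names everyone as principal."""
    try:
        doc = json.loads(policy_json)
    except (TypeError, ValueError):
        return False  # unparseable policy is reported separately by the IaC tooling
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]):
            return True
    return False


def evaluate_plan(plan):
    """Return a list of (bucket, control_id, message) findings; an empty list means the plan passes."""
    findings = []
    buckets = planned_by_bucket(plan, "aws_s3_bucket")
    blocks = planned_by_bucket(plan, "aws_s3_bucket_public_access_block")
    encryption = planned_by_bucket(plan, "aws_s3_bucket_server_side_encryption_configuration")
    policies = planned_by_bucket(plan, "aws_s3_bucket_policy")
    for name in buckets:
        block = blocks.get(name)
        if block is None or not all(block.get(flag) is True for flag in PAB_FLAGS):
            findings.append((name, "CTRL-S3-01", "public access block must enable all four settings"))
        if name not in encryption:
            findings.append((name, "CTRL-S3-02", "server-side encryption configuration missing"))
        policy = policies.get(name)
        if policy is not None and grants_public_access(policy.get("policy", "")):
            findings.append((name, "CTRL-S3-03", 'bucket policy grants access to Principal "*"'))
    return findings


if __name__ == "__main__":
    # Non-zero exit blocks the pipeline stage that would run `terraform apply`.
    results = evaluate_plan(SAMPLE_PLAN)
    for bucket, control, message in results:
        print(f"{control} {bucket}: {message}")
    raise SystemExit(1 if results else 0)
```

The check deliberately reads the planned state rather than the live account: a bucket that would be created public is rejected before it exists, which is the prevention half of the guardrail. The same control definitions can be re-run against the deployed configuration to provide the detection half.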

Threat modelling isn’t a one-time process, but rather part of our continuous maintenance of PavedCloud that’s incorporated into our process flow. As cloud providers launch new features and update their services, these are continually assessed to ensure they stay compliant in PavedCloud.

The road ahead

With its plug-and-play reusable architecture, PavedCloud helps our application teams increase their productivity, as they no longer need to engineer their applications from scratch. It also insulates them from the constant changes in the public cloud space and greatly reduces the learning curve for new public cloud platforms. And because each cloud infrastructure engineer can now support more systems, engineers can concentrate on higher-value work to drive innovation.

Today we have over 60 applications in production that run on PavedCloud. We plan to continue our work to keep PavedCloud up to date, not just with new features and controls as they are released by public cloud providers, but also with new controls for newly identified threats. On this front, all changes are automatically inherited when development teams redeploy their existing applications, giving them seamless upgrades.

We have every intention to keep using PavedCloud, and expanding its support for additional cloud platforms would allow us to integrate multiple clouds. We are also considering how we can engage and collaborate with the broader tech community in the development of PavedCloud.

With the common objective of capitalising on the benefits of cloud to boost productivity in the shortest time possible, PavedCloud is made possible by our talented developers, who specialise in infrastructure, platform architecture, and application development.

The cloud landscape continues to evolve at a breakneck pace, and we look forward to further tapping into the innovations and capabilities of the public cloud. It is an exciting time to be working on cloud technologies, and we are always on the lookout for new talents to solve new problems and help us along in this endeavour.

Keith De Silva is the Executive Director and Product Owner of Evolve PavedCloud at DBS Bank, delivering value and driving business outcomes for the bank using public cloud.
