This strategy may incur hidden costs that directly affect the cloud spend and security posture of an organization. For instance, resources may be orphaned, in particular POC infrastructure or temporary resources. In-flight automation work on DevOps/SecOps/SRE automation may be abandoned leaving orphaned manual tasks and creating blindspots in these practices.
Even in the case where the offboarding of resources is well handled such that all resources and tasks are either eliminated or rehomed, there may still be waste. The 2021 Flexera report estimated $14.1B of cloud waste exists. This is attributed to ~30% waste on average for enterprise level consumers. The same report concludes that 31% of enterprises spend over $12M per year on public cloud. Which means that many enterprises could save an additional $3.6M per year just by addressing this waste.
In this climate we believe good FinOps and SecOps practices are imperative for organizations to maintain velocity while operating efficiently and securely in the cloud. The good news is: one there is money to be saved and there is low hanging fruit; two DevSecOps implementations embed tooling and security culture into your SDLC workflows.
Velocity is the amount of money an enterprise is spending on the cloud and acceleration is the rate at which that spend is increasing. We propose that organizations address these two components in a variety of ways.
First, enterprises should invest in pre-paid compute with their CSP. As an example AWS customers can save 37%, using the brokerage usage.ai, with only monthly commitments. This could be a savings of approximately $0.5M if we assume that 33% of an enterprise spend is on compute. Savings as high as 50% are possible with longer term commitments to the CSP directly.
Second, enterprises should implement temporal shutdown policies for lower environments and developer machines. A simple example would be suspending the development environment and developer VMs from 9PM to 5AM, thus saving 33% of the spend on these services. Lastly, underutilized resource reporting should be implemented and all non-essential resources removed.
Organizations must also address the issue of organic growth through multiple automation channels. The best approach is to implement resource policies that allow governance of developer spend and access. This allows alerting or termination when developers violate policy as well as reducing access to costly resources without direct oversight from management.
To go after the rest of the savings organizations need deep custom analysis. The approach Callaway Cloud takes is to deeply understand your systems and make recommendations for modernization and architectural changes that will reduce the cloud spend without impacting platform performance. In addition to our recommendations we offer implementation teams to help drive change within your organization.
The Palo Alto Networks report concluded 90% of organizations cannot detect, contain and resolve cyber threats within an hour. Additionally, a large majority (78%) of organizations said they have distributed responsibility for cloud security to individual teams, but almost half (47%) said a majority of their workforce does not understand their security responsibilities.
The cost of a security breach is often immeasurable.
While the obvious repercussions from clients or loss of data/capital can be measured the impact in reputation is often far greater. With the reduction in headcount across the industry enterprises must ensure that their security posture is enforced.
The DevSecOps approach implements security gating for every part of the SDLC and CI/CD process. These gates ensure that the security posture is enforced and the integrations allow the SecOps stakeholders to continuously evaluate and report status fleet-wide. The added benefit of the DevSecOps approach is that it forces developers to be aware of security requirements in a prescribed manner and shifts security left.