Tuesday 28 July 2020

Migrating to cloud increases productivity and lowers IT costs for SMB

Interviews with nine companies examined the impact on revenue as well as how long it took to recoup the investment in the cloud platform.

idc-googlecloudreport-2.jpg

IDC interviewed nine small- and medium-sized companies using Google Cloud Platform to understand how the cloud provider influences business agility, efficiency, and productivity. 

Image: IDC


IDC analysts Shari Lava and Matthew Marden shared the findings in the new report, "The Business Value of Improved Performance and Efficiency with Google Cloud Platform." The report was sponsored by Google Cloud. Developers, analysts, and IT teams are more efficient when working on Google Cloud Platform, according to a new analysis by IDC. The researchers interviewed nine small and midsize businesses to determine the impact of the cloud platform on IT costs, productivity, and business agility.

This increased productivity and efficiency helped the companies take advantage of new business opportunities and increase revenue as well. 

Other findings include:

  • 16% higher revenue per organization per year
  • 19% higher developer productivity
  • 26% lower IT infrastructure costs

This study included interviews with nine SMBs running most of their business workloads on Google Cloud Platform. On average, the companies have 87 employees and annual revenue of $10.5 million. The interviewed businesses have IT teams with 34 staff members on average, most of whom are focused on development efforts. Seven of the nine companies interviewed for the study shared their observations in the report, including:

  • Albo: Digital banking
  • Gesto: Artificial intelligence and gesture recognition
  • Grasshopper: Digital banking
  • idwall: Identity management
  • Logically: Artificial intelligence and information overload
  • SoundCommerce: E-commerce data analysis
  • WatchRX: Wearable for older adults 

The companies were based in Brazil, the US, Mexico, the United Kingdom, Australia, and Singapore that covered financial services, software, IT services, digital health, insurance, and technology.

Here are the details of how the companies used Google Cloud to boost efficiency and agility.

Increasing efficiency on the dev team 

The IDC analysts found that businesses using Google Cloud Platform had these benefits in the development life cycle:

  • 21% faster deployments for new applications
  • 34%  faster for new features

The businesses in the report also were able to release more new features each year, going from an average of 86 features before using Google Cloud to 166 after switching to that platform.

The report authors said that these improvements reflect increased value for SMB development teams:
"For small and medium-sized businesses, it is essential that they maximize the value of these teams as they are closely linked to their ability to serve customers and their other employees, as well as compete against larger companies with more resources."

IDC found that the companies interviewed for the report had an increase in productivity for their development teams of 19%, which represents the equivalent of more than four additional development team members.

Several companies interviewed for the report said that using the Google Cloud Platform made it easier to implement more DevOps approaches to software development.

T-Kiang Tan, the chief investment officer at Grasshopper, said in the report that Google Cloud has allowed developers and researchers to be more responsive to business needs and spend less time on infrastructure issues.

"For developers, having the infrastructure available to them makes it easier for them to experiment because they don't have to worry about capacity," Tan said. "They're around 20% more productive." 

Faster response to new customer demands

They are realizing higher revenue by better addressing business opportunities and enabling faster delivery of new applications and services. Interviewed companies are competing to gain a foothold or expand their businesses in competitive markets in which they must be able to seamlessly deliver products and services to their customers.

Gabriel Prado, the chief technology at idwall, said in the report that Google Cloud allows his company to make decisions in real time because there is no lag in collecting information.

In addition to benefiting tech teams, the researchers found that end users saw benefits as well with a 53% higher level of productivity for analytics teams. 

"We used to spend a lot of time correcting data, so the data platform with Google has been a big improvement," Prado said.  

Lower infrastructure costs

The report found that IT infrastructure costs were 26% lower among the nine companies in the survey. Several study participants listed automated patching, the use of prefigured virtual machines, and autoscaling with Kubernetes Engine as key tools in optimizing IT infrastructure costs. 

Also, Roberto Gaziola Junior, chief technology officer at GESTO, said in the report that Google Cloud's serverless features are cheaper than the other cloud platforms the company considered.

"We run and then destroy virtual machines on a regular basis, so serverless saves us money," he said. 

ROI analysis 

Although many companies deal with stalled cloud projects and spend more than anticipated, IDC found that the companies in this report achieved a three-year ROI of 222% and broke even on their cloud investment in eight months.

IDC analysts used a three-step process to calculate the ROI and payback period: 

  1. Gathered quantitative benefit information during the interviews using a before-and-after assessment of the impact of using Google Cloud Platform.
  2. Conducted a three-year total cost analysis profile based on the interviews, which included additional costs related to migrations, planning, consulting, and staff or user training.
  3. Calculated the ROI and payback period via a depreciated cash flow analysis of the benefits and investments for the organizations' use of Google Cloud Platform over a three-year period.

Sunday 5 July 2020

Need of Security for Serverless Architectures

Serverless architectures (also referred to as “FaaS” - Function as a Service) enable organizations to build and deploy software and services without maintaining or provisioning any physical or virtual servers. Applications built using serverless architectures are suitable for a wide range of services, and can scale elastically as cloud workloads grow while also helping developers concentrate on writing business logic without having to manage the hosting and infrastructure.
A serverless architecture can be used to solve many different problems and use cases, for example as a backend service for a Web Application. Indeed, serverless applications are becoming very popular. However, serverless has some unique security issues. In this article, we’ll explore a few security challenges from injection attacks, and discuss the best practices to resolve them.


The following image, demonstrates the shared security responsibilities model, adapted to serverless architectures:
In serverless architectures, the serverless provider is responsible for securing the data center, network, servers, operating systems and their configurations. However, application logic, code, data and application-layer configurations still need to be robust and resilient to attacks, which is the responsibility of application owners.


The comfort and elegance of serverless architectures is not without its drawbacks.
Below are the Serverless Architectures Security Top 10 List where SAS-1 indicates the most critical risk, and SAS-10 the least critical risk:

SAS-1: Function Event Data Injection
Serverless functions can consume input from each type of event source, and such event input might include different message formats, depending on the type of event and its source. In the context of serverless architectures, function event-data injections are not strictly limited to direct user input, such as input from a web API call. The various parts of these event messages can contain attacker-controlled or otherwise dangerous inputs.

SAS-2: Broken Authentication
A weak authentication implementation might enable an attacker to bypass application logic and manipulate its flow, potentially executing functions and performing actions that were not supposed to be exposed to unauthenticated users.

SAS-3: Insecure Serverless Deployment Configuration
One extremely common weakness that affects many applications that use cloud-based storage is incorrectly configured cloud storage authentication and/or authorization. Since one of the recommended best practice designs for serverless architectures is to make functions stateless, many applications built for serverless architectures rely on cloud storage infrastructure to store and persist data between executions. With insecure cloud storage configurations, sensitive confidential corporate information to unauthorized users can be exposed. 

SAS-4: Over-Privileged Function Permissions & Roles
Serverless applications should always follow the principle of "least privilege". This means that a serverless function should be given only those privileges, which are essential in order to perform its intended logic. In a system where all functions share the same set of over-privileged permissions, a vulnerability in a single function can eventually escalate into a system-wide security catastrophe.

SAS-5: Inadequate Function Monitoring and Logging
While many serverless architecture vendors provide extremely capable logging facilities, these logs in their basic/out-of-the-box configuration, are not always suitable for the purpose of providing a full security event audit trail. In order to achieve adequate real-time security event monitoring with proper audit trail, serverless developers and their DevOps teams are required to stitch together logging logic that will fit their organizational needs.

SAS-6: Insecure 3rd Party Dependencies
Oftentimes, in order to perform a single discrete task, the serverless function will be required to depend on third party software packages, open source libraries and even consume 3rd party remote web services through API calls which can become vulnerable when importing code from a vulnerable 3rd party dependency.

SAS-7: Insecure Application Secrets Storage
As applications grow in size and complexity, there is a need to store and maintain "application secrets". Storing these secrets in plain text as environmental variables is also a common mistake where environment variables can leak and reach the wrong hands.

SAS-8: Denial of Service & Financial Resource Exhaustion
While serverless architectures bring a promise of automated scalability and high availability, they do impose some limitations and issues which require attention. We have seen a dramatic increase in the frequency and volume of Denial of Service (DoS) attacks. Such attacks became one of the primary risks facing almost every company exposed to the Internet.

SAS-9: Serverless Function Execution Flow Manipulation
Manipulation of application flow may help attackers to subvert application logic. Using this technique, an attacker may sometimes bypass access controls, elevate user privileges or even mount a Denial of Service attack.

SAS-10: Improper Exception Handling and Verbose Error Messages
Some developers adopt the use of verbose error messages, enable debugging environment variables and eventually forget to clean the code when moving it to the production environment. Verbose error messages such as stack traces or syntax errors, which are exposed to end users, may reveal details about the internal logic of the serverless function, and in turn reveal potential weaknesses, flaws or even leak sensitive data.


For all Internet-facing applications, robust security is essential.

As many organizations are still exploring serverless architectures, or just making their first steps in the serverless world, we believe that securing them is critical for their success in building robust, secure, and reliable applications. We believe it is essential to scrub all HTTP/S traffic using a unified cloud-based platform that includes a next-generation WAF, DDoS protection, advanced bot management and mitigation, API security, and much more.
However, serverless architectures raise an additional question. What about events that can trigger functions directly? For example, let’s say a Lambda function is written that will process files which are uploaded to an S3 bucket. In this case, protection is not provided, and malicious user activity could result in a security compromise because the event data does not pass through the WAF for processing.
In cases like these, a small amount of effort can provide large security dividends. Although it is convenient to allow users to trigger functions when they utilize backend services, a more optimal approach is to structure functions so that user inputs always pass through the Web Application Firewall (WAF) to examine the results of all events, and defeat injection attempts.
Taking this approach offers significant leverage. A modest effort creates a large payoff—a more robust security profile.



Home Automation Ideas

  Home automation is much more than a one-trick pony. When you build on a strong foundation, such as an Solar Panel t hat powers your whole ...