Migrating and updating legacy applications can be complicated, time consuming, and expensive. You’ve undoubtedly heard the noise that cloud native is the future of applications and infrastructure, but does that ring true for every business, for every workload?
Join Mirantis’ own Adam Parco, Shaun O’Meara, and Nick Chase — along with special guest Alex Williams, Founder and Publisher of The New Stack — for an informative discussion on the true business value of migrating legacy applications to cloud native.
Addressing security and compliance
Nick Chase: So what do you guys think? How can we address the security and compliance issues in this move?
Shaun O’Meara: So I think that’s one of the core things that we have to take into account with all these changes is the culture of the organizations that are dealing with us. I’m going to give a bit of a broad answer before I cut into this, but ultimately, security and compliance is a mixture of technology and people, and it’s how we apply that. The change to being able to take advantage of these technologies, these programmable nodes, being able to distribute applications and systems very widely across — you know, in the past we had big data centers with seven layers of security, everything from blast fences or track proof fences through to air-locked bomb doors in our data centers. We don’t have that necessarily anymore. I mean, a node can be an IoT device hanging off a telephone pole on a buoy in the middle of the ocean.
For me, addressing security and compliance is a combination of teaching and changing the culture of the way we develop applications, the way we push those applications so that everybody has a test and validate and approve process, and then using modernized tools, proper code checking, automated code checking before anything goes into production. Multiple layers of security. We can’t think of security anymore as perimeter security. We’ve got to put our security inside our applications and, in fact, start to ignore the perimeter in some ways, because if we’re relying on a perimeter, well… we’re stuffed. We could go on about this, but it’s interesting to hear what other people in the industry are doing here.
Nick Chase: What are you guys hearing about what’s happening in the industry in terms of this kind of transition?
Alex Williams: It’s the hot topic. It’s the number one topic right now. It was talked a lot about at KubeCon. There’s more security startups than I’ve ever seen before. The software supply chain is really the big question mark that people have, especially as a perimeter — one thing that has been effective is a perimeter that is now difficult enough to penetrate, that the attackers are going to where it’s easier to get inside to do their attacks. And it’s really raising questions, I think, about third party software, right? You know, and how well it’s architected.
I think this is a wakeup call to a lot of vendors out there, software vendors out there, who for a long time have just ignored, you know, it’s a financial issue more than anything. It’s like we’ve got to really serve our customer base and that’s what we developed five or ten years ago, and we can’t lose them. We can’t give up on them. And so what happens is then, you have this monolithic architecture — and I think “monolithic architecture” is a different term than “legacy architecture”, in my view at least — and the monolithic architecture, try to update that code base in any way. How do you do that? How do you version control a monolithic architectural environment? You know, it’s really hard to do.
Nick Chase: As my father would say, with much “di-fuh-kuhl-tee” (difficulty).
Alex Williams: Oh, “di-fuh-kuhl-tee”, for sure. You know, “di-fuh-kuhl-tee” is the number one issue. No, but for example, there’s a story in Wired that I read a few days ago about a hacker who found a third-party software that was really not well managed. He was able to then go around and search around universities to find who was using that. He then was able to penetrate into these university systems to be able to then get access to more. He was able to then actually get into one of Europe’s largest telcos and only because he wasn’t very smart about protecting his VPN did he finally get caught. But this is not a new story, you know, and I think a lot of the brunt of this goes on.
First of all, one thing that the pandemic has taught us is that we’ve all gotten pretty lazy. Every one of us have gone pretty dang lazy, especially in first world countries like the United States, the people have just kind of like, well, whatever, it’s my job, you know, I’m not going to pay attention to that. I think you see it in all kinds of industries and you see it in law enforcement, you see it all over the place. What I do, you know, just leave me alone.
Nick Chase: We’re all tired.
Alex Williams: Yeah, we’re all tired. Come on, come on, come on. And what happens is, that makes you extremely vulnerable, extremely vulnerable. It’s terrible.
Shaun O’Meara: You can’t let down your guard, basically.
Alex Williams: Yeah. And once you realize that you’ve let down your guard, now you’ve got like 2.5x the work to do, and that’s where we are. It’s like you’ve got to realize that we have 2.5x the work to do.
Nick Chase: That is very true. We have another question which is basically: SolarWinds is on everybody’s mind, and the question is will it drop off the radar next year? And before I kinda throw that to you guys, I wanna point out, the more things change, the more they stay the same, type of thing. You’re just telling a story about someone who went in through university and found a vulnerability and made their way into a major telco provider. I assume that this was recently, and I say I assume that this was recently because I assume that it is not the situation where I actually had a friend who did that back when we were in high school in the 1980s, and we wound up taking down a large portion of a phone network.
Shaun O’Meara: That’s a brilliant example, and I’m going to answer Alex’s question here and I’ll answer this question here. Unfortunately, as soon as it’s no longer fresh media, it’ll start to slide out of our consciousness. I think one of the big challenges, you know, the SolarWinds hack example is a great story about similar hacks happening in the Ukraine, which was a jumping off point to taking down the power networks in Ukraine. That was seven years ago, six years ago now, and there have been many published similar hacks over the years and for a while we’ll jump up. We go, “Dammit, we have to do something about this!” and then that 2.5 times workload gets in the way, and we start to think about other things and trying to move faster. We need to start to change in the culture and we need to start doing things differently and looking at security as core to what we do, especially if we’re looking at migrating applications and changing applications.
Alex Williams: I would argue the culture is changing, and it’s a question of how fast it will change and before you know it, it will transform. And I think we’re starting to see that now. For instance, with the real advancements, a start in 2012 with AI and what we saw coming out of, you know, Toronto from the technologists there, and it kind of spread around the world. The ability to remember things is not necessarily something the human mind is capable of doing, but there’s new ways for you to be able to find the patterns that can help you make decisions so you don’t let things just slide.
I think that’s kind of — that to me supports my argument that people just, you know, kind of just become complacent and you can say they become complacent because they’re relying on technology too much, or you could also say they’re complacent because they’re not relying on it enough, and they’re resistant to change. Humans have a difficult time with transition, you see it all the time. I got divorced, the transition was hell, right? From going, from being divorced through that transition. Any transition is difficult, and that’s the hardest part, I think. And I think that’s the hardest part that we’re seeing right now in a lot of different software communities.
Adam Parco: The other thing I want to add is no single person knows the entire stack anymore of their applications, right? From seeing libraries deep into kernel, right, to the kernel, to the OS, to application frameworks, to say, Kubernetes like orchestrators to the third party software add-ons, the end-to-end stack is just massive and it’s really hard to wrap that in an onion everywhere to make sure it’s secure. And then you’re also relying on many, many people, also lots in the open source world, to make sure your stuff is safe.
So I think what you were saying is — and I think this kind of speaks to it — is that we’re going to have to rely on technology and things like AI and just automation to be able to analyze and interpret and inspect, because there’s almost going to be no other way to secure it and to end when we have so many things out of our control.
Shaun O’Meara: But isn’t that a good argument for us to abstract more of their complexity to trusted organizations?
The role of open source
Adam Parco: Yeah, absolutely. It goes back to the open source thing right? No one builds entirely purely on open source because it’s just too daunting, right? You need partners to package that up and secure it, to sign it, to scan it, authorize it, distribute it, like everything else that makes open source palatable in, at least, a mass-scale enterprise organization.
Nick Chase: I think that’s what we’ve come to is a world that is, as you say, too complex for anybody to handle everything at the same time. And Alex, to your point of the fact that we now have the ability for AI to come in and recognize security threats and so on, my sort of holy grail of a system is something that is the whole “AIOps” situation, where you have systems that monitor themselves and they know what’s going on and they kind of augment the human. I don’t think anybody’s gonna – I don’t think we should replace the human element, but to kind of augment all of that I think is important, and it comes down to Alex what you were saying. Are we using the technology enough to kind of get us over that 2.5x hump so that we can do the things that we really have to do.
Shaun O’Meara: But is the questioning enough? Or is it asking the question in the right way?
Nick Chase: Good point. That is a good question. What do you think, Shaun?
Shaun O’Meara: Well, I kind of would like to get Alex’s thoughts on it, but for me, I think technology always has its place. We go back to tools, but it’s also about using the right tools. If I use a 10-pound hammer to knock a tack in, I’m going to break the thing underneath it. And I’m also creating a whole lot of complexity for myself. Whereas if I use the right tool for the right job, and I can trust that that tool is going to do the job for me, and it abstracts that complexity away, it means me as the so-called “thinking machine”, which is what a human is. We’re supposedly more creative than the machines, the AI, as smart as AI is, we’re the ones that can have leaps of imagination.
So how does the developer fit as a cog into this larger machine? Ultimately that’s about having the ideas and being creative, which means those tools we’re using have to be appropriate for the job, and if they’re too complex for us to use, then we’re not going to use them. I know it’s a sick job, but…
Nick Chase: No, no, no. I think you’re right. Alex, what do you think?
Alex Williams: One of the great learnings I’ve had over the years is just the wonder of the maker, the people who make things, the people who create things and those people come from all walks of life. They’re developers, they’re engineers, they’re writers, they’re videographers, they’re audio experts. They come from every walk of life. Those makers are the people who are always trying something new. They’re always experimenting, they’re always just seeing how something will work. They tinker. That to me, is such a fever once you get it, you can’t lose it once you get it. And I believe that those people who tinker, those people who make things, have been around for thousands of years. They’re what has helped us propel humanity forward.
That, to me, is the difference I think about AI versus not, for instance. Humanity is a very — we’re very curious. We’re very curious as a species, and we’re always trying new things. Sometimes your mind might think a little bit differently than mine and your mind might think differently than that other person who is like figuring out how to get a backdoor into the bank. So humanity comes with all kinds of, all kinds of ups and downs and in different ways and, to me, I just have to kind of put my fingers in that, you know, whether you do it the right way or the wrong way or too much one way or too much the other way, that’s just the way people work.
That’s where it really comes down to really, really great managers who know the balance there, who know, who understand that, and really take confidence and faith in the people who they work with because they hired them. They better be – if you hire the people around you and you’re not happy with them, you haven’t done your job, right?
What did Steve Jobs say? He said I hire someone not for me to tell him what to do, I hire them for them to tell me what to do. And I think both the rejoicing I have in free open source software — I know you don’t like the term “free” Shaun — but I think you know that it’s an open source offer. I’d better be careful what I say.
Shaun O’Meara: I’m gonna have to get on my soapbox again, mate.
Alex Williams: But if you look at open source software, and just the community of the commons, it’s both wonderful, but it’s also fragile too.
Shaun O’Meara: Yes.
Alex Williams: And when we mess with the fragility of longstanding systems, that’s when you will start to have a breakdown. It’s okay to critique it and understand it, but when you start to try to subversively get underneath it and change it, that’s when the problems happen. But that’s humanity too, and so I just love good managers. I think good managers really are the ones who can help us kind of channel that creativity and that energy to find ways that will work for the organization, whatever one you’re talking about.
Shaun O’Meara: I think it’s an incredibly important point. It’s the collaborative nature of what we’re doing with open source, the collaborative nature with this new way of work. And one thing humans, despite some of the media noise to the contrary, we’re actually bloody good at collaborating, across many boundaries, and ultimately taking advantage of new systems means we have to collaborate. We may be doing it explicitly with people or implicitly with APIs, but that’s a form of collaboration in its own right. And that’s what, to me, open source is. It’s about that community of collaborating. And I think that’s a very powerful idea when we start talking about moving from this old monolithic world to a more distributed world.
More on Legacy Migration
If you would like to continue watching, you can view the full webinar recording on demand. More installments of Cloud Native & Coffee will be coming soon. Please keep an eye on our upcoming webinar schedule to save your seat for the next session.