Micro Focus is now part of OpenText. Learn more >

You are here

You are here

Adobe's digital transformation: How microservices, containers bolster security

Chenxi Wang Founder & General Partner, Rain Capital

Containers and microservices are helping some of the most innovative software companies transform their application development processes and IT infrastructure, attaining unprecedented efficiency. Adobe, which delivers digital services and software to millions of subscribers worldwide, is going through exactly that transformation.

Adobe operates many of its services in the cloud, bundled under its Creative Cloud, Document Cloud, and Marketing Cloud umbrellas. Service uptime is critical to the business, and some services have five-nines availability requirements. And because Adobe has been making frequent business acquisitions, it needs an agile, rapid way to merge newly acquired business operations into its own.

To accomplish this, Adobe is focusing on DevOps automation and security agility. Its development teams understand the business case for and practice of DevOps, and its security team is a big proponent of DevOps principles as well.

“Automation is key," Brad Arkin, chief security officer for Adobe, recently said during his keynote address at the Container Security Summit, hosted by Google, Intel, and Twistlock. "We can’t afford to have dev and security teams that take months to go through a cycle. We are automating manual tasks across the board as much as we can, for both development and operations.” Indeed, part of Adobe’s digital transformation is modernizing the most fundamental business capability for the company: software development.

Using containers to innovate  

Microservices, containers, and continuous integration and delivery have become critical tools in Adobe's digital transformation journey. "Microservices allow us to architect applications in a way that is resilient, adaptable, and portable to almost any infrastructure. This is the only way that can help us achieve broad-scale automation,” Arkin said.

Adobe also is a big believer in continuous integration (CI) and delivery; the company is rapidly modernizing all of its software build and delivery processes onto CI and continuous delivery (CD) platforms. Adobe Acrobat Document Cloud, for instance, uses a fully automated CD pipeline. 

Considering that Arkin is ultimately responsible for securing more than a billion lines of code in the midst of Adobe's digital transformation, he's remarkably optimistic. “Despite the fact that some of these technologies have not been around for long, we are moving as fast as we can because the opportunity is so compelling,” he said. 

It's an opportunity to reduce resource costs, improve infrastructure management, and make moving services across different clouds and platforms easier. And Arkin feels strongly that the move to microservices and containers will ultimately allow his company to become safer. "Immutable infrastructure and better system manageability are positive changes to security operations that we must leverage to lower our risk profile and fundamentally change the security game," he said.  

Moving it all to the cloud

Adobe was very much a desktop software company in the late 2000s. Server utilization wasn't top of mind for operations or company finance. With the transition to delivering its products as cloud-based services, corporate finance has become “incredibly mindful of the rate of data center utilization, cloud usage, and even scaling out models,” Arkin said.

“As the CSO, part of my job is to enable the business to make changes, manage them, measure the outcome, and monetize,” he said. His vision to achieve these goals is clear: “We are committed to moving the Creative Cloud, Marketing Cloud, and Document Cloud onto the latest microservices architecture and container platforms to leverage the efficiency and flexibility these technologies bring.”

Migrating to the cloud has already enabled Arkin’s team to move its focus up the stack, from physical security to infrastructure and operations security, and ultimately to software and applications. The way he sees it, shrinking infrastructure into code has enabled his organization to better integrate secure development lifecycle (SDLC) practices into the way it manages infrastructure. And that, he says, is a vast improvement over the traditional build-your-own, box-oriented infrastructure.

Arkin sees the move to microservices and containers as an innovation opportunity for both Adobe and his team. Today, Adobe has many different development methodologies and deployment models, and as a result, a wide array of security tools. As Adobe moves to microservices and CI/CD, Arkin expects to consolidate development platforms, which he believes will lead to a more uniform security layer and, ultimately, better SDLC efficiency.

But the benefits don't stop there.

“Software will never be perfect,” Arkin said. “What you want is an infrastructure that will allow you to deploy code into a controllable, auditable, and manageable environment, where a single incident can be quickly managed and [its] impact contained in a measurable and predictable way."

Arkin sees microservices and containers as the right infrastructure for enabling this controlled compartmentalization. He added: “Another critical aspect, when you have this compartmentalization, is anomaly detection to quickly and accurately spot compromises,” he said.

Traditional anomaly detection is challenging because of the difficulty associated with assessing what a “normal” state is. Because of this, Arkin says, he is a fan of the immutable, minimalistic nature of container technologies. “With containers, in a server environment with good hygiene, you have a far better chance of defining what the baseline normal is, and therefore a better chance of succeeding in anomaly detection,” he said.

Remaining challenges 

These are just some of the bigger challenges that Adobe and other container adopters are facing. Other potential challenges enterprises may face, according to Arkin, include:

  • Robust sandboxing and segregation. Organizations need to ensure that there's robust segregation between containers or microservices components in order to prevent one compromised component from affecting others. Strong and robust isolation between containers running on the same host to limit the "impact radius" is an immediate requirement.
  • Maturing orchestration tools. The orchestration stack for microservices and containers is still evolving, and some of the more sophisticated capabilities do not yet exist. Complex deployment rules, taking into account context, identities, and application-specific information, are not yet possible with available orchestration tools.
  • Stronger role-based controls into the new stack. Some emerging technologies do not have good support for handling roles and role segregation. Richer access-control frameworks are needed to support complex business environments with DevOps-style transactions, where development and test teams are touching production environments.
  • Compliance. The Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), and other regulatory and compliance standards have not been translated into these new technology environments. It is not clear how an auditor today would assess a regulated application implemented in containers, for instance. Clearer definitions of compliance requirements for these new environments are needed.

“Compliance is a particularly important consideration,” Arkin said. “Standards bodies are usually silent about new technologies in the beginning. But you cannot wait for them to rework their guidance. As an innovator, you must start with interpreting how compliance requirements could be mapped to the new environments, proactively working with standards bodies  and start innovating. You can't sit around and wait."  

A perfect time to move forward

Like many IT innovators, Arkin is excited at the opportunity that containers and microservices bring. A modern development platform, immutable infrastructure, more automation, and fewer manual mistakes are just some of the benefits that Arkin and his team have seen at Adobe. "It's an exciting time for IT professionals. If you are up to trying new things, there are plenty of innovation opportunities for you to create a fundamental impact." 

Image credit: Flickr

Keep learning

Read more articles about: Enterprise ITDigital Transformation