Quality assurance and auditing

Once the company's compliance and risk mitigation activities have been solidified, the guardrails are in place to allow for cloud deployments. However, these guardrails and governance methodologies are only as good as the conditions under which they were developed and implemented. Over time, as workloads are built and deployed to the cloud, a company has to re-evaluate the risk posture it originally implemented and ensure that it keeps up with the current climate. Cloud vendors will release new services, each of which will need to be evaluated and assigned the classification of data and workloads it is suitable for. Governments and compliance bodies will continue to update or release new frameworks that organizations must follow in order to ensure the safety of customer data. All of these require quality assurance and auditing.

In this context, quality assurance is the process of constantly evaluating and testing systems to ensure that they meet the standard originally set out in the business problem statement. In the traditional sense, this process makes sure that the code is functionally correct, lacks security and other defects, and meets the other non-functional requirements. This is no different in the cloud. However, the non-functional requirements now include additional cloud native properties. For example, cost optimization in the cloud is critical to prevent cloud sprawl, and the quality assurance process should be responsible for verifying that the cloud vendor services being used are appropriate and implemented correctly. Quality assurance extends not only to the code and services, but to the deployment pipeline, system availability, and even the blast radius of the distributed architecture. As discussed previously, quality assurance should also be built into the project management processes of the company so that, before a workload even reaches production, it is designed with these philosophies in mind.

Another critical component that systems need is auditability. Regardless of whether the system is within the scope of an external auditor, or only internal, this process assures accountability and traceability to identify defects and security incidents. Over time, even the best implemented systems will drift from their original architecture and security posture. This is natural and expected, as business conditions change and new functionality is implemented. What is important is that the audit process for governance, security, and compliance stays the same or is enhanced along with the system.

Deploying new business functionality doesn't mean that the security posture has to change, so performing continuous auditing of the guardrails will ensure that the drift from the original posture isn't excessive. Cloud vendors often have configuration services that take periodic views of the overall cloud landscape and store them in a digital format, perfect for auditing and comparison testing. These configuration services can usually be extended to not only get a view of the cloud landscape, but also to perform custom system-level verifications and store output alongside the cloud configuration. Through automation, these audit checks can be carried out at short intervals and then programmatically compared to ensure that nothing has been introduced into the environment that will cause drift from the required posture. Automated auditing is how mature cloud native organizations ensure that their systems are always compliant.
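The snapshot-and-compare audit described above, as an added example that is not part of the original text: a constructed baseline snapshot is diffed against a constructed current snapshot to find structural drift, and a small set of guardrail rules is evaluated over the current snapshot to find posture drift. The resource names and attribute keys are assumptions for illustration, not any cloud vendor's real configuration schema.

```python
"""Drift audit: compare a current cloud configuration snapshot against a
baseline and evaluate guardrail rules over it. All data is constructed;
resource names and attribute keys are assumptions, not a vendor schema."""
import copy

# Constructed baseline snapshot: the approved posture when it was recorded.
BASELINE = {
    "sg-web": {"type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "bucket-logs": {"type": "bucket", "encrypted": True, "public": False},
    "db-main": {"type": "database", "encrypted": True, "publicly_accessible": False},
}

# Constructed current snapshot: since the baseline, an admin port was opened
# to the world, bucket encryption was disabled, and a new resource appeared.
CURRENT = copy.deepcopy(BASELINE)
CURRENT["sg-web"]["ingress"].append({"port": 22, "cidr": "0.0.0.0/0"})
CURRENT["bucket-logs"]["encrypted"] = False
CURRENT["cache-new"] = {"type": "cache", "encrypted": True}

def diff_snapshots(baseline, current):
    """Structural drift: resources added, removed, or changed since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}

# Guardrail rules: each returns a finding string for one resource, or None.
def rule_no_world_open_admin_ports(name, res):
    for r in res.get("ingress", []):
        if r["cidr"] == "0.0.0.0/0" and r["port"] in (22, 3389):
            return f"{name}: port {r['port']} open to 0.0.0.0/0"
    return None

def rule_encryption_at_rest(name, res):
    if "encrypted" in res and not res["encrypted"]:
        return f"{name}: encryption at rest disabled"
    return None

RULES = [rule_no_world_open_admin_ports, rule_encryption_at_rest]

def evaluate_guardrails(snapshot, rules=RULES):
    """Posture drift: every guardrail violation present in the snapshot."""
    return [f for name, res in sorted(snapshot.items())
            for rule in rules if (f := rule(name, res))]

if __name__ == "__main__":
    print(diff_snapshots(BASELINE, CURRENT))
    for finding in evaluate_guardrails(CURRENT):
        print("DRIFT:", finding)
```

Run on a schedule, the structural diff tells you what changed and the rule findings tell you which changes actually violate the required posture; the baseline itself must be updated through the same governance process when an approved change lands.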

While quality assurance and auditing are not specifically part of the cloud native maturity model (CNMM), they permeate all three of its axes. Mature CNMM companies are constantly evaluating new and evolved cloud vendor services that will help them to meet their business objectives more quickly and cheaply while staying within accepted risk and compliance requirements. They automate everything, including their compliance checks, auditing activities, and end-to-end deployment and quality assurance processes, so that system drift doesn't cause security problems. They focus their energy on making sure their application designs follow cloud native best practices and automate code review to check for vulnerabilities, security gaps, cost inefficiencies, and blast radius conditions.
