Software Requirements: FAST. GOOD. CHEAP. Choose any two…
When I started my career as an engineer, that was a joke we used to kick around. That was at a time when development projects ran into multiple quarters and often relied on layers of project managers to keep other projects managers honest, so those project managers could keep developers on schedule, and within the project requirements. There were times when it was chaos, but amazingly, we built some amazing things.
In today’s development environment, the joke is far less relevant; with innovative technology and modern methodologies, fast, good, and cheap actually defines the new model. DevOps has given us a model for speed, the idea of “good” is supported by a market that is fairly efficient at driving out poorly developed software, and open source and mass proliferation of APIs are providing a cheaper model for development. But nothing can ever really be perfect in software development, right? Well, there IS something still usually missing in this equation – security.
As we’re increasingly seeing, speed is a competitive advantage, and if software is eating the world, then speed is fueling its insatiability. DevOps teams are now both reflecting and defining business models as they operate in a continuous cycle of development, integration, deployment and innovation. The ability to operate like this means that organizations can be far more responsive; if they’re responsive, they can meet business demands quickly and move ahead of those who lag. Especially in light of the consumerization of IT, speed defines the platforms used to build as well as the operations and data that function in runtime. Microservices, container orchestration, virtualized machines; these and other tools have created an entire industry to support the fast, continuous development approach.
Speed no Longer Inhibits Security
The result of fetishizing speed is that apps and other resources get pushed faster into runtime, but that data is also the by-product of what happened during development. Lacework has been primarily focused on the activities in runtime, whether they are happening in a cloud, on-premises, hybrid, or any type of environment. Our emphasis has always been about continuous and automated anomaly detection through deep visibility into all that activity. Misconfigurations, anomalous behavior, host intrusion detection – these and other use cases defined the approach to identifying security issues so they could be understood with helpful context and ultimately fixed rapidly.
Today we announced that our security approach and coverage now encompasses the entirety of an organization’s development and runtime operations. The Lacework Complete Security Platform is shifting left to provide complete security and compliance visibility across the entirety of an enterprise’s infrastructure footprint — from development to runtime, and for cloud, container, bare metal, and hybrid environments. This means that organizations are able to apply not just the concepts of security throughout the development and delivery lifecycle, but now have a platform on which all activity can operate because it is continuously looking for any and all behavioral abnormalities, irrespective of where they live, to identify issues.
Integrating DevOps Into the Security-Based Approach
Shifting left is borne from the reality that many DevOps teams eliminate their involvement in normal IT channels when they deploy services to the public cloud. This is quite often the expected process, as the business values speed and enables a different set of build-time operations that do not necessarily meet the same standards as run-time operations.
Yet, as evidenced by attacks on infrastructures operating in the public cloud, we know there is a lack of coordination between SecOps and DevOps teams. This is counterproductive and harmful, yet too many looks at the outcomes rather than the root causes.
Vulnerable vs Vulnerabilities
Tracking vulnerabilities is critical pre-deploy but what you really want to know is are you vulnerable. To us, this means that you are combining the latest vulnerabilities with your risk and exposures in your infrastructure. If you have a vulnerability that is open to the world that is a lot different than one that is sitting pre-deploy in your image repository. Then if you get exploited you REALLY want to know not only how did it happen but what else did they do.
As the lines between development and runtime overlap more and more, and because there is such a heavy reliance on the speed and output coming from DevOps, security has to operate at every point where data is created, transacted, integrated, and applied. Anything pushed into production that has a vulnerability creates the potential for a security issue later. Catching it while it’s being created delivers demonstrable value because it reduces the burden on security operations teams and increases the availability of services.
As we can see in this representation of the Lacework platform, this is a complete approach. It’s not “unified” as many vendors are trying to deliver. We have not pulled together functionality from various sources of IP, nor are we getting into areas where we have no expertise. Rather, we’re applying the underlying technology on which we built Lacework to extend our security visibility and detection capabilities across everything an organization’s infrastructure and data touch.
Figure 1. Lacework Complete Security Platform
A Complete Security Platform
By extending security to the left side of the application continuum, developers participate in their organization’s security approach; automation gives them the ability to actively contribute to effective security without placing constraints on speed or agility. The result is an organization-wide approach to the security and compliance of data and operations. This means:
- Development teams can deploy services that have been developed with the discipline of security automatically embedded in their innate processes. Using the visibility and threat detection of a security platform, they can identify unexpected risks and threats much earlier in the development cycle. This also provides them with a greater understanding of where issues happen so they can create processes that eliminate them in the future. DevOps teams can rely on built-in security protections that are already blessed by the organization, which accelerates their development cycles.
- Security teams will learn more from the results of anomaly detection and will benefit from continuous security and compliance in a way that gets them out of reactive mode and takes more control over DevOps and other IT operations. With some organizations pushing increasingly massive numbers of fixes and changes into production every day, security has to provide a way to monitor, detect, and alert. Complete, continuous security and compliance delivered with automation is the most effective way to do this.
- Business teams are ultimately the biggest beneficiary of this modern approach. The dev process is accelerated, quality is improved, and compliance is monitored and addressed before it becomes a problem. Rather than accepting the inherent tension between DevOps and security teams, the business benefits from faster delivery, more security production, and an established place in their respective market.
With Lacework’s complete, modern security platform that has been designed specifically to meet the challenges of public cloud environments in both build-time and run-time operations, organizations can take advantage of a security-first model that enables continuous visibility, automation, and the ability to move fast. This will not only strengthen security, but it will also provide compliance and DevOps teams with the tools and processes they need to successfully meet the requirements of the cloud era.