Integrating DevOps and Security
March 21, 2019
With the cloud, enterprises gain operational and management advantages of agility, scalability, and ease of use. The cloud also enables IT teams to apply continuous integration/continuous deployment (CI/CD) methods to deliver applications and functionality rapidly. To capitalize on the capabilities of the cloud, many organizations are turning to a development and delivery methodology known as DevOps.
Speed is the essential component of DevOps and it’s what enables an organization to be more responsive to customer and market needs and deliver innovation continuously. With DevOps as a discipline, organizations can iterate and deploy new functionality and fixes, and get them in front of users quickly.
While DevOps emphasizes speed, it has not always focused as much on security. Speed works against the precautionary details required to maintain a rigorous security posture across an organization’s cloud environment: a change that ships in minutes can open a port, weaken a policy, or expose a resource just as quickly. DevOps and the discipline of security operations (SecOps) need to be integrated; today they coexist, but with some tension between their goals.
Achieving the respective goals of security and DevOps doesn’t have to be a zero-sum game. What’s needed is an approach that integrates rapid CI/CD with cloud security controls and policies, so that data and resources are put to work effectively and securely.
These three key practices are critical to integrating the processes and mindset of DevOps and SecOps:
Embed Security Into the Development Process
Some organizations take a scheduled approach to security; they see it as a series of items on a checklist to be audited periodically for errors and vulnerabilities. For a modern enterprise in the cloud, where the environment changes many times between audits, that leaves gaps that can turn into exploitable vulnerabilities.
Security has to be baked into the culture of the organization and treated as an integral part of the IT, product, and engineering processes. Beyond applying security controls to code and resources as they are written, teams have to build automated security checks that keep running as systems operate in production. Even when apps and systems are designed with security in mind from the outset and every appropriate assessment is conducted during development, mistakes slip through and configurations drift from what was reviewed. To stay secure, enterprises have to monitor production systems continuously for both security and regulatory compliance.
Use Automation as a Component of Security
DevOps delivers real advantages, and it would be counterproductive for security measures to slow it down. With cloud deployments and application development moving rapidly, app features evolving daily, configurations changing and workloads shifting, there is no way to verify manually that security is applied everywhere it should be. Automation is the way to embed security into DevOps practices. Most developers are already familiar with automation for scripting, building, and taming complexity, and security in the cloud can be handled the same way.
Security controls are not application code, but the processes that govern them are exposed through scripts and APIs rather than being locked inside specific toolsets. With cloud environments built on microservices and managed through DevOps pipelines, many aspects of security are now programmable: network rules, access policies, and logging settings can be declared, reviewed, and tested like any other code.
Integration and deployment pipelines can be adapted to run automated quality assurance and security checks as part of the development workflow, so that a policy violation fails the build rather than reaching production. But as resources get added to cloud environments and connections multiply across applications, there is a growing need for continuous insight, testing, and remediation of the settings, policies, controls, signatures, and other elements that make up an organization’s security posture, not just a check at deploy time.
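The following is an added example, not code from the original article, showing the two roles just described in one small policy-as-code module: the same rule set runs as a pipeline gate over the declared infrastructure and later as a production monitor that flags findings and drift between what was declared and what is actually running. The resource schema, rule names, and sample configurations are constructed for illustration; a real pipeline would feed it from an infrastructure-as-code plan or a cloud provider’s inventory API.

```python
"""Policy-as-code checks that run both as a CI gate and as a production
drift monitor.  Added example: not from the original article.  The resource
schema, rule names and sample data below are assumptions for illustration;
a real pipeline would feed this from an IaC plan or a cloud inventory API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str   # name of the offending resource
    rule: str       # identifier of the violated policy rule
    detail: str     # human-readable explanation


ADMIN_PORTS = {22, 3389}   # SSH and RDP
ANYWHERE = "0.0.0.0/0"


def check_security_groups(resources):
    """Flag ingress rules that expose administrative ports to the whole internet."""
    findings = []
    for r in resources:
        if r["type"] != "security_group":
            continue
        for rule in r.get("ingress", []):
            if rule["cidr"] == ANYWHERE and rule["port"] in ADMIN_PORTS:
                findings.append(Finding(r["name"], "sg-admin-port-open",
                                        f"port {rule['port']} open to {ANYWHERE}"))
    return findings


def check_buckets(resources):
    """Flag object storage that is public or lacks encryption at rest."""
    findings = []
    for r in resources:
        if r["type"] != "bucket":
            continue
        if r.get("public", False):
            findings.append(Finding(r["name"], "bucket-public", "bucket is publicly readable"))
        if not r.get("encrypted", False):
            findings.append(Finding(r["name"], "bucket-unencrypted", "encryption at rest is off"))
    return findings


CHECKS = (check_security_groups, check_buckets)


def evaluate(resources):
    """Run every policy check over a list of resources and collect the findings."""
    findings = []
    for check in CHECKS:
        findings.extend(check(resources))
    return findings


def pipeline_gate(declared):
    """CI step: returns (passed, findings); the build fails when passed is False."""
    findings = evaluate(declared)
    return (not findings, findings)


def detect_drift(declared, observed):
    """Monitoring step: report live resources that differ from, or were never in,
    the declared configuration.  Returns a list of (resource name, reason)."""
    declared_by_name = {r["name"]: r for r in declared}
    drift = []
    for live in observed:
        base = declared_by_name.get(live["name"])
        if base is None:
            drift.append((live["name"], "not in declared config"))
        elif base != live:
            drift.append((live["name"], "configuration differs from declared"))
    return drift


# Constructed sample data: what the team committed to version control ...
DECLARED = [
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": ANYWHERE}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"type": "bucket", "name": "app-logs", "public": False, "encrypted": True},
]

# ... and what a later inventory of the live environment shows: someone opened
# SSH to the world and created an undeclared public, unencrypted bucket.
OBSERVED = [
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": ANYWHERE}, {"port": 22, "cidr": ANYWHERE}]},
    {"type": "bucket", "name": "app-logs", "public": False, "encrypted": True},
    {"type": "bucket", "name": "scratch", "public": True, "encrypted": False},
]

if __name__ == "__main__":
    passed, findings = pipeline_gate(DECLARED)
    print("CI gate on declared config:", "PASS" if passed else "FAIL", findings)
    print("Policy findings in production:", evaluate(OBSERVED))
    print("Drift since last deploy:", detect_drift(DECLARED, OBSERVED))
```

The declared configuration passes the gate, so the pipeline would deploy it; the production inventory then yields three policy findings and two drifted resources. The point of sharing one rule set between the two stages is that whatever the gate would have rejected at commit time is also what the monitor flags when it appears later by hand, which is exactly the gap a checklist audit leaves open.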
Establish Common Ground
Integrating DevOps and security requires cultural change in both groups: a blend of the two has to emerge while each team keeps the strengths it brings. The goal should be that developers, operations teams, IT leadership, QA, and security all apply security controls and best practices throughout development and management, while respecting the goals of rapid development, deployment, and iteration. When the different groups understand each other’s goals, they can develop processes that support them.
It may seem rudimentary, but what matters most for success is communication and empathy regarding the needs of others. Some of that comes from an agile working environment that lets teams continuously improve their processes and operational workflows. It’s also important to use the right incentives and KPIs to encourage the change in how the different groups approach this integrated DevOps/security style of operating; if security is measured only on findings and developers only on velocity, the tension stays.
By design, cloud environments are dynamic. Everything done to push code and make it safe happens in the midst of different types of workloads, a dizzying array of connections, and a growing surface area with ever more endpoints. Under aggressive timetables and delivery deadlines, it’s easy to let the discipline that security requires slip. In highly connected, fast-moving and constantly changing cloud environments, that is something enterprises simply cannot afford. To succeed, they must have the processes and technology to properly secure the assets and data that are critical to their business.