DevOps and Runtime: Automation in the Service of Security
May 31, 2019
DevOps teams are driven by a constant need to develop, integrate, push, and innovate. IT consumerization is now essential for organizations that want to respond quickly to market demands, and it’s increasingly a critical element of competitive differentiation and market viability. It’s because of this that DevOps teams are adopting modern aspects of development, including microservices and container orchestration.
The burgeoning demand for speed, along with the potential for cost savings, is also driving DevOps’ growing reliance on cloud services. The adoption of DevOps and cloud services increased to 74% in 2018 and continues its rapid acceleration into 2019 and beyond.
The acceleration of development also has a downside — security and compliance can often be overlooked in the name of speed. But speed can be a killer when it comes to security posture because adherence to best practices and attention to anomalies are given a low priority, or even totally ignored. For DevOps teams, automation of security principles is essential to enable them to move fast while integrating security into their processes.
What’s the balance of speed vs. security? Well, for starters, that’s the question that’s often asked, and it’s the wrong question. Casting security as the enemy of speed will always give short shrift to security. That’s because you can see speed, but you can’t see security. You can only see when security doesn’t work, and when that happens it’s too late.
The sad reality is that many DevOps teams eliminate their involvement in normal IT channels when they deploy services to the public cloud. This is quite often the expected process, as the business values speed and enables a different set of build-time operations that do not necessarily meet the same standards as run-time operations.
Yet, as evidenced by attacks on infrastructures operating in the public cloud, we know there is a lack of coordination between SecOps and DevOps teams. This is counterproductive and harmful, yet too many look at the outcomes rather than the root causes.
DevOps teams are smart enough to understand the need for security, but also recognize that human intervention is a time-killer. To be sure, stopping for security evaluations and testing WILL slow the delivery of new services and features to customers who are hungry for innovative change if the team relies on standard types of intervention. The answer to the integration of security and build-time lies in automation.
With automation, DevOps teams can apply and automate the use of best practices in their operations. Automation enables security to be deployed and enforced without any impact on the speed, accuracy or quality of the work being done by development teams. Ultimately, automation enables continuous security and compliance to support continuous development.
The application of security on the left side of the application continuum helps developers avoid issues that, further down the road, could create bugs and delays. Yet it also eliminates much of the stress and inherent tension between DevOps and SecOps. The result is an organization-wide approach that benefits all who participate and are responsible for the security and compliance of their data and operations. This includes:
- DevOps teams are able to deploy products and services that have been developed with a security lens. Using the visibility and threat detection of a security platform, they can identify unexpected risks and threats much earlier in the development cycle. This also provides them with a greater understanding of where issues happen so they can create processes that eliminate them in the future. DevOps teams can rely on built-in security protections that are already blessed by the organization, which accelerates their development cycles.
- Security leaders will learn more from the results of anomaly detection and will benefit from continuous security and compliance in a way that gets them out of reactive mode and gives them more control over DevOps and other IT operations. With some organizations pushing increasingly massive numbers of fixes and changes into production every day, security has to provide a way to monitor, detect, and alert. Complete, continuous security and compliance delivered with automation is the most effective way to do this.
- The business is ultimately the biggest beneficiary of this modern approach. The dev process is accelerated, quality is improved, and compliance is monitored and addressed before it becomes a problem. Rather than accepting the inherent tension between DevOps and security teams, the business benefits from faster delivery, more secure production, and an established place in its market.
With a complete, modern security platform that has been designed specifically to meet the challenges of public cloud environments in both build-time and run-time operations, organizations can take advantage of a security-first model that enables continuous visibility, automation, and the ability to move fast. This will not only strengthen security, it will provide compliance and DevOps teams with the tools and processes they need to successfully meet the requirements of the cloud era.