The integration of DevOps and security
The cloud offers so many advantages for DevOps, but it comes at a cost. In this article, John Martinez explains why security needs to be a priority for all DevOps teams.
The cloud delivers operational and management advantages to enterprises by being agile, user friendly, and optimized to scale. It also enables IT teams to apply continuous integration/continuous deployment (CI/CD) methods to deliver applications and functionality more rapidly. By using the development and delivery methodology known as DevOps, the entire organization can be more responsive to customer and market needs and deliver innovation continuously.
Speed is the essence of DevOps; the idea is to iterate, iterate, iterate, and get fixes and new features in front of users quickly. And while not necessarily the adversary of security, speed can have a negative impact on the precautionary details required to maintain a rigorous security posture across an organization’s cloud environment. Certainly there exists some tension between the goals of both disciplines, but achieving their respective goals doesn’t have to be a zero-sum game. In fact, what’s needed is an approach that integrates the need for rapid CI/CD with cloud security controls and policies so that data and resources are put to work effectively, but also securely.
Build security into the fabric
Some organizations approach security as a checklist to be audited regularly for errors and vulnerabilities. For a modern enterprise in the cloud, that’s not going to cut it. Security efforts have to be baked in to the culture of the organization and emphasized as an integral part of the entire IT, product, and engineering processes. Besides using best practices that apply security controls to your code and resources, teams have to build in automated security checks as systems run in production. Even when apps and systems are designed with security in mind from the outset, and all of the appropriate security assessments are conducted throughout development, security gaffes slip through and configurations change. To stay secure, enterprises have to engage in continuous security and regulatory compliance monitoring on systems in production.
Make automation your ally
There are so many advantages to be had when using DevOps, and it would be counterproductive for security measures to limit it. With cloud deployments and application development moving so rapidly, app features evolving daily, configurations changing and workloads shifting, there’s no way to keep up manually. Thankfully, there is a way to embed security into DevOps practices: automation. Most developers are already familiar with the concept of automation for scripting, coding, and simplifying complexity, and security in the cloud can operate in the same way.
Security functions differently than code, but the processes that govern it can be accessed through scripts and APIs rather than being tied to specific toolsets. With cloud environments making use of microservices architectures, and using DevOps to support development and deployment, many aspects of security are now programmable.
Integration and deployment pipelines are perfectly suited to automate quality assurance and the application of security controls as part of the normal development workflow. But as resources get added to cloud environments and connections increase across more applications, there’s an enhanced need for continuous insight, testing, and remediation of settings, policies, controls, signatures, and other elements that make up an organization’s security posture.
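The two ideas above, security controls applied as code in the pipeline and continuous monitoring of settings after deployment, can be illustrated with a small policy-as-code check. The following is an added example and is not code from the article; it assumes resources arrive as plain dictionaries (as a pipeline might load them from an infrastructure template or an inventory export), and the inventory, baseline and rules are all constructed for illustration. It evaluates a few rules over the live inventory and also reports drift from the baseline that was reviewed at deploy time, failing the pipeline step when anything needs attention.

```python
"""Policy-as-code and configuration-drift checks over a cloud resource inventory.

Added example, not code from the article. Assumption: resources are plain
dicts as a pipeline might load them from an IaC template or an inventory
export. The sample inventories and the rules below are constructed.
"""
from typing import Callable, Dict, List, Optional

Resource = Dict[str, object]
Rule = Callable[[Resource], Optional[str]]

# Constructed: the live inventory as observed after deployment.
CURRENT_INVENTORY: List[Resource] = [
    {"type": "firewall_rule", "name": "web-ingress", "port": 443, "source_cidr": "0.0.0.0/0"},
    {"type": "firewall_rule", "name": "admin-ssh", "port": 22, "source_cidr": "0.0.0.0/0"},
    {"type": "storage_bucket", "name": "public-assets", "public": True, "encrypted": True},
    {"type": "storage_bucket", "name": "customer-exports", "public": True, "encrypted": False},
]

# Constructed: the baseline that the reviewed template declared at deploy time.
BASELINE_INVENTORY: List[Resource] = [
    {"type": "firewall_rule", "name": "web-ingress", "port": 443, "source_cidr": "0.0.0.0/0"},
    {"type": "firewall_rule", "name": "admin-ssh", "port": 22, "source_cidr": "10.0.0.0/8"},
    {"type": "storage_bucket", "name": "public-assets", "public": True, "encrypted": True},
    {"type": "storage_bucket", "name": "customer-exports", "public": False, "encrypted": False},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never exposed to the whole internet


def no_admin_ports_from_internet(res: Resource) -> Optional[str]:
    """Flag firewall rules that open an administrative port to 0.0.0.0/0."""
    if (res["type"] == "firewall_rule" and res["port"] in ADMIN_PORTS
            and res["source_cidr"] == "0.0.0.0/0"):
        return f"{res['name']}: port {res['port']} reachable from the internet"
    return None


def buckets_encrypted_at_rest(res: Resource) -> Optional[str]:
    """Flag storage buckets without encryption at rest."""
    if res["type"] == "storage_bucket" and not res["encrypted"]:
        return f"{res['name']}: bucket is not encrypted at rest"
    return None


def public_buckets_are_marked_public(res: Resource) -> Optional[str]:
    """Flag public buckets unless the naming convention marks them as intended."""
    if (res["type"] == "storage_bucket" and res["public"]
            and not str(res["name"]).startswith("public-")):
        return f"{res['name']}: bucket is publicly accessible"
    return None


RULES: List[Rule] = [
    no_admin_ports_from_internet,
    buckets_encrypted_at_rest,
    public_buckets_are_marked_public,
]


def evaluate(resources: List[Resource], rules: List[Rule] = RULES) -> List[str]:
    """Run every rule over every resource and return the findings."""
    findings: List[str] = []
    for res in resources:
        for rule in rules:
            finding = rule(res)
            if finding:
                findings.append(finding)
    return findings


def detect_drift(baseline: List[Resource], current: List[Resource]) -> List[str]:
    """Report resources that were added, removed or changed since the baseline."""
    def key(res: Resource):
        return (res["type"], res["name"])
    base = {key(r): r for r in baseline}
    live = {key(r): r for r in current}
    drift: List[str] = []
    for k in sorted(set(base) | set(live)):
        if k not in live:
            drift.append(f"{k[1]}: removed since baseline")
        elif k not in base:
            drift.append(f"{k[1]}: added since baseline")
        elif base[k] != live[k]:
            changed = sorted(f for f in live[k] if base[k].get(f) != live[k].get(f))
            drift.append(f"{k[1]}: changed fields {', '.join(changed)}")
    return drift


def pipeline_gate(resources: List[Resource], baseline: List[Resource]) -> int:
    """Exit status for a CI/CD step: 0 when clean, 1 when something must be fixed."""
    findings = evaluate(resources) + detect_drift(baseline, resources)
    for finding in findings:
        print("FAIL", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(pipeline_gate(CURRENT_INVENTORY, BASELINE_INVENTORY))
```

Run as a pipeline step, the script fails the build on the internet-exposed SSH rule and the unencrypted, now-public export bucket, and separately reports that both resources drifted from the reviewed baseline. The same functions can be scheduled against a fresh inventory export to provide the continuous monitoring of production settings described above; rules stay small, named and reviewable like any other code.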
Find common ground
Integrating DevOps and security requires cultural changes among teams, but doing so is essential to blend the needs of both. The goal should be that developers, operations teams, IT leadership, QA, and security all embed security as a priority throughout every aspect of development and management. There are best practices that are unique to both DevOps and security; some of those can be shared and some are meant to be separate, but when the different groups understand the others’ goals, they can develop processes that support them.
It may seem rudimentary, but most important for success is communication and empathy regarding the needs of others. Some of that happens through smart communication and an agile working environment that allows teams to continuously improve processes and operational workflows. It’s also important to use the right incentives and KPIs to encourage change in how different groups approach this new integrated DevOps/security style of operating.
Cloud environments are dynamic. Everything happening to push code and make it safe is happening in the midst of different types of workloads, a dizzying array of connections, and a growing surface area that presents more and more endpoints. Considering aggressive timetables and delivery deadlines, it’s easy to let the discipline required for security slip. But in today’s hyper-connected world, with fast-moving and changing cloud environments, letting security slip for even a moment is something that enterprises simply can’t afford to let happen. To succeed, enterprises must have the processes and technology, and most certainly the people, in place to keep systems adequately secured.