Until recently, security was a "bolt-on" or an afterthought -- if a thought at all -- in the DevOps process. It's easy to understand why. Application development has dramatically improved in speed and quality through the adoption of DevOps, agile development and continuous deployment initiatives, while security still relies on manual processes that just can't keep up with the pace of deployment and change. This leaves DevOps teams with two options: 1) deploy applications as quickly as possible and worry about security later; or 2) slow down development and deployment cycles while security adds the necessary policies and access controls. It should come as no surprise that speed usually wins over security, and applications are often deployed before they can be fully secured.
We usually see security issues play out in the DevOps process in two ways:
- Application developers neglect to prioritize secure coding in their applications.
- DevOps teams deploy applications in the cloud without following proper security policies and access controls, or without having the appropriate skills to configure cloud security. This is why headlines, of late, have been dominated by news of cloud data breaches, leaky buckets and unauthorized access to personally identifiable information.
Ongoing security issues such as these, in combination with stringent new compliance requirements such as the General Data Protection Regulation (GDPR), have prompted organizations to take a closer look at security in the DevOps process. Development and operations teams are moving beyond simply asking, "How can I serve up data and applications in a way that is easy for my users to consume?" to asking, "How can I securely serve up data and applications in a way that is easy for my users to consume?" The answer is DevSecOps.
Benefits of DevSecOps
In the DevSecOps model, security teams are fully integrated into the DevOps process -- from design, development and code quality assurance, to deployment and support processes -- so they can embed security functions and controls throughout the application development cycle.
DevSecOps is a fairly new trend, but one that more organizations are adopting. According to FireMon's recent State of Hybrid Cloud Security Survey, 30.7% of the survey's respondent base of more than 400 information security professionals said they are part of the DevOps team, as part of the emerging DevSecOps trend. And the DevSecOps adoption rate will only continue to accelerate.
In addition to reducing risk, DevSecOps does two very important things. First, it moves security from the backburner to the forefront of DevOps initiatives, ensuring "security by design and default." In other words, security becomes part of the overall DevOps workflow, rather than being a road block or an afterthought.
Second, with the help of a policy orchestration platform, DevSecOps facilitates collaboration between development, operations and security teams. This is important because it allows all stakeholders to work together to develop security policies and establish security guardrails around application deployment that align business intent, operations intent, and security and compliance intent. Teams that once worked in isolation are now collaborating on a regular basis to strengthen DevOps security.
Automated policy management
There's one other important thing to consider when it comes to successfully executing a DevSecOps model. Policy management and security capabilities must be automated, or DevOps teams will find themselves, once again, mired in the "business demands vs. security requirements" issue.
In today's dynamic business environments, new networking technologies and development processes are implemented all the time, and user access requests are constantly changing. It's impossible for security teams to keep up with the pace of change if they're still manually writing security rules. Not to mention, these labor-intensive processes slow development and deployment, and frustrate DevOps teams.
With automated policy management, the right access controls are automatically applied to applications based on pre-defined business, security and compliance intent -- regardless of how they change or move -- so security can keep up with DevOps demands. The ability to automatically generate security rules also provides DevOps and business leaders with the ability to grant user access when needed, while remaining within the confines of defined security and compliance policies -- resulting in "self-service" security.
Security at the speed of business
DevOps, cloud computing and other digital transformation initiatives are causing business initiatives to accelerate faster than security teams' ability to secure them. DevSecOps offers organizations the opportunity to break free from this vicious cycle by making security a priority, uniting all stakeholders around common security policies, and automating policy management. Only then can DevOps teams take advantage of next-gen technologies and processes without introducing added risk. And only then can security teams move at the speed of development, operations and the business.
— Tim Woods is VP of Technology Alliances at FireMon. He brings more than 20 years of security experience to the role. Tim's passion for security grew during his eight years serving the Naval Intelligence Community and continued to grow as he assumed roles at several successful security startups and at Nokia Enterprise Solutions.