Everybody wants to do DevOps right, and part of that equation is making sure applications and services remain secure even as development and integration transition to a continuous workflow model.
But chaos, even the controlled chaos of DevOps, poses a particular challenge to security. It opens up too many attack vectors and introduces too much uncertainty into what is now a very staid, stable data environment. When everything, even infrastructure, is defined and managed as code, security requires an equally radical makeover in order to remain relevant in an increasingly insecure world. The question is, how best to do that?
One of the main problems with DevSecOps, as it has come to be called, is making sure security capabilities can scale to the same level and at the same pace is the applications themselves. According to a recent survey by CA Technologies, only 20 percent of top business executives think their security testing is up to the demands of continuous integration/continuous deployment (CI/CD) and only a quarter feel they have an adequate means of security testing. Among organizations that are furthest along on the transition to DevOps, however, there is recognition that security must be implemented early in the development process – a practice known as “shift left” – and it must remain a core element throughout the entire product lifecycle. In doing this, security becomes not just a means of protection but an enabler of new business opportunities.
This is not as easy as it sounds, however. A particularly thorny problem is implementing security on top of multiple open source components that are increasingly finding their way into the DevOps pipeline. In another survey, this one by CA Veracode, only about half of all developers in the UK, U.S. and Germany regularly update open products to the most secure version. This is significant because more than 80 percent of developers use a combination of commercial and open components in their projects, with an average of 73 per application. To counter this, organizations need to adopt robust security policies and provide the means for developers to make informed decisions about their security needs.
But regardless of how security is integrated into DevOps, what changes to actual security capabilities or processes are needed to protect data in such a fluid, free-wheeling environment? IDC says that with deep integration now the order of the day, organizations must take a new approach to prevent a breach of one system from cascading to others. To that end, the firm is targeting its research efforts at AIRO – Analytics, Intelligence, Response and Orchestration. By improving these four capabilities, IDC says the enterprise stands a far better chance of building native security into the repeatable, automated process that DevOps will launch into the cloud.
Indeed, any organization that thinks its on-premises security measures will provide affective coverage in the cloud is in for a rude awakening. A recent survey by Sumo Logic reveals that few enterprises have the ability to extend effective visibility into the cloud or to investigate security and compliance threats for applications in the cloud. What’s needed, the company says, are entirely new classes of converged operations and security solutions that not only integrate application insight with infrastructure defense, but function up to 10 times faster than current measures and operate on a dramatically smaller resource footprint. This will require not just new security tooling, but organizational changes aimed at improving collaboration between IT and security functions and promoting cross-team contextual workflows to improve threat resolution.
DevOps is aimed at making business faster and more responsive to customer demands. This it can do in spades, but it will all be for nothing if it leads to even greater data breaches than we’ve seen in recent years and the inevitable mistrust that will ensue of all things digital.
While it is tempting to reach for the ripest fruits on the DevOps tree right away, it is important to remember that a solid foundation of safety and security is the only way to ensure you can continue harvesting those rewards well into the future.
Arthur Cole writes about infrastructure for IT Business Edge. Cole has been covering the high-tech media and computing industries for more than 20 years, having served as editor of TV Technology, Video Technology News, Internet News and Multimedia Weekly. His contributions have appeared in Communications Today and Enterprise Networking Planet and as web content for numerous high-tech clients like TwinStrata and Carpathia. Follow Art on Twitter @acole602.