By Anders Wallgren
Information security and compliance are critical to businesses across the globe, especially given past examples of data breaches and looming cybersecurity threats. Yet InfoSec has long been thought of as the group that slows things down, the wet towel to your DevOps efforts, often requiring a more conservative approach as a means of mitigating risk. Traditionally, DevOps has been viewed as a risk by InfoSec teams, with its increased velocity of software releases seen as a threat to governance and security and regulatory controls (which, by the way, often require the separation of duties, rather than the breaking of silos).
Despite some initial pushback, enterprises that have taken the DevOps plunge have shown consistently that DevOps practices actually mitigate potential security problems, discover issues faster, and address threats more quickly. This has led to a faster rate of adoption in the InfoSec space of automation and DevOps practices. DevOps is increasingly viewed as the security blanket that enables and enforces security, compliance, and audit requirements, making DevOps a resource for InfoSec rather than a threat.
As a philosophy, DevOps focuses on creating a culture and an environment in which Dev, QA, Ops, the business itself, and other stakeholders in the organization work in collaboration toward a shared goal. We now see DevOps evolving to DevSecOps, with InfoSec aligning with your DevOps initiatives and security requirements becoming a key tenant of DevOps practices and benefits.
How DevOps facilitates security and compliance
DevOps provides a huge opportunity for better security. Many of the practices that come with DevOps, such as automation, emphasis on testing, fast feedback loops, improved visibility, collaboration, consistent release practices, and more, are fertile ground for integrating security and audit capability as a built-in component of your DevOps processes.
DevOps automation spans the entire pipeline, from code development and testing to infrastructure configuration and deployment. When done right, DevOps enables you to:
- Secure from the start. Security can be integrated from the early stages of your DevOps processes, and not as an afterthought at the very end of the software delivery pipeline. It becomes a quality requirement, similar to other tests run as part of your software delivery process. Just as CI enables “shifting left” by accelerating testing and feedback loops to discover bugs earlier in the process and improve software quality, DevOps processes can incorporate automated security testing and compliance.
- Secure automatically. As more and more of your tests and processes are automated, you have less risk of introducing security flaws due to human error, your tests are more efficient and you can cover more ground, and your process is more consistent and predictable. So if something does break, it’s easier to pinpoint and fix.
- Secure throughout. By using tools that are shared across the different functions (especially with an end-to-end DevOps automation platform that spans development, testing, ops, and security), organizations gain visibility and control over the entire systems development life cycle, making the automated pipeline a closed-loop process for testing, reporting, and resolving security concerns.
- Get everyone on the same page and pipeline. By integrating security tools and tests as part of the pipeline used by Dev and Ops to deploy their updates, InfoSec becomes a key component of the delivery pipeline and an enabler of the entire process (rather than pointing fingers at the very end).
- Fix things quickly. Unfortunately, the occasional security breach or vulnerability might come up, requiring you to act quickly to resolve the issue (think Heartbleed, for example). DevOps accelerates your lead time, so that you can develop, test, and deploy your patch/update more quickly. In addition, the meticulous tracking provided by some DevOps platforms into the state of all your applications, environments, and pipeline stages greatly simplifies and accelerates your response when you need to release your update. When you know exactly which version of the application, and all components in its stack, is deployed on which environment, you can quickly pinpoint the component of the application that requires the update, identify the instances that require attention, and quickly roll out your updates in a faster, more consistent, and repeatable deployment process by triggering the appropriate workflow.
- Enable developers while ensuring governance. DevOps emphasizes the streamlining of processes across the pipeline to have consistent development, testing, and release practices. Your DevOps tools and automation can be configured to enable developers to be self-sufficient and “get things done,” while automatically ensuring access controls and compliance. For example, as a resolution to the growing “shadow IT” phenomenon, we see a lot of organizations establishing an internal DevOps service for a dev/test cloud, with shared repositories, workflows, deployment processes, etc. This allows engineers on-demand access to infrastructure (including production), while automatically enforcing access control, security measures, approval gates, and configuration parameters, all to avoid configuration drift or inconsistent processes. In addition, it ensures that all instances across all environments, no matter whether in development, QA, or production, are identified and tracked and that they are operating within preset guidelines and can be monitored and managed by IT.
- Secure both the code and the environments. By creating manageable systems that are consistent, traceable, and repeatable, you ensure that your environment is reproducible and traceable, and that you know who accessed it and when.
- Enable one-click compliance reporting. Automated processes come with the extra benefits of being consistent and repeatable, with predictable outcomes for similar actions and tests, and they can be automatically logged and documented. Since DevOps spans your entire pipeline, it can provide traceability from code change to release. If you have a DevOps system you can rely on, auditing becomes much easier. As you’re automating things, from your build, test cycles, integration cycles, deployment, and release processes, your DevOps automation platform has access to a ton of information that is automatically logged in great detail. That, in effect, becomes your audit trail, your security log, and your compliance report, all produced automatically, with no manual intervention or requirement to spend hours backtracking your processes and actions to produce the report.
- DevSecOps enables organizations to achieve speed without risking stability and governance. Security and compliance controls should be baked in as an integral part of DevOps processes that manage the code being developed all the way through to production. By implementing DevOps processes that incorporate security practices from the start, you create an effective and viable security layer for your applications and environments that will serve as a solid foundation to ensure security and compliance in the long run, in a more streamlined, efficient, and proactive way.
This article appeared first at Electric Cloud on 02/17/2016 and was reposted by Your Daily Tech with permission by the author.
Anders Wallgren is chief technology officer at Electric Cloud. Anders has over 25 years’ experience designing and building commercial software. Prior to joining Electric Cloud, he held executive positions at Aceva, Archistra, and Impresse and management positions at Macromedia (MACR), Common Ground Software, and Verity (VRTY), where he played critical technical leadership roles in delivering award winning technologies such as Macromedia’s Director 7. Anders holds a B.SC from MIT.