Security from the start: Using DevOps for secure collaboration
- By Bill Annibell
- May 23, 2016
The 21st century has ushered in the age of software. Beyond being used to develop applications, software now defines how we interact with hardware resources within the private cloud and our own datacenters, networks and infrastructures. The speed at which systems and applications can be deployed is inhibited only by our own organizational cultures.
An overarching approach that emphasizes lean principles, collaboration and communication among various IT and business staff, DevOps heavily automates software delivery and infrastructure changes. Considered a path and not a destination, DevOps is now becoming an option for government agencies to execute effectively and efficiently.
Although rugged security was established as one of the original pillars of the DevOps process, cybersecurity is rarely discussed as part of a DevOps transformation initiative. The increasing rate of data breaches indicates that security is still often bolted on after deployment rather than integrated into the development, operations and maintenance processes. However, organizations can move from a reactive to a proactive security posture by including it in all aspects of the development and operations processes.
First, DevOps at its core attempts to ensure development and operations teams are in lockstep and understand the challenges each team faces at any given point in time. DevOps principles allow an organization to bridge the traditional gap between security and the combined development and operations teams. By including the security team in these conversations, each group not only becomes more aware of security concerns and challenges, but all teams -- dev, ops and security -- become ultimately responsible for ensuring security is prioritized.
Second, DevOps provides efficiencies by automating the deployment processes across development, integration, staging and production environments. Gone are the days of manually configuring servers, which was not only painfully slow but often fraught with errors with significant security implications. By leveraging automation tools, DevOps takes advantage of software-defined infrastructure and allows for the deployment of resources in a predictable and auditable manner.
Some organizations have completely disabled remote configuration sessions to servers, ensuring that infrastructure resources remain consistent across environments and that production servers remain off limits to humans. The patching process can now be automated and audited to ensure strict configuration management of resources. More mature DevOps organizations have stopped patching production servers live altogether. They deploy new and patched production resources in parallel, migrate services when ready and take the old production resources offline when appropriate.
Third, automation of the build process provides a huge opportunity to include automated security scans throughout the systems development life cycle. Static code analyzers that scan source code prior to integration can be automated as code is committed to the repository regardless of the frequency. Daily or even hourly builds can be scanned post-integration by dynamic application security testing scanners to identify vulnerabilities earlier in the process. The automated security scans ensure issues are addressed immediately when found, keeping the cost of mitigating security flaws far lower than finding them at the end of the development process.
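The scan gate described above, as an added example that is not from the article: a small Python policy check that a CI job would run after the static analyzer (on every commit) or the dynamic scanner (on the daily or hourly build), failing the job immediately when findings at or above the stage's threshold appear. It assumes both scanners emit SARIF 2.1.0, and the stage policy, tool names and sample findings are constructed for illustration.

```python
import json
import sys

# Gate policy per pipeline stage (assumed, not the article's): the per-commit SAST
# gate blocks only on "error" so it stays fast and low-noise; the scheduled
# post-integration DAST gate also blocks on "warning" because it judges a build
# that is otherwise ready to promote.
BLOCK_LEVELS = {"commit": {"error"}, "post-integration": {"error", "warning"}}

def load_findings(sarif_text):
    """Flatten a SARIF 2.1.0 log into dicts of tool, rule, level and location."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            where = "n/a"
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "n/a")
                line = phys.get("region", {}).get("startLine")
                where = f"{uri}:{line}" if line else uri
                break  # first location is enough to point the developer at it
            findings.append({"tool": tool, "rule": result.get("ruleId", "?"),
                             # SARIF defaults a missing level to "warning"
                             "level": result.get("level", "warning"), "where": where})
    return findings

def gate(sarif_text, stage):
    """Return (passed, blocking_findings) under the stage's policy."""
    blocking = [f for f in load_findings(sarif_text) if f["level"] in BLOCK_LEVELS[stage]]
    return len(blocking) == 0, blocking

def sarif_doc(tool, results):
    """Wrap constructed results in a minimal SARIF envelope (sample data only)."""
    return json.dumps({"version": "2.1.0",
                       "runs": [{"tool": {"driver": {"name": tool}}, "results": results}]})

# Constructed sample scanner output: one SQL-injection error, one hard-coded-secret warning.
SAMPLE_SAST = sarif_doc("example-sast", [
    {"ruleId": "sql-injection", "level": "error", "message": {"text": "query built from input"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                         "region": {"startLine": 42}}}]},
    {"ruleId": "hardcoded-secret", "level": "warning", "message": {"text": "literal API key"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/cfg.py"}}}]},
])

if __name__ == "__main__":
    stage = sys.argv[1] if len(sys.argv) > 1 else "commit"
    passed, blocking = gate(SAMPLE_SAST, stage)
    for f in blocking:
        print(f"[{stage}] BLOCK {f['tool']} {f['rule']} ({f['level']}) at {f['where']}")
    sys.exit(0 if passed else 1)  # a non-zero exit fails the CI job on the spot
```

In a real pipeline the SARIF text would be read from the scanner's output file rather than the embedded sample, and the non-zero exit is what stops the commit from being integrated or the build from being promoted.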
Finally, DevOps mandates visibility and transparency through regular monitoring and reporting of activities that are enhanced by the auditability of each automated process. By including security monitoring and reporting with development and operations, organizations will gain -- possibly for the very first time -- a single view of their environments. With this unified view, reporting mechanisms can inform each other, enabling the sharing of core information across the development, operations and security teams. This ensures security is a shared responsibility and will result in quicker response times and proactive identification of security vulnerabilities before they are exploited.
Coupling security with the foundational collaborative elements of the DevOps framework, government agencies can work more efficiently and effectively. Incorporating security from the start, DevOps can play an essential role in securing and aligning IT systems and processes.
Bill Annibell is the Chief Technology Officer for Sapient Government Services.