Why DevOps Needs Security During an Infrastructure Transition

by Pan Chhum on July 24, 2018

The rising popularity of DevOps practices in cloud infrastructure environments has allowed software teams to release work more quickly and efficiently than ever before, but is security top of mind? Data included in a new Pathfinder Report from 451 Research would suggest not.

According to data included in “Refocusing Security Operations in the Cloud Era,” 36% of businesses said their top IT goal over the next year is to respond to business needs faster, while 24% said it is to cut costs. In comparison, only 10.5% prioritized improving security as their top goal, coming in dead last among the options listed.

The problem seems to stem from the misconception that speed and security are mutually exclusive, where DevOps views security as a business decelerator rather than the stabilizing force it is. Baking security into DevOps processes early on through SecOps best practices, which we’ll review below, is the only way to build long-term sustainable infrastructure that will support your products and team as they move into the future.

This becomes especially true as organizations migrate to the public cloud, where agile development means that work can be released more quickly than it can be manually secured. Sacrificing security in the name of speed as you undertake an infrastructure transition opens your organization up to data breaches and the resulting reputational damage and financial loss, but SecOps best practices can help mitigate the risk.

Sponsorships Available

Integrating SecOps With DevOps

So what is SecOps, exactly, and what role can it play when successfully integrated with DevOps? Like DevOps, SecOps is a software development philosophy built on the principles of agility. SecOps also manages the acceleration of software versioning and improves the output of many programming teams, so DevOps need not fear it. SecOps simply adds a layer of security that wasn’t there before by automating crucial security tasks.

To do so, SecOps fosters a culture where security is the responsibility of everyone within the organization and where security is part of a proactive strategy rather than an afterthought. Strong communication between teams is prioritized to avoid a situation where security is siloed, and no team is slowing another down.

Finally, as organizations begin aligning security with DevOps, it will be critical to address the talent shortage within cybersecurity. According to 451 Research’s report, training existing staff to learn new skills is the most-preferred way among organizations for doing so. Employing SecOps practices is ideal for shoring up your workforce by developing in-house resources.

SecOps Best Practices

It’s clear that companies sharing plain-text passwords won’t start using centralized access controls overnight, but they can take steps in the right direction by letting go of time-consuming ad hoc processes and moving toward automation wherever possible. Here are some specific best practices to undertake in five areas of infrastructure:

1. System Access & Users
When it comes to system access and users, live by the principle of least privilege. In order to achieve true security maturity in this area, you will need to embed the principle into your tools and day-to-day processes, even if you have already modeled it into your policies. Systematically automating and verifying your user access policies allows you to reduce the risk of human oversight that could result in insider threats.

2. Patching & Vulnerability Management
Think patching is simple? Think again. According to the 2017 Verizon Data Breach Investigations Report, companies aren’t doing it with nearly enough regularity, giving attackers plenty of time to exploit vulnerabilities that are months (or even years) old. To catch vulnerabilities before cybercriminals do, your organization’s approach to patching should be automated, standardized, and resilient enough to withstand automatic software updates.

3. Infrastructure Control Plane (AWS Console/API)
APIs and management consoles are the functional equivalent of data center access when operating in the cloud. However, securing only your own data center in the cloud would leave your APIs exposed. Therefore, it’s necessary to evolve your security approach as you move to the public cloud by handling management consoles and APIs with the same level of sensitivity as you would a data center. This involves automating the shutoff of access to insecure or potentially compromised systems.

4. Networking
With environments that are more complex and interconnected than ever before, traditional network security controls are no longer cutting it. Currently, many security and operations teams are restricting access between systems with network topologies, but it’s necessary to group servers by roles instead and to leverage automation to establish small network paths to model trust between peers. Additionally, architecture should run over the WAN rather than LANs. SecOps maturity in this area, therefore, means modeling authentication and authorization and not simply relying on the underlying network topology to define security.

5. Runtime & Services
Considering that operations and security teams both benefit from the standardization of run times and software management, continuous integration, and streamlined software development life cycles, the alignment of goals should be relatively easy here. Once everyone is on the same page, infrastructure and runtimes can function as a shared utility, allowing engineers to innovate within these common structures. Applying the same principles across teams increases efficiency and helps to minimize the risk of failure.

Final Thoughts

As cyberthreats continue to grow unabated and infrastructure becomes ever more complex in the cloud, it’s more critical than ever that DevOps embrace security from the outset. SecOps aims to ease the pain of integrating security into development and operations by automating as many security tasks as possible, fostering communication between teams, and enabling development that remains agile while being secure.