Before DevOps dramatically transformed the application development process, a typical application development scenario went like this: Application developers created their application, system or code and spun up their accompanying server, and then submitted an access request or firewall configuration change to the security team, which would then take weeks to complete. Developers were used to working on a six-month release cycle, so the long lead time between submitting a request to the security team and having that request fulfilled wasn’t much of an issue.
Today, however, we’re operating in a different environment entirely. In the world of DevOps, the six-month release cycle has been replaced by continuous delivery, and cloud computing has made it possible to deploy applications, systems, code and servers in a matter of minutes, not months. While this is a major win for DevOps and business teams, it’s a challenge for security teams that are still relying on manual processes that just can’t keep up with the pace of development, deployment and change.
This new world has created friction between DevOps teams, which prioritize speed-to-market, and security professionals, who must ensure that new applications and systems comply with security policy, regardless of the time it takes. Viewing security as a “roadblock” to application and system deployment, many developers are circumventing security teams and deploying their apps and systems without the proper security policies and access controls in place. Rather than helping the business, though, this has in many cases led to an increased risk of cloud data breaches, leaky storage buckets, unauthorized access to personally identifiable information and compliance failures.
This disconnect between DevOps and security teams has left many organizations struggling with two distinct challenges:
- Ensuring DevOps processes aren’t introducing unnecessary risk, and
- Ensuring the proper security policies are in place without slowing down DevOps processes.
The DevSecOps Model is Born
To reconcile the tension between DevOps, business and security teams, many organizations are turning to a DevSecOps model, which fully integrates security teams into the DevOps process from the start, so they can embed security functions and controls throughout the application development cycle. This enables security to become an impactful contributor to the DevOps workflow, rather than being a roadblock or an afterthought. And, most importantly, it allows organizations to benefit from DevOps advancements without introducing security and compliance risk.
Ensuring security is prioritized at the beginning of any DevOps initiative is a great start. But, there’s still the challenge of making sure security moves at the speed of DevOps, so development and deployment times aren’t delayed. Automation can help here. By automating policy management and security capabilities, security teams can ensure the right access controls are automatically applied to applications based on pre-defined business, security and compliance intent – regardless of how they change or move. Manual rule-writing becomes a thing of the past. And, the ability to automatically generate rules in this way not only helps the speed of security align with the speed of DevOps, but it enables “self-service” security, where DevOps and business leaders can grant user access when needed, while remaining within the confines of defined security and compliance policies.
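As an added example (not code from the original post), here is what intent-driven rule generation and a self-service access check can look like: rules are derived from workload labels, and a compliance intent overrides any tier-level flow. The tiers, data classes, workload names and the INTENT structure are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    tier: str         # "web", "app" or "db"
    data_class: str   # "public", "internal" or "pci"
    ports: frozenset  # ports the workload actually listens on

# Business, security and compliance intent, declared once (constructed example).
INTENT = {
    "allowed_flows": {("internet", "web"), ("web", "app"), ("app", "db")},
    "no_internet_for": {"pci"},   # compliance rule that overrides any tier flow
}

# Constructed inventory; labels come from deployment metadata, not IP addresses,
# so a workload that moves or scales keeps the same derived rules.
WORKLOADS = [
    Workload("shop-web", "web", "public", frozenset({443})),
    Workload("orders-api", "app", "internal", frozenset({8080})),
    Workload("cards-web", "web", "pci", frozenset({443})),
    Workload("cards-db", "db", "pci", frozenset({5432})),
]

def evaluate_request(src_tier, dst, port):
    """Self-service check: returns ("allow"|"deny", reason) for one requested flow."""
    if (src_tier, dst.tier) not in INTENT["allowed_flows"]:
        return "deny", f"flow {src_tier}->{dst.tier} is not part of declared intent"
    if src_tier == "internet" and dst.data_class in INTENT["no_internet_for"]:
        return "deny", f"{dst.data_class} data may not be exposed to the internet"
    if port not in dst.ports:
        return "deny", f"{dst.name} does not expose port {port}"
    return "allow", "within declared intent"

def generate_rules(workloads):
    """Derive the allow list from labels; every candidate is checked against intent."""
    rules = []
    for src_tier in sorted({src for src, _ in INTENT["allowed_flows"]}):
        for dst in workloads:
            for port in sorted(dst.ports):
                decision, _reason = evaluate_request(src_tier, dst, port)
                if decision == "allow":
                    rules.append((src_tier, dst.name, port))
    return rules

if __name__ == "__main__":
    for rule in generate_rules(WORKLOADS):
        print("allow %s -> %s:%d" % rule)
    print(evaluate_request("internet", WORKLOADS[2], 443))
```

Note that the PCI-labelled web workload gets no internet rule even though its tier would normally allow one, which is the point of expressing compliance as intent rather than as hand-written exceptions.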
DevSecOps: People, Processes and Technologies
Perhaps the most important thing to remember in your journey is that successful DevSecOps is founded on the people taking part in the process and on the company culture. Organizations must foster a culture of respect among all contributing teams – from DevOps and the business, to security and compliance. Each department must understand the goals of the other DevSecOps participants. And all groups must work together to align DevOps, business, security and compliance intent. When this happens, different departments within the organization will work together in a common process, to achieve a common goal: leveraging next-generation technologies to seize new business opportunities, without introducing security and compliance risk. Last, but certainly not least, intelligent automation technologies can help organizations achieve business innovation faster and more securely. And security at speed and scale is a win for all parts of the business.
*** This is a Security Bloggers Network syndicated blog from RSA Conference Blog authored by Paul Anderson. Read the original post at: http://www.rsaconference.com/blogs/the-devsecops-journey-achieving-security-at-speed-and-scale