Extending the DevOps Model to Achieve Operational Excellence and Improved Security

The DevOps movement seeks to improve the integration of development and operations teams with the ultimate goal of accelerating the delivery of critical applications. Traditionally, these teams have been at cross-purposes because their goals compete: developers want to add more features to their applications while operations teams want to ensure stability, which means LESS change.

But as we all know, in a grueling 24x7, global business environment, change is fairly constant. While new features and functionality need to be churned out faster, stability and availability of critical applications must be at 99.999% or better. It’s the reality for those organizations that want to stay competitive. Hence, we have the DevOps movement, driving development and operations teams to work more closely together. This improved collaboration should not stop here though… what about security?

Traditionally, security has been viewed by these teams as a bottleneck because security, by its nature, adds checks to the process of making changes and pushing out new capabilities. But I think most would agree that security, especially considering the rising volume and sophistication of cyber-attacks, is a vital component of a successful organization. So the question becomes… how can we maintain or even improve security, while continuing the movement of increased agility?

By incorporating security into the DevOps model, organizations can attain that improved agility and operational excellence while also improving the necessary checks and balances before changes are pushed into production. As more organizations look to add next-generation infrastructure and move from physical data centers to private/hybrid clouds, the integration of security with DevOps becomes even more important. Let’s examine how to integrate security into DevOps by looking at the three C’s:

Collaboration - Collaboration between three disparate, yet linked teams is important, especially when considering the process for making security changes. Instead of working in silos, if all of the key stakeholders understand and are involved in the change process from the beginning, you can ensure the proper checks and balances and provide the proper visibility from all angles (i.e. application connectivity needs, security and compliance checks, and broader network requirements). Improving the collaboration between these teams not only enables a more secure and agile network environment, but also provides opportunities to examine other strategies to further improve the business. Automating more processes can aid in forcing collaboration – as well as communication, which we’ll look at next.

Communication - According to a recent survey of approximately 620 enterprise engineers conducted by RebelLabs, traditional IT Ops teams require 41% more time for communication and 26% more time for firefighting than DevOps-oriented teams. They also spend less time on task automation and infrastructure improvements. Communication obviously is tied tightly with collaboration – it is hard to have one without the other. Nowhere is this more readily apparent than in the security change process, where an application owner may request a connectivity change, network operations must process the change and security must ensure the change is made in a secure manner that doesn’t create new risk.

Co-ownership - The DevOps model embeds each team more into the fabric of the other. Developers shouldn’t simply throw code over the fence to operations to push into production and operations shouldn’t stay away until code is ready to be implemented in a production environment. The same goes for infosecurity. The information security team should be involved with the developers from the start to make sure the application code is secure and with operations to ensure that changes pushed into the network don’t create new risk. Sharing the responsibility across these teams facilitates teamwork and helps improve the process around publishing new functionality as well as demonstrating compliance, security enforcement, and operational efficiency.

Agility is the name of the game, and it shouldn’t stop at DevOps.

Nimmy Reichenberg is the VP of Marketing and Strategy for AlgoSec, a solution provider for Network Security Policy Management. Nimmy began his career as a security software engineer and has spent the last 10 years working with organizations across the world to address their security needs, focusing mainly on mobile device management and network security. He holds a B.Sc. in Computer Science and an MBA from Tel Aviv University.