Continuous delivery of software and applications is one of the most significant advancements that has taken place in the computing industry in the past 25 years. It is catching on so fast that you can now hear the death rattle of the 18-month software delivery cycle. The rise of cloud computing infrastructures — both in corporate data centers and infrastructure-as-as-service providers (IaaS) such as Amazon Web Services (AWS) — is powered by agile software development teams using orchestration tools like Puppet and Chef to decouple application development from the infrastructure, adding speed and agility to the enterprise.
Just as enterprise computing is having its DevOps moment, though, much of the security profession has woken up to the fact they are mired in the traditional infrastructure and silo approach. When everything in computing is dynamic, distributed, heterogeneous, and hybrid (i.e., alive), security that is bonded to static infrastructures like the network — an architecture based on hierarchies and chokepoints — appears out of sync with the new reality. If you are a security professional, continuous delivery and agile development is your future.
Consider the traditional approach to securing applications. Development creates a new app and then passes it over to the infrastructure team, which then onboards it to server, storage, and networking platforms. When that is complete, the security team comes in to protect it so employees, partners, suppliers, and customers can use it securely.
The organizational “fences” among these teams can leave security practitioners with poor visibility into how an application is constructed from a security perspective. It may start with limited or no documentation of how an application communicates among its various components as well as its various user groups. This causes risk challenges for IT in several ways:
• The handoffs among the various IT teams increase the operational overhead related to security and drive opaqueness among them. This means deployments are delayed, which creates pressure on security teams to meet schedules related to the business.
• More “cooks in the kitchen,” as it relates to the application development cycle, can increase the “attack surface” available to hackers by leaving ports on physical or virtual servers open or ignored by traditional perimeter security technologies.
• Any changes in applications (patches, updates, etc.) will have ripple effects for security teams trying to keep up, which must revisit the impact to both the application as well as the infrastructure.
What would happen if security became part of the development process from day one? What would happen if security adapted to a more fluid, continuous delivery world?
The good news is that security is evolving. Gartner has outlined how new Adaptive Security platforms are emerging that treat security protection as a continuous process, mirroring the changes in application development and software-defined infrastructures. Rather than bringing “batch” updates to firewall rules or IDS/APT systems, new adaptive security approaches can both streamline data center security processes as well as reduce the friction among various IT constituencies.
For security to flourish in the age of continuous delivery, it must meet the following requirements:
1. Security policy must be embedded into the application development cycle at inception. This means developers must co-join with infrastructure and security teams to create and instrument policy when they are creating new apps. Just as continuous delivery dissolves the barriers between developers and infrastructure, security will be the next silo to go.
2. Enforcement of security policies must move and adapt with the continuous delivery approach. If new applications are moved between private clouds and IaaS environments, security must move with the applications.
3. Thus, security must be decoupled from infrastructure to support the distributed and fluid nature of continuous, on-demand applications and supporting infrastructures. This provides an added benefit of being able to dynamically add resources on-demand, including security
4. Finally, as Gartner notes, security must offer detective, preventive, responsive, and predictive capabilities that adapt with changes in the threat environment and provide transparency to the various IT constituencies involved.
While the leadership of the security team in protecting a company’s IP and assets will never go away, the responsibility increasingly must become part of the mission for other IT groups. Perhaps Robert Frost did not have it quite right: good fences do not make good neighbors.