
How to use DevSecOps to smooth cloud deployment

Jason McKay, SVP and Chief Technology Officer, Logicworks | March 9, 2016
At the start of a DevOps cloud adoption project, there is usually some friction between security and development teams. It can take an enterprise months, even years, to fully integrate security teams into faster development cycles—time that enterprises cannot afford. The solution? DevSecOps, a set of practices designed to bring security teams up to speed and leverage new ways to protect clouds.

This vendor-written tech primer has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

The good news is that enterprises are already building the tools and processes security teams need to succeed. Here are five tips to help you integrate the DevOps and security teams:

1. Identify the challenge. When DevOps processes are limited to a single business unit or team, maintaining security practices is fairly simple. The problem comes when the entire security organization -- that has likely been exposed sporadically to DevOps -- is expected to develop new company-wide processes and standardize security methodologies.

Here’s what typically happens when you apply old security processes to DevOps teams: The central security organization develops cloud-specific security documentation and inserts themselves at various stages of the sprint (often the testing phase). This involves manually ensuring that cloud resource configurations meet specifications. And it takes weeks from identifying a new cloud security vulnerability to documenting the fix to deploying the fix, creating delays and slowing deployment.

It is easy to see that the culprit in this scenario is manual security work. When operations builds systems manually, they do manual network and configuration work, which has the potential for errors and therefore must be manually checked. When security teams identify a problem, they must manually document the solution, which must then be manually deployed, instance by instance, in your environment. This burns hours that security teams should be spending on more valuable efforts.

2. Expose security teams to DevOps early. Once the security organization has identified the challenge -- or is already feeling the repercussions of slow security services -- the next step is education. Security teams need to be exposed to DevOps technologies and methodologies, which in turn leads to a period of learning about cloud development and deployment tools.

The light bulb goes off when security teams realize that DevOps tools -- like configuration management -- can actually be used to improve governance. In fact, before configuration management tools like Puppet and Chef were used to automate deployment pipelines, they were used by security professionals to implement and guarantee security configurations on servers. Witnessing the power of declarative configuration languages resonates with security professionals by providing new and exciting solutions to their daily tribulations.
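To make the point about declarative configuration concrete, here is an added example that is not from the article or from Logicworks: a small Python desired-state enforcer that does, in miniature, what Puppet or Chef do for a security baseline. The baseline values and the sample sshd_config are constructed for illustration. A security team declares the required directives once; an audit pass reports drift without touching anything (the equivalent of a no-op run), and an apply pass converges the file and is idempotent, so running it again changes nothing. That is the property that replaces the manual, instance-by-instance checking described above.

```python
"""Declarative security baseline as a tiny desired-state enforcer.

Added example, not code from the article or from Logicworks. It imitates
the core behaviour of a configuration-management tool: declare the desired
state once, audit hosts for drift, converge them idempotently.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Desired state, declared once (assumed baseline; values are constructed).
SSHD_BASELINE: dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
}

# Constructed sample of an sshd_config as found on a drifted host.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed)
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
"""


@dataclass(frozen=True)
class Drift:
    """One directive that deviates from the baseline."""
    key: str
    expected: str
    actual: str | None  # None means the directive is absent (daemon default applies)


def parse_directives(text: str) -> dict[str, str]:
    """Return effective 'Key value' directives, skipping blank and comment lines.

    sshd honours the first occurrence of a directive, so the first one wins.
    """
    found: dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)", stripped)
        if m and m.group(1) not in found:
            found[m.group(1)] = m.group(2).strip()
    return found


def check(text: str, baseline: dict[str, str]) -> list[Drift]:
    """Audit mode: report every baseline directive the file does not satisfy."""
    actual = parse_directives(text)
    return [Drift(k, v, actual.get(k)) for k, v in baseline.items() if actual.get(k) != v]


def apply(text: str, baseline: dict[str, str]) -> str:
    """Converge the file to the baseline.

    Active directives are rewritten in place (commented-out ones are left
    alone), missing ones are appended. Applying twice yields the same text.
    """
    remaining = dict(baseline)
    out: list[str] = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(.+)", line)
        if m and m.group(1) in remaining:
            key = m.group(1)
            out.append(f"{key} {remaining.pop(key)}")
            continue
        out.append(line)
    if remaining:
        out.append("# managed by security baseline")
        out.extend(f"{k} {v}" for k, v in remaining.items())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for d in check(SAMPLE_SSHD_CONFIG, SSHD_BASELINE):
        print(f"DRIFT {d.key}: expected {d.expected!r}, found {d.actual!r}")
    converged = apply(SAMPLE_SSHD_CONFIG, SSHD_BASELINE)
    print("drift after apply:", check(converged, SSHD_BASELINE))
    print("idempotent:", apply(converged, SSHD_BASELINE) == converged)
```

The audit/apply split is the part security teams tend to find valuable: the same declaration that remediates a host also serves as continuous evidence of compliance, because a clean audit run is a machine-checkable statement that the baseline holds.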
