Once considered cutting-edge, the agile DevOps approach is now mainstream among organizations seeking to deliver applications faster and with fewer operational issues. The industry results speak for themselves: the 2016 State of DevOps Report found that organizations that adhere strongly to agile DevOps spend 29 percent more time on new work (new features and code), deploy application updates 200 times more frequently, and have three times lower change failure rates. Clearly, DevOps principles, when correctly implemented, speed up development cycles and release times.
However, every operational model carries business risk, and agile DevOps is no different. The beauty of DevOps is that it moves quickly, rolling out frequent iterations of applications as needed. But in such a fast-paced environment, mistakes happen and things are overlooked, especially where the human factor is involved; that is simply a fact of life. The prevailing attitude is: don't worry, we can fix it quickly once we know about the issue.
Take, for example, the fact that application developers are measured on building products as quickly and efficiently as possible. In most cases they are not security experts, and frankly, nor should they be expected to be. Applying the appropriate security controls (encryption, secrets handling, key management) and making upfront decisions on security policy take not only research but also consultation with multiple stakeholders. All of this slows developers down and may force them to change their development approach, which runs counter to the entire DevOps practice.
Unless your developers are highly skilled and experienced in these areas, there is no simple way for them to satisfy these conflicting requirements: fully secure, yet quickly produced and optimized applications. With this in mind, it is no surprise that 79 percent of CIOs believe the speed of DevOps makes it more difficult to know what is trusted and what is not.
Bringing DevOps and InfoSec together to achieve true "Secure DevOps" (also referred to as SecDevOps or DevSecOps), and doing so efficiently at the speed of agile development, is difficult but necessary in order to gain the benefits of a robust and secure operating environment.
What are Secure DevOps Requirements?
The key is an end-to-end solution that spans the enterprise and secures applications and the critical data within them, no matter where they reside (on-prem or off-prem) or how the data is used. Ideally it is automated, so that security teams can be assured that all the appropriate security policies are applied whenever a VM or container spawns. Other DevOps security best practices include:
- Has no negative impact on business operations: delivery, performance, management, or security.
- Provides a complete security approach that protects both east-west and north-south traffic, covering data at rest, data in motion, and data in use.
- Can be deployed in any enterprise environment, including a DevOps environment built on private networks and data centers, public clouds, or hybrid environments, without significant infrastructure changes.
- Gives developers the DevOps security tools they need to continue their normal development approach while ensuring the security of production-level data.
- Allows developers of any skill level to quickly build secure applications with minimal effort and no formal training.
- Allows operations, including InfoSec teams, to work independently of developers, setting the appropriate security policies and changing them without involving development.
- Applies the organization's specific security policies programmatically to servers, virtual machines, and containers as they grow and scale.
- Offloads CPU-intensive security functions to improve application performance.
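As an added illustration of the automated, policy-driven enforcement described in the list above (and of taking secrets handling off the developer's plate, as discussed earlier), here is a small policy-as-code check that runs against a workload's launch spec before the container is admitted. This is example code written for this article, not part of any CSPi product; the `WorkloadSpec` fields, the rule names, the two sample specs and the `evaluate` helper are all assumptions made for the example.

```python
"""Policy-as-code admission check run when a container is about to start.

Added illustration only: the rule names, the WorkloadSpec fields and the two
sample specs below are assumptions made for this example, not any product's API.
"""
from dataclasses import dataclass, field
from typing import Optional
import re

# Env var names that suggest a secret is being passed in plain text.
SECRET_NAME_PATTERN = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)
# An image reference pinned by content digest rather than a mutable tag.
DIGEST_PATTERN = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass
class WorkloadSpec:
    """Minimal stand-in for a container/VM launch spec (assumed shape)."""
    name: str
    image: str
    privileged: bool = False
    run_as_user: Optional[int] = None                    # None: image default, often root
    env: dict = field(default_factory=dict)
    host_paths: list = field(default_factory=list)       # host directories mounted in


# The organization's policy is plain data, so InfoSec can change it without
# touching developer code; each key switches one rule below on or off.
DEFAULT_POLICY = {
    "require_image_digest": True,
    "deny_privileged": True,
    "require_nonroot_user": True,
    "deny_secrets_in_env": True,     # secrets come from a secret store, not env vars
    "deny_host_path_mounts": True,
}


def rule_image_digest(spec):
    if not DIGEST_PATTERN.search(spec.image):
        return f"image {spec.image!r} is not pinned by sha256 digest"
    return None


def rule_privileged(spec):
    return "privileged containers are not allowed" if spec.privileged else None


def rule_nonroot(spec):
    if spec.run_as_user is None or spec.run_as_user == 0:
        return "workload must declare a non-root run_as_user"
    return None


def rule_secrets_in_env(spec):
    # A *_FILE variable that points at a mounted secret is the accepted pattern,
    # so only flag names that look like they carry the secret value itself.
    leaked = sorted(
        k for k in spec.env
        if SECRET_NAME_PATTERN.search(k) and not k.upper().endswith("_FILE")
    )
    return f"secret-like env vars passed in plain text: {leaked}" if leaked else None


def rule_host_paths(spec):
    return f"host path mounts not allowed: {spec.host_paths}" if spec.host_paths else None


RULES = {
    "require_image_digest": rule_image_digest,
    "deny_privileged": rule_privileged,
    "require_nonroot_user": rule_nonroot,
    "deny_secrets_in_env": rule_secrets_in_env,
    "deny_host_path_mounts": rule_host_paths,
}


def evaluate(spec, policy=DEFAULT_POLICY):
    """Return (admitted, violations). Every enabled rule runs, so the developer
    sees the full list of problems at once instead of one per failed attempt."""
    violations = []
    for name, enabled in policy.items():
        if enabled:
            result = RULES[name](spec)
            if result:
                violations.append(f"{name}: {result}")
    return (not violations, violations)


# Constructed sample specs for the example (not real workloads).
RISKY_SPEC = WorkloadSpec(
    name="billing-api",
    image="registry.example.internal/billing-api:latest",
    privileged=True,
    env={"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
    host_paths=["/var/run/docker.sock"],
)

HARDENED_SPEC = WorkloadSpec(
    name="billing-api",
    image="registry.example.internal/billing-api@sha256:" + "ab" * 32,
    run_as_user=10001,
    env={"LOG_LEVEL": "info", "DB_PASSWORD_FILE": "/run/secrets/db_password"},
)

if __name__ == "__main__":
    for spec in (RISKY_SPEC, HARDENED_SPEC):
        ok, problems = evaluate(spec)
        print(f"{spec.name}: {'ADMIT' if ok else 'REJECT'}")
        for problem in problems:
            print("  -", problem)
```

The point of keeping the policy as data separate from the rules is the division of labour the list calls for: developers submit specs and get a complete, actionable list of violations back, while InfoSec edits `DEFAULT_POLICY` (or a per-environment copy of it) without touching or redeploying developer code. In a real deployment the same check would sit behind the orchestrator's admission hook so that nothing spawns without passing it.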
In CSPi's series of blog posts on Secure DevOps, we will explore how our ARIA™ software-defined security platform delivers these security best practices and helps companies achieve uncompromised enterprise-wide security. This new security approach essentially makes breaches irrelevant, while enabling today's organizations to truly achieve Secure DevOps with more rapid application delivery and optimized performance.