
DevOps maturity bolsters IT security in the right hands

Software abstractions and automation may seem to muddy IT security waters, but with proper management, they can offer better visibility into an IT environment.

BOSTON -- Despite fears about intangible machines and lack of human touch, DevOps maturity in the cloud can bring IT security benefits, but only when overseen by one of the few people with the right skill set.

That topic was among the discussions at a security roundtable here this week, which also included how software abstractions in the cloud can clarify the security picture, rather than obscure it, and how software-defined and automated resources can provide stronger security than air-gapped, hands-on physical infrastructure.

For example, Amazon Web Services' CloudTrail allows IT pros to see when a machine was provisioned, when a user account was created, how permissions were granularly altered, when the user account was logged into and when cryptographic keys were issued, among other details about every deployment.

"There are a lot of metadata asset tag changes that indicate ... whether [an action] was employee activity or if [the system] was externally compromised, so I might like to have that information on record," said Sven Skoog, information security officer at Monotype Imaging Inc., a design firm in Woburn, Mass.

So-called server huggers have long protested how software eats the IT world, and among the common objections is the idea that software abstractions are less secure than infrastructure that can be seen and touched.

However, companies that use firewalls have implemented software-based logical abstractions anyway, said Misha Govshteyn, co-founder and chief strategy officer for Alert Logic Inc., a security monitoring vendor in Houston.

Another Alert Logic staffer, chief security evangelist Stephen Coty, added that he previously worked for a service provider, and when acceptable-use alerts came in, he'd have to go investigate.

"Ninety-nine percent of the time, it was a false alarm," Coty said. "But that 99% of the time, nobody knew I was actually touching the box. With CloudTrail, you know."
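As an added illustration, not from the article or from any of the vendors quoted, the Python below triages constructed CloudTrail-style records for the events Skoog describes (account creation, permission changes, key issuance, machine provisioning) and flags a new account that was created, granted a policy and issued a key within a short window, the kind of sequence an analyst checks against a change ticket rather than guessing whether it was employee activity. The field names are CloudTrail's own; the records, account names and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed CloudTrail-style records (sample data, not a real trail), using the
# field names every CloudTrail event carries.
def rec(time, source, name, who, ip, **params):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": who},
            "sourceIPAddress": ip, "requestParameters": params}

# Sample trail: an admin creates an account, grants it full rights and a key within
# a minute, and the new account then provisions a machine from another address.
SAMPLE_TRAIL = [
    rec("2016-06-01T13:02:11Z", "iam.amazonaws.com", "CreateUser", "alice", "203.0.113.10", userName="deploy-bot"),
    rec("2016-06-01T13:02:40Z", "iam.amazonaws.com", "AttachUserPolicy", "alice", "203.0.113.10", userName="deploy-bot", policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    rec("2016-06-01T13:03:05Z", "iam.amazonaws.com", "CreateAccessKey", "alice", "203.0.113.10", userName="deploy-bot"),
    rec("2016-06-01T13:10:00Z", "ec2.amazonaws.com", "RunInstances", "deploy-bot", "198.51.100.7"),
    rec("2016-06-01T13:11:00Z", "ec2.amazonaws.com", "DescribeInstances", "alice", "203.0.113.10"),
]

# The event kinds the article says CloudTrail puts on record: account creation,
# permission changes, key issuance, logins and machine provisioning.
WATCHED = {"CreateUser", "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey", "ConsoleLogin", "RunInstances"}
PRIV_STEPS = ("CreateUser", "AttachUserPolicy", "CreateAccessKey")

def timeline(trail):
    """Watched events only, oldest first: (time, actor, source IP, event, target user)."""
    return [(r["eventTime"], r["userIdentity"]["userName"], r["sourceIPAddress"],
             r["eventName"], r["requestParameters"].get("userName", ""))
            for r in sorted(trail, key=lambda r: r["eventTime"]) if r["eventName"] in WATCHED]

def new_users_with_keys(trail, window_minutes=15):
    """Target users created, granted a policy and issued a key within the window:
    the sequence an analyst would check against a change ticket or hand to IR."""
    seen = defaultdict(dict)  # target user -> {step: time}
    for r in trail:
        target = r["requestParameters"].get("userName")
        if target and r["eventName"] in PRIV_STEPS:
            seen[target][r["eventName"]] = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(user for user, steps in seen.items()
                  if len(steps) == len(PRIV_STEPS)
                  and (max(steps.values()) - min(steps.values())).total_seconds() <= window_minutes * 60)
```

Real trails arrive as JSON objects with a top-level `Records` list; feeding that list to these functions is the only change needed.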

DevOps maturity means hands-off security

Beyond the cloud, software automation and DevOps are ushering in a new era in which IT pros set and forget environmental configurations and allow machines to take over the work of managing and securing themselves. Isn't that more dangerous?

The answer from the security roundtable group was a resounding no.

"Security and configuration management have a heavy overlap," Skoog said.

Skilled DevOps pros will do a good job of packaging manifests and tearing down and rebuilding servers every few days, Skoog argued, and to not do so increases the risk of configuration drift, where systems may sit for months without being properly updated.

"There's a lot of argument that a dynamic DevOps cloud infrastructure fixes that in a way that a traditional on-premises environment does not," Skoog said.

One of the most expensive things an IT team does for systems management is patching, Govshteyn said.

"Contrast that with our data center infrastructure ... which our DevOps team has transformed into a set of Chef recipes and CloudFormation templates," he said. "That sounds like a management enhancement, but it's really a security enhancement ... it's no longer expensive to keep things up to date."

Searching for unicorns and shelling out cash

Security as code can provide great results, but getting to that level of DevOps maturity only increases the need for careful regression testing, which is easier said than done at many organizations today.

"You're at the mercy of testing, you're at the mercy of integration, and finding security defects should be part of QA [quality assurance]," Skoog said. Having separate processes for security and code quality testing "is something that's wrong with the industry as a whole."

Meanwhile, "that person [who] can do both security and DevOps is almost a unicorn," Govshteyn said.

It's rare to find dedicated security developers in any company, according to Govshteyn.

"This is a job function that we barely know exists -- it's very recent," he said. "Most developers aren't trained in this."

All of this portends increased spending on security staffing and other resources in the next few years, according to another large Boston-based enterprise CTO who spoke in a separate interview this week.

"Like most large companies, if you took a look at our investments in cybersecurity, they're two, three, maybe four times larger on an annual basis than they were just a few years ago," said Mark Kirby, senior vice president and CTO of IT at Liberty Mutual Insurance.

Among the expenditures is the recent replacement of Liberty Mutual's identity management system, though Liberty Mutual officials declined to name either the product that had been used before or what replaced it.

"As a person, you show up differently in the software world," Kirby said. "You might have a Yahoo ID and a Facebook ID and a LinkedIn ID ... that's a big program for us internally."

Liberty Mutual has also invested in vaulting technology for updated secrets management in an increasingly software-defined world. The company also declined to disclose its vendor for this, but one example of such a product is HashiCorp's Vault.

Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.


What else can DevOps maturity bring besides tighter security?

Better (faster) testing and faster feedback loops. Both from internal testing team and from early adopters.

One of the hallmarks of a mature agile team is increased transparency. The same is true of DevOps teams, except that this transparency covers much more area because it covers both dev and ops.

The Information Security Community on LinkedIn recently put out survey data showing that 46% of respondents state that security slows down DevOps, 31% say security and DevOps are "fully integrated" and 15% say security is ignored in the DevOps process. The full report is posted here: https://pages.cloudpassage.com/rs/857-FXQ-213/images/cloud-security-survey-report-2016.pdf

Good info Meredith (and good piece Beth). It can be argued that security slows down everything. This is usually due to poor implementation and weak executive buy-in. IT running (dictating) the show without any real cross-sectional management is never a good idea in terms of security.
