BOSTON -- Despite fears about intangible machines and lack of human touch, DevOps maturity in the cloud can bring IT security benefits, but only when overseen by one of the few people with the right skill set.
That topic was among the discussions at a security roundtable here this week, which also included how software abstractions in the cloud can clarify the security picture, rather than obscure it, and how software-defined and automated resources can provide stronger security than air-gapped, hands-on physical infrastructure.
For example, Amazon Web Services' CloudTrail lets IT pros see when a machine was provisioned, when a user account was created, how permissions were altered at a granular level, when the user account was logged into and when cryptographic keys were issued, among other details about every deployment.
"There are a lot of metadata asset tag changes that indicate ... whether [an action] was employee activity or if [the system] was externally compromised, so I might like to have that information on record," said Sven Skoog, information security officer at Monotype Imaging Inc., a design firm in Woburn, Mass.
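As an added illustration of the record-keeping Skoog describes (this is example code written for this page, not from the article or from any vendor named in it), the snippet below reads CloudTrail-style records and sorts them into the five kinds of event the roundtable mentioned, then separates activity from inside an assumed corporate address range from activity that came from elsewhere. The `Records` wrapper, the top-level field names and the `eventName` values follow CloudTrail's published log format; the account names, IP addresses, timestamps, the `10.20.30.0/24` corporate range and the rule for what to flag are all constructed assumptions.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records. Field names follow the CloudTrail schema; every
# value (users, IPs, times) is made up for illustration.
SAMPLE_EVENTS = [
    {"eventTime": "2015-06-10T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"type": "IAMUser", "userName": "ops-bob"}},
    {"eventTime": "2015-06-10T14:05:47Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"type": "IAMUser", "userName": "ops-bob"},
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventTime": "2015-06-10T14:06:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"type": "IAMUser", "userName": "ops-bob"},
     "requestParameters": {"userName": "svc-deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2015-06-11T03:17:29Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"}},
    {"eventTime": "2015-06-11T03:18:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
     "requestParameters": {"userName": "svc-deploy"}},
]

# A CloudTrail log file is a JSON object with a "Records" array; build one
# from the constructed events so the parser below sees realistic input.
SAMPLE_LOG_TEXT = json.dumps({"Records": SAMPLE_EVENTS})

# Assumed corporate egress range (constructed). Activity from elsewhere is not
# proof of compromise, but it is the first split an analyst wants to make.
CORPORATE_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# The kinds of record the roundtable called out, keyed by CloudTrail eventName.
CATEGORY = {
    "RunInstances": "provisioning",
    "CreateUser": "account_created",
    "AttachUserPolicy": "permission_change",
    "PutUserPolicy": "permission_change",
    "ConsoleLogin": "login",
    "CreateAccessKey": "key_issued",
}

# Categories worth a second look when they did not originate from inside.
REVIEW_IF_EXTERNAL = {"permission_change", "key_issued", "login"}


def load_records(text):
    """Parse one CloudTrail log file body into its list of records."""
    return json.loads(text)["Records"]


def is_corporate(ip):
    """True if the source address falls inside the assumed corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def classify(event):
    """Return (category, origin) for one record; unlisted events are 'other'."""
    category = CATEGORY.get(event["eventName"], "other")
    origin = "internal" if is_corporate(event["sourceIPAddress"]) else "external"
    return category, origin


def triage(events):
    """Count who did what from where, and list sensitive IAM changes,
    key issuance or logins that came from outside the corporate range."""
    summary = Counter()
    findings = []
    for ev in events:
        category, origin = classify(ev)
        summary[(category, origin)] += 1
        identity = ev["userIdentity"]
        actor = identity.get("userName", identity["type"])
        if origin == "external" and category in REVIEW_IF_EXTERNAL:
            findings.append(
                f"{ev['eventTime']} {actor} {ev['eventName']} from {ev['sourceIPAddress']}"
            )
    return summary, findings


if __name__ == "__main__":
    counts, flagged = triage(load_records(SAMPLE_LOG_TEXT))
    for (category, origin), n in sorted(counts.items()):
        print(f"{category:18s} {origin:9s} {n}")
    print("review:")
    for line in flagged:
        print("  " + line)
```

In the constructed sample the provisioning, account creation and policy attachment all come from the internal range and are attributed to a named employee, while the later console login and access-key creation by the newly created account come from an outside address and are the two records the routine surfaces for review. Real deployments would replace the address list with the organisation's own egress ranges and feed the function from CloudTrail's delivered log files rather than the embedded sample.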
So-called server huggers have long protested how software eats the IT world, and among the common objections is the idea that software abstractions are less secure than infrastructure that can be seen and touched.
However, companies that use firewalls have implemented software-based logical abstractions anyway, said Misha Govshteyn, co-founder and chief strategy officer for Alert Logic Inc., a security monitoring vendor in Houston.
Another Alert Logic staffer, chief security evangelist Stephen Coty, added that he previously worked for a service provider, and when acceptable-use alerts came in, he'd have to go investigate.
"Ninety-nine percent of the time, it was a false alarm," Coty said. "But that 99% of the time, nobody knew I was actually touching the box. With CloudTrail, you know."
DevOps maturity means hands-off security
Beyond the cloud, software automation and DevOps are ushering in a new era in which IT pros set and forget environmental configurations and allow machines to take over the work of managing and securing themselves. Isn't that more dangerous?
The answer from the security roundtable group was a resounding no.
"Security and configuration management have a heavy overlap," Skoog said.
Skilled DevOps pros will do a good job of packaging manifests and tearing down and rebuilding servers every few days, Skoog argued, and not doing so increases the risk of configuration drift, where systems may sit for months without being properly updated.
"There's a lot of argument that a dynamic DevOps cloud infrastructure fixes that in a way that a traditional on-premises environment does not," Skoog said.
One of the most expensive things an IT team does for systems management is patching, Govshteyn said.
"Contrast that with our data center infrastructure ... which our DevOps team has transformed into a set of Chef recipes and CloudFormation templates," he said. "That sounds like a management enhancement, but it's really a security enhancement ... it's no longer expensive to keep things up to date."
Searching for unicorns and shelling out cash
Security as code can provide great results, but getting to that level of DevOps maturity only increases the need for careful regression testing, which is easier said than done at many organizations today.
"You're at the mercy of testing, you're at the mercy of integration, and finding security defects should be part of QA [quality assurance]," Skoog said. Having separate processes for security and code quality testing "is something that's wrong with the industry as a whole."
Meanwhile, "that person [who] can do both security and DevOps is almost a unicorn," Govshteyn said.
It's rare to find dedicated security developers in any company, according to Govshteyn.
"This is a job function that we barely know exists -- it's very recent," he said. "Most developers aren't trained in this."
All of this portends increased spending on security staffing and other resources in the next few years, according to the CTO of another large Boston-based enterprise, who spoke in a separate interview this week.
"Like most large companies, if you took a look at our investments in cybersecurity, they're two, three, maybe four times larger on an annual basis than they were just a few years ago," said Mark Kirby, senior vice president and CTO of IT at Liberty Mutual Insurance.
Among the expenditures is the recent replacement of Liberty Mutual's identity management system, though Liberty Mutual officials declined to name either the product that had been used before or what replaced it.
"As a person, you show up differently in the software world," Kirby said. "You might have a Yahoo ID and a Facebook ID and a LinkedIn ID ... that's a big program for us internally."
Liberty Mutual has also invested in vaulting technology for updated secrets management in an increasingly software-defined world. The company also declined to disclose its vendor for this, but one example of such a product is HashiCorp's Vault.