DevOps can -- when implemented successfully -- be a defining factor in how well technology supports a business....
Cascade and Waterfall IT projects tend to solve issues that were problems months or even years ago, but a true DevOps process -- particularly one that embraces CI/CD securely -- can result in rapid resolution of business issues.
There are still organizations that get DevOps -- and the role of security for DevOps -- wrong. Fortunately, it's an easily corrected misstep.
Some IT departments take DevOps at face value -- or, perhaps, name value -- believing it pertains only to development and operational teams. But DevOps must be carried out such that the business gains from it at all times.
The second reason some organizations fail is the integration of security in DevOps. It appears to DevOps adopters that there must be a separate, but intricately linked security group. This is a misconception as well.
Security must be baked in to the overall DevOps process; it cannot be bolted on between the development processes and the operations rollout. Such an approach leads to security issues and to a deceleration of the code's movement from development to operations -- the very thing that DevOps sets out to correct.
How modern IT teams defend deployments
What's required across a modern IT platform when it comes to security for DevOps? Some traditional notions about security no longer apply.
It isn't about device security -- each server, storage unit, switch and access point must be secure, but virtualization has removed the focus on physical devices. To base business security around physical security is a non-starter.
Challenge-response application and database security aren't the focus either. As organizations replace monolithic applications with distributed ones that consist of dynamic collections of microservices, such a simple approach to security is doomed to failure.
With containers and hybrid cloud, the majority of hardware or application breaches can be countered within minutes or hours with a suitable disaster recovery and business continuity plan.
Start a security strategy for DevOps organizations instead with the most important asset of any business. It's neither the buildings nor other hard assets, nor -- unfortunately -- the staff. The lifeblood of the business is information: analysis and extraction of knowledge from data.
How to handle data security for DevOps approaches
A successful modern IT group's role is to ensure that information security is a fundamental concern of the DevOps process.
Examine information flows to determine the best ways to manage them when the organization constructs new composite applications. The team might need to implement stand-alone services that distributed applications call on as necessary for security needs.
For example, an organization instates data loss prevention (DLP) services that prevent information types from crossing set perimeters. IT organizations should apply common data classification approaches within the DevOps process to make such DLP implementations simpler and less impactful on the flows of information. Zscaler, WatchGuard and Symantec are among the security tool vendors addressing data security for DevOps.
Implement encryption judiciously to avoid gumming up the DevOps works. The IT department cannot justify spending the money or devoting the ops resources to encrypt everything. Integrate encryption as a service with data tagging so that certain data types -- Commercial in confidence or Secret -- are automatically encrypted. Baffle is one of the security tool vendors encrypting data regardless of whether it is at rest, in use, in memory or otherwise. Its approach requires no direct changes to development code, which suits the DevOps methodology of rapid iteration on code, often by independent developers or groups.
Across a hybrid cloud platform, teams must accept that data and information aren't under the organization's direct control sometimes. Data might be held within a SaaS product or sent through to a partner, supplier or customer within the extended value chain.
Digital rights management (DRM) is a way to maintain control over information security in DevOps setups that have left the organization's own network to the public cloud. DRM is a service that defines information assets that must check back in with a centralized system to determine the necessary permissions for a recipient or user to access and use the asset in question. For example, if an email message reaches an unintentional recipient -- firstname.lastname@example.org, rather than email@example.com -- the centralized system finds that the recipient has no access rights to the information. Therefore, it can block or delete the message. This setup can be highly granular, such that a recipient can read a document but not forward, print or copy and paste from it. Vendors that provide this service include Adobe Primetime DRM, OpenText Rights Management and Fabasoft DAM.
The combination of DLP and DRM enables a fairly open flow of information, crucial to the velocity of DevOps aligned with business needs. Users need little to no education on how to use these systems, and information leaks and breaches are rectified more easily through centralized control of activity and access.
For healthy security in DevOps implementations, make it a priority to sit down and determine what must be in place to provide centralized information security services across all IT projects.