BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
DevOps is becoming a well-recognized concept in the IT industry today. The DevOps model was originally created to tighten relations between development and operations teams, in turn allowing for more efficient software delivery. And although many companies gain agility from DevOps, it also has its drawbacks -- especially when it comes to security.
In general, DevOps focuses on accelerating the delivery of applications, including those that will run in the cloud. But security is often an afterthought. Many organizations implement security at the end of the development process -- if at all. This bolt-on approach means security processes are not permeated throughout a service, therefore leaving the service vulnerable to a breach.
This gap between DevOps and security can be a major problem, but a concept known as rugged DevOps can help.
Implementing a rugged DevOps model for cloud
Rugged DevOps is an approach that injects security into DevOps processes early on. Similar to rugged software development, rugged DevOps provides a more defensible and secure structure without hindering continuous integration and application delivery. Organizations should embed secure coding into the roots of their DevOps processes.
Follow these five tips to adopt a rugged DevOps approach and improve cloud app security:
1. Automate manual security testing
Automation is key in DevOps because it enables accuracy and speed. Application delivery needs to be efficient and manual security testing just isn't fast enough. What's more, third parties often miss faults during external manual testing.
While organizations don't need to completely discard manual testing, they should bring automated processes to the forefront. Security teams should determine how to automatically implement their manual processes. When embedding rugged DevOps into your existing cloud environment, review security testing tools to make sure you can incorporate them into your continuous integration and application delivery process. Then, remove or replace any tools that aren't suitable for DevOps or can't integrate with your cloud operations.
2. Prioritize security earlier
Despite a large percentage of the IT industry adopting agile and DevOps processes, security testing cycles are still based on the traditional and cumbersome waterfall approach. This means many organizations forget to do security qualifications tests, such as PCI compliance checks and risk assessments, until it's almost too late. To more efficiently sync security and DevOps cycles, conduct security tests from the start of the development process.
3. Create cross-functional team participation
To implement rugged DevOps, security teams need to work more closely with development and operations teams. When doing so, security experts should keep an open mind to understand their colleagues' culture and language. This way, the relationship becomes a true partnership rather than a mechanical formality.
4. Embed security tools into operations
In a rugged DevOps model, security teams should expose security tools to the rest of the organization. By sharing technical knowledge, organizations will have a broader workforce that can solve security issues on the front line. To help small security teams extend their operational influence across larger DevOps organizations, put security tools in a general operations toolkit.
5. Monitor and audit integration processes
Tightly monitor and log integration and delivery processes to ensure high-quality software. This also helps identify security issues as they arise. Use granular change logs to have information ready for auditors, as well as scalable cloud security monitoring tools. These tools should be able to automatically track and measure newly added resources. In addition, they should aggregate monitoring data and quickly detect real issues, while eliminating false positives.
Netflix achieves rugged DevOps with FIDO
Netflix, the poster child for DevOps and cloud, offers an example of rugged DevOps. This year, the company released a new open source system called Fully Integrated Defense Operation (FIDO) that automatically coordinates assessment, evaluation and response to security threats. Netflix's system also compares event information to outside threat information on a targeted computer or network before deciding whether action is required, and what that action should be.
The industry's move to the cloud accelerated the move to DevOps, and is causing an amazing change in terms of automated and reusable application delivery. Security has become crucial as the largest enterprises in the world move to the cloud and deliver their services using agile and DevOps models. Organizations should handle security management just as they handle other aspects of service quality, including performance. Be sure to automate and streamline event simulations and tests throughout the integration and delivery process. This will ensure your end users enjoy a robust and secure cloud service.
Exploring the evolution of DevOps in the cloud
Cloud and DevOps require new IT mindset
Seven cloud security risks to avoid
Embrace DevOps to improve AWS security
Preparing for a DevOps interview
What role shouuld tools play in a DevOps initiative?