When DevOps And SecOps Collide: How To Improve Collaboration To Enable Agility
Source – forbes.com
There are two kinds of companies today: the ones that are in the cloud and the ones that will be in the cloud. The gravitational pull of agility, cost and resource management cannot be resisted. Today's digital transformation is pushing companies around the world to increase performance and drive more output. The rush to harness new digital technologies often results in enthusiastic business owners taking initiatives straight to the cloud, which puts DevOps and SecOps at odds: application developers can provision their own environments and sidestep the IT service managers who work alongside the security team.
It's the latest round in the bout between application developers and security, or, more precisely, between security and business agility. Developers are often accused of not considering security and compliance in their projects, while security teams are criticized for being barriers to cloud migration. Yet IT security is a business enabler when it is integrated into the continuous deployment pipeline that defines modern DevOps, rather than bolted on as a gate at the end. As organizations embrace virtual cloud environments, it's imperative that SecOps and DevOps teams work together. To maintain transparency and foster a healthy, collaborative working relationship, a few key measures must be put in place for both teams to follow:
Inclusion: Cloud architects need to bring security into the design process early, so that environments are built to security best practices and virtual machine images are hardened to an accepted baseline such as the CIS Benchmarks before they are deployed, not audited afterward. Cloud architects should also adopt a secure software development life cycle so that security defects in code are found and fixed as part of the continuous development process.
Flexibility: Security teams need to understand how microservices and containers change the attack surface of a cloud deployment and be open-minded about the process. This is a completely different architecture from the three-tiered data center model they have protected in the past. Small, single-purpose, short-lived components expose fewer services per host and are easier to rebuild than long-lived servers, so the surface available to a threat actor can genuinely shrink; at the same time the container runtime, orchestration layer and shared host kernel become new things to protect, and there are fewer mature security tools on the market for building a strategy around them.
Understanding: The app development team must recognize the security and compliance standards that the organization is obligated to meet (e.g., PCI DSS, HIPAA) and ensure their cloud deployments are designed to satisfy them from the start.
Progression: The app development team should adopt a secure software development life cycle that includes both static and dynamic testing of their applications for security flaws, with static analysis running on every build and dynamic testing running against deployed test environments.
Adoption: Security and development teams should embrace an agile DevOps/automation framework that is a win-win for both teams. Releasing on a fixed cadence, for example every two weeks, gives security teams a predictable window to introduce patches into the continuous delivery model; because each release redeploys from freshly patched images rather than patching long-lived hosts in place, it also disrupts any foothold a threat actor has established in the environment.
While these steps may seem minor, their implementation can help bring these teams together and identify security and compliance issues early. Given that many breaches trace back to application vulnerabilities and unpatched systems, collaboration between DevOps and SecOps is critical. New technology brings new opportunities for growth and change, but to realize those opportunities, DevOps and SecOps teams must make fundamental changes in how they do business; otherwise, they risk leaving security gaps as their organizations pursue cloud initiatives.