Interview: John Martinez of Evident.io on DevOps and Cloud Security

John Martinez is the VP of Security Success at Evident.io, a cloud security and compliance company. The lack of security in DevOps is problematic, and companies like Evident.io are there to help. DevOps must gravitate towards DevSecOps if enterprises want to maintain success going forward.

“Our mission is to ensure that our customers have security success with our platform and in their cloud security endeavors. Part of our team is a solution engineering team that helps customers automate around our platform.”


What do you think are the biggest risks to the cloud?

There are a lot of issues around misconfigurations of cloud resources. The level of scale has exacerbated the problems. We still need to pay attention to the basics of cloud adoptions. Things like S3 bucket configurations, EC2 security group configurations. So, the basic stuff is still an issue. I can lose all of those things; they become needles in the big haystack of cloud adoption. We still see a lot of that in our customer base. We guide our customers towards tight infrastructure security. The answer is visibility and scale.

Why do you think a lot of DevOps teams have chosen to overlook security, or at least put it on the backburner?

This is one of my pet peeves and an area I love to speak on. I think it’s a cultural issue for sure. It’s speed versus security. It’s the kind of thing where, as a DevOps person, you’re charged with deploying the platform and product at scale and at speed. A lot of teams have chosen the path of “the security guys are about slowing me down, they don’t understand the cloud, they don’t understand DevOps. I’ll bring them along when it’s important, when I need compliance checks, I’ll worry about it then.” That’s really at the crux of why DevOps doesn’t include security initially.

What can security teams do to be more agile?

It’s not a technology problem, it’s a cultural problem. Security needs to be a part of the business. Yes, they oversee making sure the company isn’t breached. They’re in charge of the aspects of zero trust, or some trust, or complete trust. They need to be brought along and made aware that DevOps teams are charged with the speed of business, and they need to keep up with this speed. It needs to be a cross-pollination between the teams.

DevOps is absolutely thriving in automation and high-speed releases. Security is tasked with securing the kingdom. There needs to be a cultural shift bringing them together. Security teams need to be much better at giving DevOps teams more visibility. This will allow them to embed security practices into DevOps. Let the security team teach the DevOps teams what they should look for. Let both teams train each other on what to look for and how to better help each other.

There needs to be more than a cultural shift between the teams, though. Management needs to create mandates where organizations make security in DevOps a priority. That way you’ll have both speed and security for the released product. It starts at the management level.
