One of my favorite takeaways from this year’s AWS Summit NYC was the emphasis on security. Amazon’s CTO, Werner Vogels, exclaimed that security is everyone’s job. Secure software development should be a priority for any enterprise. Does this mean DevOps as we know it is dead? The DevOps culture has been flourishing across enterprises when it comes to more streamlined release schedules and faster releases. This isn’t enough though.
There have been countless examples of teams ignoring security features, not getting the right security tools, or excluding security teams. DevOps hasn’t been able to prevent the countless attacks against modern enterprises. Adding security needs to be a priority moving forward. Teams need to work together to create a proper gameplan, map out vulnerabilities, and make the right choices for tools.
The Pace of Innovation and the Pace of Security
Innovation is the word we all hear about constantly. Every technology company, politician, and car manufacturer wants you to think that they’re the next innovation that changes the world. Thus, enterprises are constantly looking for new innovations to improve business practices. This is great in theory, but most newer technologies can lack important security features without the proper approach. The pipeline needs to change as continuous integration and deployment are becoming a fixture for businesses.
Advances to development must coincide with security upgrades. One way this is possible is through automation. Sometimes, automation can be difficult to manage internally, so enterprises are turning to managed service providers (MSPs). These providers have experience with automation and sometimes work with other vendors to bring you the tools you need.
Creating a Gameplan
Teams that don’t have a solid gameplan when working towards DevOps will rush into creating new development pipelines without thinking about the security risks of increased attack surfaces.
Gameplanning is crucial in creating a successful IT culture. This can often be accomplished with the help of an MSP. Many have specific strengths in helping implement DevOps at any stage. Whether it comes in the form of collaboration, containers, or your personal preference, they can help you gameplan and understand what you need to improve.
Changing your entire IT culture without the help of an experienced team isn’t the best move. As much success as we hear about with DevOps, there’s also some difficulty. Maybe you’ve heard Netflix say DevOps is incredibly helpful and improved their technology practices tremendously, but you’re not Netflix. They took their time and built themselves into a behemoth. They certainly didn’t get where they are now by ignoring security features in favor of faster releases. Each enterprise is different and figuring out what works with first-hand experience can make an enormous difference.
Proper Collaboration and Solutions
Vogels emphasizes the importance of automation for security and compliance. AWS offers plenty of security automation help, but various vendors are able to help with that too (be sure to check out our cybersecurity sites). MSPs work within AWS to provide secure solutions that are constantly monitored with 24/7 support if you need it. Collaboration with your MSP and across your IT teams is crucial to maintaining safe and compliant workloads.
Keeping security teams isolated from the DevOps process is arguably the biggest obstacle to securing DevOps. Traditionally, security comes in later in the development and release cycle, but DevOps promises to eliminate lengthy processes to increase release speed. Development teams notoriously don’t want security teams accessing their build environment, for example. Exclusion leads to security problems that won’t be solved by the time the release is scheduled. There needs to be a culture of understanding between development, operations, and security teams.
CyberArk recently wrote about securing the DevOps pipeline. They suggest using fully automated privileged account security, also known as privileged access management (PAM). PAM solutions would allow DevOps teams to maintain trust without sacrificing security. Inclusion should not be a replacement for caution. Having secured access management should be a priority when working through the development cycle.
You can ask your managed service provider to help you with security needs, even if they don’t specialize in security. MSPs work with outside vendors to bring their clients the best tools possible.