Posted on Jun 25th, 2014 by Reuven Harrison

The world of DevOps is still a work in progress, especially where security is concerned. Most discussion around DevOps centers on business agility, and undoubtedly businesses are focused on delivering business-critical apps as quickly as possible. But a blog from Andrew Storms, the senior director of DevOps for CloudPassage (a security automation platform for the cloud), focuses on ensuring the security of DevOps lifecycles and coins the phrase “SecDevOps”.

As the blog points out, the definition of DevOps, let alone SecDevOps, is unclear. In fact, given that DevOps is not well understood, SecDevOps surely complicates things even further, a point backed up by research from InformationWeek published in the US in January. Of 318 IT respondents, just 68% were familiar with the DevOps concept and only 22% considered themselves very familiar with DevOps, so clearly there is work to do.

Storms' blog characterizes SecDevOps as the “heavy use of security automation” but essentially discusses how workflow can be automated to provide security, particularly for cloud environments.

The blog says: “A simple act of changing a firewall has huge potential for security automation. The SecDevOps firewall change process goes beyond changing a few lines in a config, but also provides an independent and automated verification process that most organizations don't perform today.” It goes on to discuss how elements of the change verification process can be automated to ensure that each change is audited and that security checks, such as scans, are performed automatically when a change is made. Personally, I'd argue that organizations should take it one step further by orchestrating their security controls. Whereas automation is comparable to a robot that repeats tasks with speed and accuracy, orchestration is analogous to a conductor, coordinating complex systems and applying his experience to keep everything in tune. A "simple" firewall change may require coordination across multiple firewalls, network devices, security policies and processes that are owned by different stakeholders from separate business units.

Although Storms' blog certainly rings true, as the InformationWeek report points out, the main challenge in SecDevOps is to generate trust between the security teams and the DevOps people. While 45% of tech pros say that adopting DevOps will improve security, the truth is that each team, security and DevOps, has a different agenda. DevOps wants to create apps and add new features to prove their worth, while security wants to ensure that these apps don't expose the organization to risk. It means they don't often pull together toward the goal of balancing the need to deploy apps faster against protecting the company from risk.

The key (as the report confirms) is not to start with automating security but to first allow better collaboration and communication between security and DevOps teams. Solutions like Tufin's Orchestration Suite, which enables organizations to manage network connectivity and security policy from the application scope, can be very useful in creating and maintaining this trust and a common language between DevOps people and security people.

Alongside ensuring that security teams get involved in initial development meetings, such solutions can prove invaluable in streamlining the change process and highlighting risks. Once this trust is established, then and only then can automating security become a reality.