By James Lapalme
As readers of this article well know, DevOps is a set of practices and cultural values proven to help organizations of all sizes improve software release cycles, quality, and security. DevOps emphasizes speed and automation, but this unfortunately often leaves security and compliance as afterthoughts. Additionally, as high demand for applications (apps) and services in regulated industries like financial services and healthcare increases, it creates a greater need to integrate security best practices into the infrastructure, development lifecycles, and apps themselves.
Even if security is a priority, the challenge is that existing solutions pose roadblocks to workflow, preventing DevOps from adopting secure, streamlined development processes—DevSecOps.
Developers need to design, test, and distribute applications quickly, but security loopholes can be created without implementing data security in the development environment. This rings true particularly in self-service environments with high levels of automation where workloads containing sensitive information or intellectual property quickly and unintentionally spread to unprotected zones.
Adding to the complexity is DevOps in the cloud. Virtualization and cloud computing offer DevOps teams the ability to deliver software releases faster than ever. Many organizations withhold mission-critical production workloads to the corporate datacenter or private cloud, but the public cloud is quickly becoming commonplace for DevOps as well. Meanwhile, hyperconvergence has radically simplified private cloud with the power to match infrastructure as a platform solutions.These advancements have transformed the datacenter into a complex, hybrid, and highly automated environment. As hybrid IT becomes standard it is even more critical to isolate and secure data in DevOps environments to ensure information protection—without significant compromises to transparency and speed—particularly for mission-critical workloads.
DevSecOps starts with securing the infrastructure platform that developers and operations teams leverage for design, testing and production. The developers’ unit of work—virtual machines (VMs), containers and machine images—must be protected against known threats, whether stored and started up on-premise or in the cloud.
While DevSecOps is a goal all should work to attain, according to Gartner’s November 2017 report, Integrating Security Into the DevSecOps Toolchain, “by 2019, only ten percent of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than five percent in 2017.”
So, what are the barriers to DevSecOps, and how can these be addressed? Below we include common roadblocks and solutions for DevSecOps.
Images and VMs can be easily created, cloned and moved from one environment to another. DevOps automated and self-provisioning models can accelerate proliferation of data to unmanageable levels, presenting a security risk.
Operational Expenditures become unpredictable with proliferation, and SecOps teams are overwhelmed with efforts to discover, identify, and decommission unnecessary or unsecured workloads.
Enforcing consistent security is complicated by inevitable human error, misconfiguration, and inconsistent adoption of secure best practices.
In rapid development lifecycles, where instances are frequently spun up and torn down within hours, residual images, backups, and snapshots containing intellectual property and/or sensitive data can easily be left behind and not protected.
Industries like financial services and healthcare face particularly strict requirements for data privacy and security in some areas of production environments, making security more challenging but ever more necessary.
Virtualization was designed for speed, but unsophisticated encryption solutions often impede performance and workflow.
So What can you do to Combat These Barriers?
Following are some recommendations that organizations can implement to help address the aforementioned issues and drive towards DevSecOps.
Protect Production Workloads
Companies should isolate and protect mission-critical or production workloads with FIPS 140-2 validated VM-level encryption.
Prevent VM Sprawl
To restrict unauthorized replication or movement of data, implement and reinforce clone controls and geo-fencing policies.
Enforce Time Management
Consider establishing time-based controls to protect against malicious access attempts after work hours.
Eliminate Residual Risk
Establish policies to revoke keys to eliminate residual data risk and securely terminate DevOps workloads when they’ve expired.
Save time by scripting and embedding encryption within VM template libraries and master images to set security and policy control by default.
Look for ways to automatically and seamlessly protect workloads at rest and in transit—seek to reduce manual intervention requirements for scaling, migrations, and backup and disaster recovery.
Separate SecOps Management from DevOps
Ensure that decryption keys are held and controlled by security administrators to separate them from the DevOps process.
DevOps is highly valuable in the race to release new software. But, without proper security controls, DevOps also presents significant risk. By taking the above recommendations into account and working collaboratively within and across teams to ensure DevSecOps principles are followed, companies are better positioned to achieve the goal of DevSecOps and protect the critical data and intellectual property they hold. SW
As VP of business development and cloud/Internet of Thing (IoT) Solutions at WinMagic, James Lapalme is responsible for global alliance partner business development and for cloud/IoT solution strategy. Lapalme has more than 20 years of experience in cybersecurity.
Jun2018, Software Magazine