DevOps shift requires new security approach
9 September 2015
DevOps has been a popular topic in IT circles over the past few years. It is important to understand that DevOps itself is not a product or a market. IDC will not be forecasting the size of the DevOps market anytime soon (although they do forecast DevOps tools) because DevOps is a philosophy for running IT.
DevOps is a software development method that aligns application development with IT operations. To fulfil the vision of DevOps, IT has had to adopt a number of new tools and technologies, such as automation tools, containerisation and orchestration platforms. The DevOps process is radically different from legacy processes, so it makes sense that IT departments would need new technologies to support this shift.
What about security, though? How has that changed? The fact is that security has lagged behind when it comes to enabling the transition to DevOps. Security start-up Illumio developed its product with an eye towards solving the DevOps security challenge, according to CTO PJ Kirner.
Kirner recognises the adoption of DevOps creates more security risk for organisations. As he put it, the primary drivers of DevOps are agility and speed of development. For most organisations, this means many smaller projects that can go from concept to development to deployment much faster than traditional applications. It also means more de-centralised control, as many different teams can run these smaller projects simultaneously.
For the security team, this poses many problems. The first is that understanding the risks becomes much harder and more complicated. With traditional IT, development and deployment times can be long, and the security team has the time to harden security at the end of the development cycle. With DevOps, getting visibility into the possible security gaps before an application is launched is more complicated because there isn’t the time to take weeks or months to ensure the security is hardened.
Automation is one of the cornerstones of DevOps, so it stands to reason that security also needs to be automated. However, with traditional security tools, there are some significant challenges with automating security using DevOps practices. This includes:
- Security policies are dependent on inflexible network parameters. This leads to rigid security architectures that cannot adjust to application or infrastructure changes.
- A massive number of firewall rules need to be reviewed when the environment changes or new applications are introduced. Typically, these rules are reconciled manually, which can often bring the process to a screeching halt.
- Traditional security products lack the APIs required to automate security management and integrate into DevOps tools.
- There are no visualisation tools to “see” configuration changes before they are implemented. The lack of visibility makes it challenging to make an informed decision on security.
Kirner described why IT should treat automating security for DevOps as urgent. His reasons include:
- Ensure security is no longer the bottleneck
- Security teams currently need detailed visibility into their computing environments to accurately assess security gaps
- Balancing security with business goals in a continuous software delivery model ensures better alignment with the business
- Rapid application deployment through standardised security configurations
- Better-performing infrastructure and operations teams as they are no longer fighting fires and working with unrealistic time frames
Solving these challenges requires a security tool built specifically with DevOps in mind. Kirner listed five attributes that DevOps-aligned security tools require:
- Security policies that use application context instead of relying solely on IP addresses, enabling DevOps to define and include security changes at every phase of the application lifecycle instead of just at the end
- APIs that enable security to integrate with third-party orchestration tools like Puppet and Chef
- Live visual verification of security policies prior to the enforcement of them
- Applications that automatically inherit contextual policies
- Faster application development time since developers no longer need to wait for security policies to be added after development is done
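As an added illustration of the first, third and fourth attributes above (this is example code written for this article, not Illumio's product or any vendor API): a small Python model in which policy is written against workload labels rather than IP addresses, new workloads inherit policy automatically by carrying the right labels, and a dry-run diff shows exactly which concrete flows a deployment would open before anything is enforced. The workload names, labels and IP addresses are constructed sample data.

```python
"""Label-based (application-context) policy with pre-enforcement dry-run."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # e.g. {("app", "web"), ("env", "prod")}

@dataclass(frozen=True)
class Rule:
    src: frozenset  # labels the source workload must carry
    dst: frozenset  # labels the destination workload must carry
    port: int

def matches(workload, selector):
    """A workload matches a selector when it carries every selector label."""
    return selector <= workload.labels

def evaluate(workloads, rules):
    """Resolve label rules into the concrete (src_ip, dst_ip, port) flows allowed."""
    allowed = set()
    for rule in rules:
        for src in workloads:
            if not matches(src, rule.src):
                continue
            for dst in workloads:
                if dst is not src and matches(dst, rule.dst):
                    allowed.add((src.ip, dst.ip, rule.port))
    return allowed

def verify_change(workloads, rules, new_workloads):
    """Dry run: flows that would be newly opened / closed if new_workloads were deployed."""
    before = evaluate(workloads, rules)
    after = evaluate(list(workloads) + list(new_workloads), rules)
    return after - before, before - after

# Constructed sample environment: prod web and db, plus a dev web server.
WEB = Workload("web-1", "10.0.1.10", frozenset({("app", "web"), ("env", "prod")}))
DB = Workload("db-1", "10.0.2.10", frozenset({("app", "db"), ("env", "prod")}))
DEV_WEB = Workload("web-dev", "10.0.9.10", frozenset({("app", "web"), ("env", "dev")}))
# One rule, written in application context: prod web may reach prod db on 5432.
RULES = [Rule(frozenset({("app", "web"), ("env", "prod")}),
              frozenset({("app", "db"), ("env", "prod")}), 5432)]

def demo():
    """Deploy a second prod web server; no IP-based rule edit is needed for it to inherit access."""
    new = Workload("web-2", "10.0.1.11", frozenset({("app", "web"), ("env", "prod")}))
    return verify_change([WEB, DB, DEV_WEB], RULES, [new])
```

The dev web server never gains a path to the prod database because its `env` label does not match, which is the kind of gap a reviewer can confirm from the dry-run output rather than from a firewall rule audit.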
Despite the security challenges of making the shift to DevOps, Kirner was bullish on the philosophy and feels there is tremendous value in it. The key is to think about how to bring the same level of agility to security as the rest of the application development cycle has.
Zeus Kerravala, IDG News Service