Of IT disciplines, cyber security is the only one that should never dance alone. It touches everything, from networking to application development. Yet traditionally, security has often been the last one invited to the party.
In the DevOps community, that is now starting to change. A new awareness of the threat landscape is dawning, and 2018 offers the opportunity to use the newfound collaboration inherent in the DevSecOps approach to not only build and maintain secure software, but also address the new realities of protecting a development environment more people have access to.
‘Tis the year for change – not just for your team, but for public cloud companies and security vendors as well. Many security companies have struggled to keep pace with rapidly changing cloud technology architectures around containers and server-less environments. Many also simply don’t understand the cloud, and do a poor job addressing the needs of virtualization. Meanwhile, public cloud companies are getting nervous about their liability for data breaches, as well their lack of transparency previously on their security and compliance claims. Given the realities of shared responsibility, this shouldn’t come as surprise.
So what can the DevOps community expect in 2018? Here’s a few ideas.
Prediction 1: Public cloud companies will continue to expose more infrastructure security visibility to customers as the customer continues to trend towards more server-less and PaaS (platform-as-a-service) architectures.
Cloud companies are getting nervous about breaches happening in their hosted environment, and to land large enterprise customers with sophisticated security teams, providing more visibility will become a prerequisite. Consider some of the breaches that have been in the news in the past year.
Uber, a born in the cloud software application, recently had a 2016 breach disclosed where developers left credentials in their shared GetHub environment that allowed threat actors to gain access to customer information. In another incident, a Verizon partner leaked information on millions of customers hosted in the cloud due to poor configuration. These types of incidents will continue to drive conversations about shared responsibility and security. But here’s the catch – even as those providers offer more visibility, few cloud customers will have the sophistication to consume or leverage that information.
Prediction 2: More companies will start to adopt a DevSecOps approach to orchestrating their public cloud.
Integrating DevOps and security teams brings several benefits to the table, particularly regarding automation and orchestration. In 2018, expect many organizations to turn to automation frameworks to not only handle continuous delivery but also handle security patching as part of that continuous delivery methodology. Using automation tools, DevOps teams can leverage containerization to build a whole new production prototype in their test environment. From there, they can conduct load testing, perform patching and ensure the application functions properly. If all is well, the next step is for the software development team to change scripts in the automation framework used to replicate new production environments in the virtual data center that is home to the current production environment.
When it’s ready to go live, the DevOps team deletes the current production environment and leverages the automation framework to deploy the new one, applying the code changes and patches in the span of minutes. As a bonus, any threat actor who compromised the environment loses access, reducing attacker dwell times significantly.
A key part of this will be the increased use of containers, which will also spur container security tools to become more mainstream due to the complexity involved in protecting them.
Prediction 3: Not everyone will get on board with DevSecOps, and a major data breach will be attributed to security teams being locked out of the public cloud migration plans because they are considered a barrier.
Progress does not always happen as quickly as we would like. While DevOps is gaining traction among enterprises, the security piece is often missing. The result is often poor coding practices, and ultimately a significant breach. Compounding the situation is the fact that security vendors are doing a poor job of providing the tools needed to protect virtual environments and the cloud. It is critical for security teams to focus on being a business enabler, and building lines of communication with developers, and vice versa. A strong commitment from the leaders of your organization is important as well to reinforce the culture of collaboration you are trying to implement.
Whatever surprises the next 12 months hold, remember that to outpace risk, security must be kept top of mind, and should never be the one without a partner when the music starts.
Next: Measuring the Effectiveness of DevSecOps.