Securing the DevOps Process

How do you ensure security and compliance in a fast-moving DevOps process? Security has always been hard to fit into the software development and release cycle. DevOps raises the stakes: it fuses the previously separate development and IT operations workflows into a single, accelerated process, leaving fewer hand-offs at which a security review can naturally take place.

“We have a natural conflict here,” said Joseph Kucic, Chief Security Officer at Cavirin Systems. Cavirin offers solutions to address security challenges in the cloud and DevOps. “A DevOps team is under pressure to move quickly, to write and implement code. At the same time, the SecOps team is usually perceived to be slowing down the process in order to try and prevent breaches. We see this tension all the time. Unresolved, it can cause organizational trouble and increased risk exposure.”

As Kucic sees it, security lags because reviews occur late in the DevOps pipeline. “In the worst case,” he added, “security is an afterthought after the CI/CD pipeline is deployed. The various groups operate in silos. This creates friction, rework and the potential for error.”

It is arguably worse than that. The way modern software is built and shipped, as a steady stream of changes flowing daily through Continuous Integration (CI) and DevOps pipelines, exposes it to risks that earlier generations of code did not face. Several factors contribute. DevOps work is often spread across multiple geographies and corporate entities, which widens the trust boundary: more people, accounts and build systems are able to push code, and each is a potential point of compromise.


The software itself typically relies on standards-based APIs, web services, containers and microservices. These are great for agility, but their loosely coupled, distributed nature multiplies the attack surface: more network-exposed endpoints, more credentials and trust relationships between components, and more places where a misconfigured or unauthenticated interface can be reached. Finally, there is cloud hosting, which decouples IT operations from the underlying infrastructure and puts much of the security configuration into the hands of whoever writes the deployment code.

None of this would be especially problematic if everyone followed rigorous security policies and applied countermeasures consistently. The trouble, as one might expect, is that the loose, fast-moving nature of DevOps makes that consistency hard to achieve.

Cavirin has built a response to these problems: what it calls a DevSecOps solution, which injects security and compliance policies into the DevOps process itself. With Cavirin, developers provision and manage data center resources through code, so the same pipeline that builds and ships the application can also check that the infrastructure it deploys to is configured securely. Secure infrastructure becomes a natural extension of coding rather than a separate review stage.

Security is integrated into DevOps through 80,000 policies, 25 benchmarks and a host of programmable security controls. The tool integrates with version control and enforces security and compliance policies such as patch management, so a violation can be flagged when a change is committed rather than after it has been deployed. An API-enabled architecture supports DevOps security orchestration, connecting other security tools for centralized protection.
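To make the idea of a policy gate in the pipeline concrete, here is an added illustrative example in Python. It is not Cavirin's code, nor one of its policies or benchmarks; the resource format, the policy identifiers (SG-001, STO-001 and so on), the threshold of 30 days for patch age, and the sample deployment plan are all constructed for this example. A CI job would load the real plan from the repository's infrastructure-as-code output, run the checks, and fail the build on any finding.

```python
"""
Illustrative policy-as-code gate for a CI/CD pipeline (added example,
not Cavirin's product). Every policy, resource schema and sample value
below is constructed for demonstration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    policy: str    # hypothetical policy identifier
    resource: str  # name of the offending resource
    message: str


# Constructed snapshot of an infrastructure-as-code plan. A real pipeline
# would build this from Terraform/CloudFormation plan output.
SAMPLE_PLAN = {
    "security_groups": [
        {"name": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "buckets": [
        {"name": "logs", "encryption": True, "public": False},
        {"name": "exports", "encryption": False, "public": True},
    ],
    "instances": [
        {"name": "api-1", "last_patched": "2024-05-01", "image_tag": "api:1.4.2"},
        {"name": "worker-1", "last_patched": "2024-01-15", "image_tag": "worker:latest"},
    ],
}

ADMIN_PORTS = {22, 3389}      # SSH and RDP
MAX_PATCH_AGE_DAYS = 30       # hypothetical patch-management limit


def check_admin_ports_not_public(plan):
    """Administrative ports must never be reachable from 0.0.0.0/0."""
    for sg in plan.get("security_groups", []):
        for rule in sg.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0":
                yield Finding("SG-001", sg["name"],
                              f"port {rule['port']} open to the internet")


def check_bucket_hardening(plan):
    """Object storage must be encrypted at rest and not publicly readable."""
    for bucket in plan.get("buckets", []):
        if not bucket.get("encryption"):
            yield Finding("STO-001", bucket["name"], "encryption at rest disabled")
        if bucket.get("public"):
            yield Finding("STO-002", bucket["name"], "bucket is publicly readable")


def check_patch_age(plan, today):
    """Instances must have been patched within MAX_PATCH_AGE_DAYS."""
    for inst in plan.get("instances", []):
        age = (today - date.fromisoformat(inst["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:
            yield Finding("PATCH-001", inst["name"],
                          f"last patched {age} days ago (limit {MAX_PATCH_AGE_DAYS})")


def check_pinned_images(plan):
    """Container images must be pinned to a specific version, not 'latest'."""
    for inst in plan.get("instances", []):
        tag = inst["image_tag"].rsplit(":", 1)[-1]
        if tag in ("latest", ""):
            yield Finding("IMG-001", inst["name"],
                          "image tag not pinned to an immutable version")


def evaluate(plan, today):
    """Run every policy against the plan and collect the findings."""
    findings = []
    findings += list(check_admin_ports_not_public(plan))
    findings += list(check_bucket_hardening(plan))
    findings += list(check_patch_age(plan, today))
    findings += list(check_pinned_images(plan))
    return findings


def gate(plan, today_iso):
    """Return (passed, findings); the CI step exits non-zero when passed is False."""
    findings = evaluate(plan, date.fromisoformat(today_iso))
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_PLAN, "2024-05-10")
    for f in findings:
        print(f"[{f.policy}] {f.resource}: {f.message}")
    raise SystemExit(0 if passed else 1)
```

Run against the constructed plan, the gate fails with five findings (the bastion security group exposing SSH, the unencrypted public bucket counted twice, the stale worker, and its unpinned image) while the compliant web security group, log bucket and api-1 instance produce none. The point of the structure is that each policy is a small, reviewable function that lives in version control alongside the infrastructure code it governs, which is what lets the check run on every commit instead of in a late review.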

DevOps can be friendly and secure, if done right. DevSecOps can help make it happen.

The Cavirin example shows that apparently difficult security scenarios do have solutions. It is tempting to look at DevOps and conclude that it can never be a secure process. That is not true. It can be secure (or at least more secure) if stakeholders are willing to take the steps and invest in new solutions that address the new risks.
