This is the second part of two articles. Please read the first article here.
DevOps has made standardized application architectures obsolete. It’s time to rethink security instead.
As discussed in my last article, the days when security teams could focus on a single, standardized environment like LAMP (Linux, Apache, MySQL, PhP) are gone. In the age of DevOps, developers are making their own choices about the environments and tools that best meet their needs—with new services and layers being added all the time. As a result, security teams might not even know what the architecture looks like, much less who’s making the decisions. And security becomes just one more check box on the cloud provider’s website, instead of a well thought out strategy and selection process.
App security is too important to be an afterthought. With the threats facing modern web applications, organizations need to find a new way to ensure protection without impeding innovation. To move forward, security and DevOps will need to work together to solve the challenges they face—in terms of both security and organizational politics.
The politics of decision-making
In the old days, the politics of decision-making were straightforward: security controlled technology and that was that. People didn’t have to work together to make decisions. This kept things simple, but it also meant that there was no need or opportunity for a more collaborative decision-making culture to evolve. Security didn’t have to care how developers felt about the decisions being made for them, and developers had no reason to try to see things through security’s eyes.
While security teams have largely remained within this silo, however, developers and operations teams have been developing a more collaborative culture among themselves. The cornerstone of DevOps is having multiple groups work together to solve problems. Developers are more attuned to how their apps will behave in production; operations professionals have more visibility into the software development lifecycle. And technology decisions are being made by the people whose work is most impacted by the choices being made—developers, operations, and DevOps.
CISOs can try to build back some semblance of control and have decisions made by large, integrated teams including both security and developers, but we’re a long way from that now. The world of DevOps is likely to remain messy for years to come. Security can’t just wait it out and hope that standards and formality will emerge over time. We need to find a new way to solve the problem—not by trying to control Dev and DevOps teams, but by allowing them to make their own choices while still maintaining security.
Here are four ways CISOs can advance security in the age of DevOps.
1. Form strong partnerships
As a first step, security needs to form strong partnerships with Dev teams. In the past, the lines of politics and decision-making were drawn such that these teams didn’t have to talk to each other—and preferred not to. Each saw the other as an adversary actively working to undermine their agenda. Now it’s time to get the heads of Dev, Ops, and security at the table so they can begin to communicate. Developers can explain to security what they’re doing and the technologies being used, and security can explain how and why to secure it. By creating better lines of communication from the top down, these leaders can start to change the counterproductive culture of opposition.
2. Ask the right questions
Once Dev, Ops, and security have started talking, they’ll have many fruitful points to cover. Who decides which security tools get installed, where? Whose budget will cover it? Who will make sure things are installed properly? Who will run it day-to-day? In the days when security had its own network layer all to itself, questions like these were moot. In the modern technology environment, you need to make sure everything is spelled out so that nothing falls through the cracks and misunderstandings are prevented.
3. Build trust
Given the traditional dynamics of the Dev-security relationship, CISOs and Dev leaders will need to focus on building a more harmonious way of working across their teams. This means both understanding and respecting each other’s viewpoints and priorities—why fast, agile development processes are vital for digital success, the real threats and business risks driving the security agenda, how each team has made life harder for the other in the past. You don’t have to go as far as teamwork retreats and trust falls, but don’t underestimate the value of taking the time to cultivate a new model of integration and teamwork.
4. Make it easy for dev and ops to play nice with security
Politics aside, no developer actually wants their application to be breached. They do want to deliver secure code—they just want it to be easy to do so, without slowing or complicating their work. Providing this capability can be a powerful enticement for Dev and Ops to buy into the new model. By offering security tools that work well natively with the development tools they’re already using, you can allow architectural flexibility while making it easy for them to work with the controls you need to have in place.
The standardized application architectures and top-down security of the past are likely gone for good—and that’s a good thing. By allowing developers to exploit the full flexibility and diversity of the cloud ecosystem, organizations can drive digital innovation and competitiveness faster and farther than ever before. And by making security a seamless part of that effort, they can do it without increasing risk.