By Josh Kirkwood, DevOps Security Lead, CyberArk
DevOps, the marriage of development with business operations, is in essence about collaboration and integration.
Its fundamental aim, pursued mostly through culture rather than technology, is smoother organisational operation through cooperation between the two business units. Today, there is an increasing operational need for security to be an integral part of this collaboration. Indeed, when security is an intrinsic aspect of an organisation’s workflow, it allows DevOps to enhance innovation rather than constrain it.
Yesterday's problems, today
This approach contrasts with the default position, in which security teams get in the way of DevOps processes. The roots of this division can be compared to the one between Dev and Ops in the era of ’10 deploys a day’. Then, there was little cooperation between the two disciplines, as each side pigeonholed the other: Dev people thought too much, and Ops were obstructive and said ‘no’ a lot. Once it was recognised, however, that the role of both disciplines was ultimately to enable the business and support its growth, it was perhaps inevitable that the two would merge.
The ‘us or them’ attitude that led to the Dev versus Ops standoff has also led to DevOps doing its own security internally. DevOps teams have found that security teams, in their role as gatekeepers, are overly cautious and say ‘no’ a lot. This hampers business development.
Security pressure points
Today, to one degree or another, most companies can be considered technology companies in the sense that the value of their offerings is derived from technology. People buy user experience rather than interest rates when choosing their personal banking, for instance. A potential consequence is that if a business process or operation is carried out in a manner that compromises the firm’s security, the impact can ricochet and spread damage across the organisation far more widely than was previously possible. Tougher regulations – such as GDPR – can magnify the consequences.
A case in point is the smartphone application firm TimeHop’s security breach, which came to light this summer and affected 21 million customer records. In July, the company found itself having to publicly discuss a failure in its security infrastructure that saw personally identifiable information (PII) compromised, including customer names, email addresses and dates of birth. Typical of the type of breach that results from a siloed approach to security, an intruder acquired the login credentials of a TimeHop employee and used them to log into the firm’s cloud computing environment. A TimeHop spokesperson commented that the breach was an example of the risk employees can pose when an organisation has ‘poor cloud security hygiene.’
Security in the workflow
The TimeHop example highlights the dilemma facing businesses. The choice is between sticking to the status quo relationship between DevOps and security teams, and living with the inherent security risks, or instead acknowledging the changed role of DevOps, accepting that holistic security is essential, and working to transform how the two work together. The latter approach is much more likely to future-proof the firm’s security policy and avoid the fate of TimeHop.
With security integrated within DevOps and all processes managed in tandem within the workflow, businesses can devote more focus to sourcing and using the right tools and to maintaining an internal culture conducive to recognising and mitigating emerging security risks.
Security breaches like TimeHop’s demonstrate the range of routes now available to attackers for infiltrating business infrastructure. When DevOps is deployed over a wide area including, for instance, data centres and hybrid clouds, there is an even greater need for a coordinated approach to security across the entire organisation.
The end goal of both DevOps and Security is the same: driving secure business growth and customer satisfaction. Although from different perspectives, in doing so they generate valuable data and insight on performance, reliability and quality.
Where once Dev built the offering, Ops ran it and Sec kept it safe from attack, today’s infrastructure environments are very different. Reflecting this, security should now be an intrinsic aspect of the workflow of any organisation truly determined to lead using DevOps as an enabler. In practice, the cooperation and integration of DevOps and security will create a harmony that can supercharge both efficiency and productivity and reinforce the organisation against the myriad security risks it faces today.