BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage Articles Five Lessons Security Can Learn from DevOps

Five Lessons Security Can Learn from DevOps

Bookmarks

Key takeaways

  • The speed and scale enabled by DevOps creates new challenges for security teams.
  • Security professionals must incorporate DevOps principles into their tools and workflows to keep up with modern application delivery.
  • Security solutions should be built and deployed using the same modular, automated, and scalable technologies favored by DevOps.
  • DevOps concepts such as standardized configurations, immutable infrastructure, and mirrored systems can help eliminate security complexity.
  • DevOps-style transparency and accountability are key to ensuring effective collaboration within security teams.

 

As DevOps becomes increasingly crucial to the modern enterprise, security professionals must ask themselves what they can learn from this culture shift. DevOps is a blend of organizational ideas, processes, and software tools that has enabled some of the world’s largest companies to improve productivity, achieve faster time to market, and deliver higher quality products that impact their bottom lines at blazing speeds. Enterprises like Netflix, Google, and Amazon are examples of high-performing, agile organizations that consider DevOps to be foundational to the success of their digital businesses.

Companies with effective DevOps practices understand that in today’s technology-driven, winner-take-all competitive landscape, a business’ success often depends on its ability to continuously learn, innovate, and deliver cutting-edge, customer-delighting products faster. At the same time, this creates challenges for other organizational functions such as security. Delivering distributed applications more quickly and easily substantially increases risks to businesses if they cannot be secured at the same speed at which they are deployed and scaled. Security workflows, tools, and operations must change to keep up.

More recently, the need to balance DevOps speed with existing security requirements has resulted in a model called DevSecOps. DevSecOps is based on the principle that “everyone is responsible for security”. It emphasizes how application developers can build security checks into their integration and deployment pipelines. But DevSecOps has focused far less on security during runtime, which is when the business’ applications and data are most vulnerable to attacks. Runtime security encompasses all types of threats once an application is running and includes functions such as attack detection, incident response, and policy enforcement. These functions today still largely rely on siloed tools and manual workflows. Additionally, runtime security cannot and should not be the responsibility of everyone throughout the enterprise - instead these functions are best handled by security professionals.

Besides building security into DevOps workflows, security teams should evaluate how they can incorporate DevOps principles into their tools and processes. Here are five DevOps practices that security professionals can learn from.

Build modular systems

Key to the DevOps philosophy is building systems that can be more easily managed by small teams. Many of the tools and approaches used by DevOps teams favor applications that are assembled in modular fashion. Some examples include microservices architectures, container technologies such as Docker, and 12-factor application methodology. Microservices enable developers to focus on optimizing individual application pieces that interface more easily with other systems via APIs. This streamlines development, integration, and deployment.

Security lessons: Today security teams must grapple with a patchwork of dozens of security tools that do not easily integrate with each other. Architecting security for modularity will dramatically reduce the operational complexity, time, and costs of integrating and managing these solutions. Security professionals should look for new tools that are built using the same frameworks that enable modular application development. Security delivered using microservices running in Docker containers can be easily distributed across entire clusters of applications, orchestrated by systems like Kubernetes, Mesosphere DCOS, or Docker Swarm. This means security tools can blend in as just another set of applications that are automated and orchestrated alongside the applications they protect.

Depend on automation and scalability

The overriding goal of DevOps is enabling greater speed and agility to better serve customers. Teams achieve this goal through high levels of automation and scalability designed to make infrastructure fully programmable. For example, Netflix has focused on automating the company’s entire software release platform so that it can scale on-demand to thousands of servers in minutes to ensure that customers always have access to their content. Automation has the added benefit of reducing the likelihood of manual operator error, which is a frequent source of costly service interruption or downtime.

Security lessons: Security’s mandate is to mitigate the risk and impact of attacks on the business. Achieving automation enables faster time to detection, which gives security teams more time to optimize response and recovery. As new applications are continuously deployed and scaled at the speed of the cloud, attack surfaces can scale and constantly change just as quickly. Thousands of microservices applications may be launched or destroyed within the span of a few seconds, leaving gaps in visibility and data collection. Security tools must build in automation and scalability to keep up with these new application delivery models in order to minimize potential attacks while preserving existing developer toolchains at the same time. Automating the runtime security lifecycle also mitigates the likelihood of configuration errors that attackers can potentially exploit, helping to reduce security incidents. Relying on traditional, fragmented, manual security processes is no longer sufficient.

Use standardized configurations

In DevOps, teams take advantage of consistent baseline configurations to help identify operational issues more easily. Teams package up “infrastructure as code” in the form of base images, applications, and dependencies needed to run services. This ensures systems are identical and reproducible to drive better operational hygiene. Monitoring for deviations against standardized configurations allows operators to quickly identify and troubleshoot issues. Treating infrastructure as “immutable”, so that running systems are never re-configured, is increasingly becoming a best practice that is facilitated by the adoption of application container technologies such as Docker. Running systems are simply replaced with new ones that incorporate any desired changes. This approach allows teams to easily stop problematic systems and re-launch into known, good states at the same time.

Security lessons: Security teams can similarly implement approved security configurations, fingerprinting, and profiling to surface potential issues. These standardized configurations are expected to correspond to normal system activity. Runtime activity that diverges from normal settings can be used to recognize anomalous or malicious patterns that reflect live attacks or indicators of compromise. When such activity is detected, security teams can treat infrastructure as immutable to quickly stop impacted systems and launch new, unaffected ones without having to deal with the complexity of patching live systems.

Maintain an auditable “source of truth”

DevOps culture helps foster greater collaboration across teams by using techniques like revision tracking and version control to maintain full transparency, improve change management, and streamline system recovery. Modifications to configurations are recorded to capture details such as when the change occurred, who requested the change, and the impact of the change. Using this approach, development and operations gain deeper visibility into the complete lifecycle of both applications and infrastructure, which helps facilitate better cross-functional communications and greater accountability.

Security lessons: Security teams should ensure they implement tools to collect comprehensive data from all systems to maintain an actionable “source of truth” that is readily accessible. Today most datasets are either siloed or aggregated in a centralized SIEM system without the necessary modeling required to make them actionable. Even outside of use cases such as governance and compliance that require audit trails, capturing every change to any rules, configurations, and security policies helps streamline collaboration and accountability within security teams. Security professionals, who may each focus on specific parts of the runtime security lifecycle from configuring instrumentation to forensics, can more easily take coordinated action when security incidents arise.

Leverage mirrored, active-standby deployments

Blue-green deployments are often used by teams to minimize downtime. This technique leverages two identical production environments, where at any given time one is active and the second is on standby. New releases are only tested in the standby environment. Once the changes are verified, the standby environment is activated, and the active environment is switched to standby. This allows teams to safely roll back new releases if unanticipated bugs or operational issues are encountered without ever having to make changes to any live systems.

Security lessons: Security teams can also apply the same techniques to patch management and security updates. They can test fixes on mirrored systems before releasing them in active production environments. For example, some operating system vendors now utilize dual active-passive root partitions to enable simplified patch management with the ability to safely roll back versions if required. Additionally, this has the added benefit of ensuring higher system availability, which falls under the Confidentiality, Integrity, and Availability (CIA) framework for security management. Security teams can take advantage of this approach to first observe the stability and efficacy of fixes that are meant for production environments. They can ensure that security issues will be fully remediated before implementing them at large scale.

Conclusion

Businesses of all sizes today are seeking greater agility and speed to fuel digital transformation. By embracing DevOps, application developers are empowered to focus on what they do best: building and shipping new software. Security professionals should also continue to focus on what they do best: keeping attackers out. Just as DevOps emerged to meet new business needs, new approaches in security are now needed to address the challenges of a DevOps-driven world. These new security approaches themselves must incorporate DevOps practices that rely on modularity, automation, standardization, auditability, and mirrored systems. By applying these five DevOps principles to new tools and workflows, security can be a major differentiator that helps businesses succeed in today’s fast-changing market.

Author Bio

Wei Lien Dang is VP of Product at StackRox, a security company building a new platform to protect modern enterprise applications. Previously, he was Head of Product at CoreOS and held senior product management roles for security and cloud infrastructure products at Amazon Web Services, Splunk, and Bracket Computing.

Rate this Article

Adoption
Style

BT