Co-authored by: Anju Rachel Thomas
The ultimate business operations case for hybrid cloud can never be better illustrated than in the present context. When the unanticipated COVID-19 situation called for swift adoption of remote workplace practices and necessitated mission-critical personnel to work from the safety of their homes, organizations were met with crucial and unforeseen challenges of scalability, flexibility, and agility in forms that hindered the successful recalibration of business operations.
DevOps to SecDevOps for securing business acceleration
Heavy dependence on traditional infrastructure and business operations in some organizations made reliable and secure access to resources from distributed locations extremely challenging. Even those enterprises that employed cloud applications at a departmental level went under the radar. The need for highly responsive application services to facilitate increased demand, flexibility, and computing abilities could not be fulfilled due to the sudden peak in demand for digital channels and services. This forced many a large enterprise to reconsider their IT landscape and transition to an environment that is agile, scalable, OPEX-oriented, and offers optimum performance and business continuity in the face of disruptions, aka the hybrid cloud.
But the transition to hybrid cloud alone was not sufficient. Organizations also needed new ways of developing, operating, and securing their environments due to the increased digital and virtual footprints. In a bid to gain competitive advantage during these times, organizations were quick to inculcate DevOps practices, an intensive collaboration between development and operations for faster application delivery, thereby fulfilling their digital objectives faster. The DevOps methodology enables developers to take control of the production infrastructure and prioritize application delivery. DevOps and hybrid cloud share the same end objectives of bringing agility, flexibility, and scalability to reduce the risk of failures, avoid downtimes, and enable faster time to market.
There is no doubt that the DevOps culture improves the adoption of hybrid cloud with a reduction in failed initiatives by more than 60%. But these apparent benefits may turn out to be double-edged – if the ability to deploy faster translates to security implications, what will be the workaround?
Shifting Left and SecDevOps
In the pursuit of faster development and deployment, security often becomes an afterthought. Though unintentional, the very extent of infrastructure employed by large organizations in a distributed fashion impacts visibility and control at times. Here, administrators are rendered unable to enforce security measures regularly through manual patching or configuration management. This is only the beginning of the problem. It further escalates into potential compliance violations for regulated industries and threats to data security, both at rest and in transit. Even the presence of an assortment of heterogeneous systems from multiple vendors comes with its own unique set of challenges. Such a situation calls for implementing data security as a culture, at every layer and phase of the development lifecycle.
The idea of integrating data security into the entire continuous integration/continuous development pipeline brings terms such as SecDevOps, DevSecOps and DevOpsSec into the conversation. To clear the air, the changing position of ‘Sec’ only indicates the priority assigned to security in the SDLC process. What aligns most with the intent to deploy applications with limited vulnerability is to place security at the earliest possible stage, i.e., leftmost, making SecDevOps, also known as Rugged DevOps, the right term to be used and pursued.
SecDevOps should not be considered as an alternative to DevOps. Rather, it is a necessary extension to the DevOps pipeline that gives security the utmost importance. In addition to promoting secure coding, this discipline aims at eliminating the cost-intensive security escalations that arise post release.
Making Security Possible: Five Ways
The use case for SecDevOps is gaining momentum as cutting-edge technologies such as Serverless Containers, Function-as-a-Service, Quantum Computing and OmniCloud reduce the latency between coding and deployment to the cloud. Here are some salient features of SecDevOps that enable it to equip the cloud infrastructure for continuous transformations at an agile pace.
- Automation for the win: SecDevOps has two key elements, the first being Security-as-a-Code (SaaC). This refers to embedding security standards into various stages of the DevOps pipeline, a process made possible through automation. In fact, automation is the guiding light to attain ideal security standards. It offers speed, accuracy, and consistency, and removes the chance of failures caused by human errors. End-to-end automation for all development and operational steps – from continuous integration, testing, deployment, and monitoring to provisioning virtual machines and configuring firewalls – helps the security team identify control failures quicker, thereby reducing exposure and consequently risk. It also leaves sufficient room for critical issues like threat remediation to be handled by security specialists. An identical treatment applies to Infrastructure as a Code (IaaC), the second element.
- Communication times three: As is the case with the DevOps methodology, SecDevOps too recognizes the need for constant communication and collaboration for increased production speed. Strong feedback loops that provide regular and reliable reports become the backbone of successful security implementation.
- Developers as security proponents: The SecDevOps way demands that developers take ownership of security for the code they write. Training software programmers, architects, and operations staff and equipping them with the right tools is often undertaken by security teams, who are also responsible for creating security policies and practices for the entire organization. A cultural paradigm to inculcate security is required at all levels within the enterprise, including leaders and mid-level managers.
- Continuous auditing and monitoring: While auditing code is fully automated through scripts, composition analysis, static and dynamic analysis, etc., security code is reviewed in a timely manner through manual and automated processes. Alerts and dashboards enable continuous monitoring, and delegating real-time remediation is a function of automation.
- Defining security playbooks: SecDevOps clearly lays down the responsibilities and accepted practices that must be followed by every member of an organization before, during, and after a security incident. This provides a way for the right team to deduce the reason for failure and ensure appropriate response mechanisms and preventive measures are implemented.
To summarize, the DevOps pipeline with hybrid cloud infrastructure is fast becoming the standard for process transformation for large organizations, simply because this practice is critical to reap the benefits of agility, scalability, and high performance offered by a multi-hybrid cloud infrastructure. However, the success of this cloud infrastructure investment calls for another crucial element to be factored in – security. SecDevOps is a practice that has evolved from this need to build a well-rounded system derived from DevOps practices with the addition of Security as a Code. Remember, SecDevOps is not a one-size-fits-all, quick fix to modern IT security needs; rather it is a three-pronged technology-process-people approach powered by automation that needs to include a cultural shift as well for business acceleration.