THANK YOU FOR SUBSCRIBING
DevOps and Security
By Nadeem De Vree, CCO & CIO, NN
DevOps is the process where teams are responsible for both the development and the operations part of an application. A continuous process that makes incremental changes to the environment seeking to increase and/or improve functionality.
On the other hand Security achieves its best results within a controlled or stable environment. Where the security measures adapt as technology advancements allow for more efficient protection.
It is this conflicting situation that most companies find themselves in, regardless of if they are financial organizations that are compliance driven or high tech/products companies that are more risk focused. Financial organizations need to make sure they comply with regulatory demands. They have a strong compliance based culture where any changes that could affect the reporting or stability of the company and its customers needs to be tested and documented. The result is that the fast paced DevOps way of working is slowed by a need to document and get the needed signatures and at times waivers.
Financial Organizations have a strong compliance based culture where any changes that could affect the reporting or stability of the company and its customers needs to be tested and documented
High Tech and Products driven companies are moving away from compliance driven security and towards risk based security. Whereby the process is to determine the risk appetite of the organization and then translate this into policies and technologies. These companies are more often than not faced with a need to get products to the market sooner than their competitors. This places very different demands upon the DevOps process and the need to streamline the integration of security and DevOps; security by design. Ideally within these companies the risk appetite will be instilled within the companies ethics and as such with all the employees. The internal conflict here is between the need to create secure products and the need to be first to market. These companies have often given the security organization the ability to block the release of any product that exceeds the risk appetite of the company regardless of what the product owner might want. This approach results in a close cooperation between security, product design and the DevOps teams so as to reduce any delays later on in the process.
It is generally accepted that the DevOps way of working leads to faster results that are able to adjust where needed to meet changing demands, and as such this way of working will continue to move out of the IT/product development world and into the larger organization structure. Similarly companies are also aware that it is no longer a question if there will be a security breach but rather when and that it is therefore key to always stay one step ahead. Concluding that ideally security would be a standard part of the DevOps way of working. However as long as product owners push to reduce time to market or organizations are compliance, and thus administration, driven we will continue to see that security is experienced as an inhibitor rather than an enabler in the DevOps process. Despite this, companies are and should, continue to strive for a true ‘secure by design Devops culture’.