DevOps and Security

Companies are now realizing that there is a need to reassess how they deal with the compliance regulations put in place following the 2008 financial crisis. We see a trend that auditors and financial institutions are working together in assessing what is mandatory, and streamlining the process so as to create some more ‘breathing space’ for the DevOps teams to operate in. In parallel specialized IT security teams are being set up that are deployed to those DevOps teams that are working on IT changes that meet corporate requirements. The decision for these security teams rather than dedicated security individuals within the DevOps teams themselves would seem to be dictated by the scarcity of skilled security professionals on the market as well as a lack of work within the teams to validate the dedicated security professional.

High Tech and Products driven companies are moving away from compliance driven security and towards risk based security. Whereby the process is to determine the risk appetite of the organization and then translate this into policies and technologies. These companies are more often than not faced with a need to get products to the market sooner than their competitors. This places very different demands upon the DevOps process and the need to streamline the integration of security and DevOps; security by design. Ideally within these companies the risk appetite will be instilled within the companies ethics and as such with all the employees. The internal conflict here is between the need to create secure products and the need to be first to market. These companies have often given the security organization the ability to block the release of any product that exceeds the risk appetite of the company regardless of what the product owner might want. This approach results in a close cooperation between security, product design and the DevOps teams so as to reduce any delays later on in the process.

It is generally accepted that the DevOps way of working leads to faster results that are able to adjust where needed to meet changing demands, and as such this way of working will continue to move out of the IT/product development world and into the larger organization structure. Similarly companies are also aware that it is no longer a question if there will be a security breach but rather when and that it is therefore key to always stay one step ahead. Concluding that ideally security would be a standard part of the DevOps way of working. However as long as product owners push to reduce time to market or organizations are compliance, and thus administration, driven we will continue to see that security is experienced as an inhibitor rather than an enabler in the DevOps process. Despite this, companies are and should, continue to strive for a true ‘secure by design Devops culture’.