DevOps Security Is As Disruptive As It Is Uncomfortable

David Dumas | DevOps Automation, Strategy and Planning


Security is a growing concern among businesses of all sizes, from small outlets to large enterprise organizations. In looking at how DevOps can make an impact in this area, it’s important to keep in mind what DevOps “is” and what it “isn’t.” DevOps security can be an important focus, but it has to be done the right way.

What Does DevOps Security Look Like?

DevOps is a lot of things. It’s a tool, sure, but it’s not “a” tool. It’s not a program or a piece of software. Rather, it’s a lot of them, and more besides. That can be difficult to wrap your head around in a world where many high-level executives want to know “what is it?”, “what does it cost?”, “how long does it take?” and so on.

The truth is that it’s all of these things and none of them. DevOps, in basic terms, is a combination of people and processes that brings software engineering tactics, skills, and patterns into how the application is operated in the production environment.

In short, it’s a lot of things.

It’s no surprise then that security is an arena that DevOps is starting to make headway into. The same patterns and processes we’re having to layer on top of operations, we need to bring to the security field as well.

Why? For one thing, it’s to the advantage of the business to do so. We live in a fast-paced environment, and it’s only getting faster. Being able to develop and deploy iteratively and rapidly means all areas need to follow suit.

Security in this scenario cannot be seen as an afterthought. Nor can it be seen as a component which will be omnipresent regardless of other factors. We can’t think of security as simply a locked door. Regardless of what goes on inside, the door remains locked and that’s that.

No, the whole process has to change. And that requires a change in thinking as well.

It’s not just about new tools. Sure, that can be part of it. However, we also have to change some of our fundamental assumptions of what the security landscape looks like.

Altered Perceptions And Expectations

Here’s an example of what we mean by changing our approach and assumptions. We used to track logins to a server. Makes sense, right? And besides, “we’ve always done it this way.” However, we don’t need to do this anymore. There are numerous ways to approach access now, and many of them are more productive, more secure, and faster.

The idea that we need an interactive login as the base assumption of security vector management is outdated. Still, it intuitively makes sense to continue to use it so why change?

After all, we just want to control access, right? And if that’s the front-line of defense for our security apparatus, we’ll just track logins. Simple enough. However, it doesn’t have to be that way.

It’s Not About The Tools

Or more accurately, it’s not just about the tools. DevOps security starts with asking the question “do I really need them in the first place?” Just to be clear: we’re not advocating an anarcho-tech landscape where nothing matters and nothing is important. Sure, some tools are always needed.

However, in the case of interactive login, this one basic function isn’t as needed anymore. Simply acknowledging that and moving on from it starts things in the right direction. Instead of layering on complicated heuristics and rules that come from years and years of tools and learning, the shift becomes “let’s cut it off.”

Logins? Who needs logins? No one. We don’t need them. Not anymore.
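As an added illustration, not part of the original post: once a team adopts the “no interactive logins” stance described above, the old habit of tracking logins inverts into an audit in which every accepted SSH session is a finding. The sshd log lines below are constructed samples, and the allow-listed automation account is an assumption for the example.

```python
import re

# Constructed sample lines in OpenSSH's syslog format (not from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:AAAA
Mar  3 10:12:01 web01 sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:15:44 web01 sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar  3 11:02:10 web01 sshd[2401]: Accepted publickey for deploy from 10.0.0.7 port 51300 ssh2: ED25519 SHA256:BBBB
Mar  3 11:40:03 web01 sshd[2520]: Accepted password for bob from 198.51.100.4 port 55010 ssh2
"""

# Only "Accepted ..." lines represent a session that actually opened.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def find_interactive_logins(lines, allowed_users=()):
    """Return every accepted SSH session that is not covered by the allow-list.

    Under a no-interactive-login policy the allow-list should be empty or hold
    only a documented break-glass/automation account (an assumption here).
    """
    findings = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts and PAM bookkeeping are not policy violations
        if m["user"] in allowed_users:
            continue
        findings.append({
            "ts": m["ts"], "host": m["host"], "user": m["user"],
            "method": m["method"], "src": m["src"],
        })
    return findings


def audit(log_text, allowed_users=()):
    """Convenience wrapper: audit a whole log file's text."""
    return find_interactive_logins(log_text.splitlines(), allowed_users)


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTH_LOG, allowed_users={"deploy"}):
        print(f"{f['ts']} {f['host']}: {f['user']} via {f['method']} from {f['src']}")
```

Run against the constructed sample, the unfiltered audit reports three sessions (alice, deploy, bob); allow-listing the assumed “deploy” automation account leaves alice and bob, with bob’s password-based login standing out as the weakest.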

Change Is Tough

However, that critical change is hard to push through because you’re fighting learning and established tooling. You’re fighting the “we’ve always done it this way” mentality and the “well, it works” mentality.

You’re also fighting organizational philosophy that typically shies away from disruptive change. In the end, it’s not just about buying the products or using the tools. It’s about the process, the approach, and the people which make it happen. More importantly, it’s about bringing all of those things together and having them work in unison while at the same time adopting a new overall approach.

It’s not just about how engineering steps up, or how operations and management step up. It’s more about how all of those disciplines have historically split into silos, and we’ve allowed that to happen to the point where we can’t make changes fast enough for the business anymore.

That is really what a DevOps security approach, and DevOps in general, is all about solving. Security is critical. And it needs to shift from gatekeeper to enabler in order to develop alongside other arenas.

That’s a hard shift to make. However, it’s one that can make or break an organization in today’s landscape.