Naysayers contend DevOps weakens security, others say DevOps enhances security.
There is a firmly held concern in security circles that the automation associated with DevOps moves too swiftly, that security teams and their tests can’t keep up, that too many of the metrics measured focus on production, availability, and compliance checkboxes, and as a result, security falls to the wayside.
Early proponents of DevOps always have argued that when done right, DevOps can actually improve security. When it comes to the positive impact of DevOps on security efforts, Justin Arbuckle, vice president, EMEA, and chief enterprise architect at Chef, doesn’t mince words. Arbuckle also was formerly chief architect at GE Capital, where he was a big proponent of Agile and continuous delivery approaches to software development.
Arbuckle says that many, if not most, organisations today simply are not developing resilient software or infrastructure or even maintaining regulatory compliance — and that they never will be able to actually automate as much of the software security and regulatory compliance checks as they can without moving toward DevOps.
“I think a lot of what we think of as being compliant today is a complete myth,” says Arbuckle, who contends that there are so many security and regulatory compliance checks that large enterprises typically have to check that they just can’t keep up. “They have to trade off between ‘It’s good enough, we’re ready to go’ and ‘We’re not going to go anywhere until we’ve literally crossed every T and dotted every I,’” Arbuckle said in a recent interview.
Arbuckle is even more uncertain of current enterprise claims when it comes to managing their security risk posture. “I think the number of organisations that can count fully detailed, fully implementable — and that’s the key word, ‘implementable’ — security policy by their infrastructure people on one hand,” he says.
According to Arbuckle, security teams trying to keep up with security threats have to learn and respond as they go, and the result is that security policy tends to lag the threat. “The only way for the organisation to catch it is through this process of documentation, policy, and checks. And through it all, they know that the standard is nonsense because it’s out of date by definition. So they have to create a point-in-time review, which brings velocity to a halt,” says Arbuckle.
DevOps naysayers contend, however, that DevOps also risks automating the wrong processes, or poor metrics move the organisation away from measuring actual security and compliance risks to only measuring those risks and threats that they can easily measure, thereby creating a false sense of security that itself can be dangerous.
Andrew Storms, Vice President, Security Services at consultancy firm New Context, says that while some concerns about moving too fast to DevOps are valid, many of them come from a place of fear. “Much of it really is rooted in fear. They see that the organisation has brought together the developer and the operations team and they fear that everything will become the Wild West,” Storms says. “However, we’ve shown over and over through the years that bringing these teams together actually has huge positive impact.”
While security processes tests always should be an integral part of DevOps workflow, that isn’t a reality for many organisations. They’ve always struggled to properly integrate security, and those challenges certainly persist through transitions to DevOps. But Storms says that DevOps provides an opportunity to more tightly couple security into the workflow. “One of the best ways to bring DevOps and security together is to utilise the tools and the processes that DevOps really excels at and apply them to security,” he says — “things like automation, orchestration, and instrumentation. Let’s use those tools to build these closed-loop security systems where everything’s automated and everything’s predictable. That’s a way we actually can fulfill the security requirements in an automated fashion with fewer resources.”
One success story that Storms cites is a healthcare company in the Northeast. “It has had serious compliance and security requirements so it performs continuous deployment. The company has extensively automated its security and compliance tests and the auditors are happy,” he says.