DevOps, the extension of the Agile movement that bridges the gap between development and operations teams to deliver better applications faster, is growing by leaps and bounds, but that also means the opportunities for security problems are growing, according to Nimmy Reichenberg, Vice President, Marketing and Business Development, AlgoSec. Agility is the name of the game, and it shouldn’t stop at DevOps, he said. Stability and availability of critical applications must stay at 99.999% or better while new features and functionality are churned out faster; with security added to the DevOps mix, organizations can achieve that agility and operational excellence while improving the checks and balances applied before changes are pushed into production.
“Security is still bolted on, even in DevOps,” said Reichenberg. “Because it is bolted on, or an afterthought, the result is one, a business agility issue, and two, a security issue.”
AlgoSec, the maker of security policy management tools, has just released a new study finding that application connectivity management challenges are impacting security and business agility.
Critical business applications fuel today’s data centers, but security teams lack visibility into how security activities impact the business, said Reichenberg in a prepared statement. “As a result, provisioning connectivity for data center applications is time-consuming, severely hampering business agility and increasing the risk of business disruptions and security breaches caused by errors in firewall configuration… and as our study shows, these challenges are magnified when migrating applications or entire data centers to the cloud.”
When it comes to data center applications, speed and agility tend to be lacking. Half of the respondents need more than 5 weeks to deploy a new data center application, and 25% need more than 11 weeks. Nearly half (45%) handle more than 11 business application connectivity change requests every week, and 21% handle more than 20 per week, yet 59% say each change request takes more than 8 hours to process, and 31% say it takes more than one business day.
In a recent blog post, Reichenberg said development and operations teams have traditionally viewed security as a bottleneck, because security by its nature adds checks to the process of making changes and pushing out new capabilities. By bringing security into the DevOps model, organizations can gain that improved agility and operational excellence while also improving the checks and balances applied before changes reach production. Add the growing interest in next-generation infrastructure and the move from physical data centers to private and hybrid clouds, and integrating security with DevOps becomes even more important.
“We talk to customers who have weekly blame-storming meetings. That’s something the DevOps movement is supposed to improve.”
Reichenberg said he thinks most organizations are doing something about security and DevOps, but they’re not doing enough. “Whatever shade you choose, DevOps is absolutely necessary. The concept of deployment not being an afterthought to product development, and security not being an afterthought to product development is critical.”
Our vision is to help organizations manage security at the speed of business, he said. “Security is notorious for people saying No! It also has been notorious for slowing down the business.”
Under The Hood
Reichenberg said organizations need to look at the three Cs when it comes to integrating security into DevOps.
Collaboration: Collaboration between the three disparate, yet linked, teams is important, especially when considering the process for making security changes. Instead of working in silos, if all of the key stakeholders understand and are involved in the change process from the beginning, you can ensure the proper checks and balances and provide the proper visibility from all angles (i.e. application connectivity needs, security and compliance checks, and broader network requirements). Improving the collaboration between these teams not only enables a more secure and agile network environment, but also provides opportunities to examine other strategies to further improve the business. Automating more processes can help force collaboration – as well as communication, which we’ll look at next.
Communication: According to a recent survey of approximately 620 enterprise engineers conducted by RebelLabs, traditional IT Ops teams spend 41% more time on communication and 26% more time on firefighting than DevOps-oriented teams, and less time on task automation and infrastructure improvements. Communication is obviously tied tightly to collaboration; it is hard to have one without the other. Nowhere is this more apparent than in the security change process, where an application owner requests a connectivity change, network operations must process the change, and security must ensure the change is made in a secure manner that doesn’t create new risk.
Co-ownership: The DevOps model embeds each team more deeply into the fabric of the other. Developers shouldn’t simply throw code over the fence to operations to push into production, and operations shouldn’t stay away until code is ready to be deployed to a production environment. The same goes for information security. The information security team should be involved with the developers from the start to make sure the application code is secure, and with operations to ensure that changes pushed into the network don’t create new risk. Sharing the responsibility across these teams facilitates teamwork and helps improve the process around publishing new functionality, as well as demonstrating compliance, security enforcement, and operational efficiency.
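The three Cs describe a connectivity change request passing from an application owner through network operations to security. One concrete way to make that shared ownership automatic rather than a weekly blame-storming meeting is to encode the security team’s rules as a pre-check that runs when the request is filed, rejecting changes that break a hard rule and routing borderline ones to a human. The script below is an added illustration and is not AlgoSec’s code or a description of its product; the request format, the zone map, the port lists and the rules are all assumptions chosen for the example, and the sample requests are constructed.

```python
"""Policy-as-code pre-check for application connectivity change requests.

Added, stand-alone example (not AlgoSec's code). The request format, zone
map and rules are assumptions made for illustration; in practice the zone
map comes from the CMDB or policy tool and the rules from the security team.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRequest:
    request_id: str
    app: str          # owning application (hypothetical field)
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: tuple      # destination TCP ports; an empty tuple means "all ports"


MGMT_PORTS = {22, 23, 3389, 5900}        # SSH, telnet, RDP, VNC
DB_PORTS = {1433, 1521, 3306, 5432}      # MSSQL, Oracle, MySQL, PostgreSQL

# Constructed zone map; anything outside these ranges is treated as "internet".
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/16"),
    "db":  ipaddress.ip_network("10.30.0.0/16"),
}


def zone_of(cidr: str) -> str:
    """Name of the most specific zone containing cidr, or 'internet'."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if net.subnet_of(zone):
            return name
    return "internet"


def touches(req: ChangeRequest, ports: set) -> bool:
    """True if the request opens any of the given ports (empty tuple = all)."""
    return not req.ports or bool(ports & set(req.ports))


def evaluate(req: ChangeRequest):
    """Return (verdict, findings); verdict is 'approved', 'review' or 'rejected'."""
    violations, warnings = [], []
    src_net = ipaddress.ip_network(req.src, strict=False)
    dst_net = ipaddress.ip_network(req.dst, strict=False)
    src_zone, dst_zone = zone_of(req.src), zone_of(req.dst)

    # Hard rules: rejected automatically, no meeting required.
    if src_net.prefixlen == 0 and dst_net.prefixlen == 0:
        violations.append("any-to-any rule")
    if src_zone == "internet" and touches(req, MGMT_PORTS):
        violations.append("management port reachable from the internet")
    if src_zone == "internet" and dst_zone == "db":
        violations.append("internet reaching the database zone directly")
    if touches(req, DB_PORTS) and src_zone != "app":
        violations.append(f"database port opened from zone '{src_zone}'")

    # Soft rules: a human on the security team signs off, but the request proceeds.
    if src_zone == "internet":
        warnings.append("internet-facing exposure, security sign-off required")
    if src_zone != "internet" and src_net.prefixlen < 24:
        warnings.append(f"broad internal source {req.src}, confirm scope")

    if violations:
        return "rejected", violations
    if warnings:
        return "review", warnings
    return "approved", []


def triage(requests):
    """Map request id -> verdict so the ticket queue can be routed automatically."""
    return {r.request_id: evaluate(r)[0] for r in requests}


# Constructed sample change requests (not real data).
SAMPLE_REQUESTS = [
    ChangeRequest("CR-1001", "orders-web", "10.20.5.0/24", "10.30.1.10/32", (5432,)),
    ChangeRequest("CR-1002", "orders-web", "0.0.0.0/0", "10.10.1.20/32", (443,)),
    ChangeRequest("CR-1003", "ops-jump", "0.0.0.0/0", "10.10.1.20/32", (22, 443)),
    ChangeRequest("CR-1004", "reporting", "10.10.0.0/16", "10.30.1.10/32", (3306,)),
    ChangeRequest("CR-1005", "legacy-batch", "0.0.0.0/0", "0.0.0.0/0", ()),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, findings = evaluate(req)
        print(f"{req.request_id} ({req.app}): {verdict}")
        for finding in findings:
            print(f"    - {finding}")
```

Run as-is it prints a verdict per request: the app-zone-to-database request is approved without anyone touching it, the HTTPS exposure goes to security for sign-off, and the SSH-from-anywhere, DMZ-to-database and any-to-any requests are rejected with the reason attached to the ticket. The point of splitting hard rules from soft rules is that security stops being the team that says No! to everything: the rules it would always enforce run on every request, and its people only see the ones where judgement is actually needed.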