Traditionally, security has been seen as a guardian against change. It has been thought of as a silo. It’s a box you need to tick. It’s a hurdle to overcome. Security inevitably comes as an almost afterthought. Who hasn’t seen the penetration testing left until two weeks before go-live on a 6-month project? When an issue is raised, is the go-live delayed? Probably not. Just add it to the risk register.
It doesn’t have to be this way
Large organisations usually struggle with silos that create friction and inefficiencies. It wasn’t that long ago that IT organisations were heavily siloed. Only a few years ago, code was developed, tested and then thrown over the wall to Operations. The operations team then waded through a complex manual deployment procedure. The next few days were spent with the development team explaining how it worked in “their environment”. The operations team spent half their time emailing log files backwards and forwards to mop up issues. It wasn’t pretty or effective, and neither team could keep their head above water. The only way forward was to collaborate. As a result, development and operations teams came together and used the power of the Cloud. Defining “everything as code” introduced automation efficiencies into a single end-to-end approach that we now call DevOps.
Don’t forget security
Now the security team is on the outside looking in and wondering why they didn’t get an invite to the party.
There’s almost a tsunami of information for security teams to deal with in 2018. The Cloud represents a dynamic environment where the old tools and approaches to security no longer apply. How can you possibly make sense of it all and stay ahead of the attackers out there? We need to circle back to the history of DevOps. In the dynamic world of Cloud, there are two fundamentals for security.
- It’s borderless, so you need to build defence in depth. The old adage of building a bigger wall no longer applies;
- It’s dynamic, so you need to know what is happening right now. Real-time visibility of your environment is essential to being confident and knowing when to react and move.
Bake it in
DevSecOps is nearly as overused a term as DevOps.
You build it. Securely. You run it. We watch you. If you think about it, the steps to follow are logical and even obvious:
- Plan your security approach from day zero;
- Bake it into your development process;
- Include security testing as part of your pipeline;
- Don’t leave security testing to a go-live readiness step.
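The four steps above come together as a gate in the pipeline itself: every build is scanned, and the build fails on findings at or above an agreed severity unless the finding sits on a risk register entry that has not yet expired. The following is an added example written for this post, not code from the original author; it reads the SARIF 2.1.0 format that most scanners can emit, and the report contents, tool name, rule ids, file paths and dates are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# SARIF 2.1.0 result levels, ranked so a severity threshold can be applied.
SARIF_LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str
    message: str
    location: str


def parse_sarif(report: dict) -> list[Finding]:
    """Flatten a SARIF report into a list of Findings."""
    findings: list[Finding] = []
    for run in report.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown-tool")
        for result in run.get("results", []):
            location = "<no location>"
            locations = result.get("locations", [])
            if locations:
                location = (locations[0].get("physicalLocation", {})
                            .get("artifactLocation", {}).get("uri", location))
            findings.append(Finding(
                tool=tool,
                rule_id=result.get("ruleId", "unknown-rule"),
                level=result.get("level", "warning"),  # SARIF default level
                message=result.get("message", {}).get("text", ""),
                location=location,
            ))
    return findings


def evaluate_gate(findings, fail_at="error", accepted_risks=None, today=None):
    """Split findings at or above `fail_at` into (blocking, waived).

    accepted_risks maps (rule_id, location) -> expiry date. A waiver only
    counts while it is still in date; an expired entry blocks again, so the
    risk register cannot quietly become a permanent exception list."""
    today = today or date.today()
    accepted_risks = accepted_risks or {}
    threshold = SARIF_LEVEL_RANK[fail_at]
    blocking, waived = [], []
    for f in findings:
        if SARIF_LEVEL_RANK.get(f.level, SARIF_LEVEL_RANK["warning"]) < threshold:
            continue
        expiry = accepted_risks.get((f.rule_id, f.location))
        (waived if expiry is not None and expiry >= today else blocking).append(f)
    return blocking, waived


# Constructed sample report: tool name, rule ids, messages and paths are
# illustrative only, not output from any real scanner or project.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "hardcoded-credential", "level": "error",
             "message": {"text": "Credential literal in source"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.py"}}}]},
            {"ruleId": "insecure-tls-version", "level": "error",
             "message": {"text": "TLS 1.0 permitted"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client.py"}}}]},
            {"ruleId": "debug-logging", "level": "warning",
             "message": {"text": "Debug logging enabled"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.py"}}}]},
        ],
    }],
}

# Constructed risk register: the TLS finding is accepted until the end of 2018.
ACCEPTED_RISKS = {("insecure-tls-version", "src/client.py"): date(2018, 12, 31)}
BUILD_DATE = date(2018, 6, 1)  # constructed "today" so the example is reproducible


def run_gate(report=SAMPLE_SARIF, accepted_risks=ACCEPTED_RISKS,
             fail_at="error", today=BUILD_DATE) -> bool:
    """Print the gate decision and return True when the build may proceed."""
    blocking, waived = evaluate_gate(parse_sarif(report), fail_at, accepted_risks, today)
    for f in blocking:
        print(f"BLOCK  {f.level:<7} {f.rule_id} at {f.location}: {f.message}")
    for f in waived:
        print(f"WAIVED {f.level:<7} {f.rule_id} at {f.location} "
              f"(accepted until {accepted_risks[(f.rule_id, f.location)]})")
    return not blocking


if __name__ == "__main__":
    import sys
    sys.exit(0 if run_gate() else 1)
```

The exit status is what the pipeline acts on, so the same script fails the build on a developer's branch weeks before go-live rather than in the readiness review. Tightening `fail_at` to `"warning"` is a one-line policy change once the team has the capacity to absorb it.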
The result is code that is more secure and has fewer issues. There should be no surprises here. It builds unity between the three teams. It also means that the security team who are watching the environments will no longer be occupied with cleaning up after deployments. They will spend more time ensuring the real attackers are held at bay and less dealing with the basics such as managing technical debt.
Right here, right now
In the Cloud, the 6-monthly audit from your favourite global consulting giant is no longer sufficient. You don’t have a map on the wall that you can point at, as the landscape can and will change. Near real-time monitoring and alerting are where you need to be. Use the tools and capabilities of the Cloud providers, such as the fantastic AWS GuardDuty service, or some of the ecosystem providers like SumoLogic, to not only enable security but also demonstrate it in real time. Visibility tools such as SumoLogic in particular are fantastic at contextualising your data across platform, operating system and application. They help deliver the alerts and data that really matter to your security teams.
Combine the real-time alerting with continuous security testing through someone like Rapid7 and you have very rich intelligence for your organisation.
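What “contextualising across platform, operating system and application” means in practice is correlation: three low-value events from three layers become one alert when they share a source within a short window. The block below is an added example written for this post, not code from the original author or from any of the products named above. It assumes a constructed, pipe-delimited log line format of `timestamp|layer|source|detail`, and every log line in it is constructed (the addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24).

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    layer: str    # "platform", "os" or "application"
    source: str   # client address as seen by that layer
    detail: str


def parse_line(line: str) -> Event:
    """Parse the constructed 'ts|layer|source|detail' format assumed here."""
    ts, layer, source, detail = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), layer, source, detail)


def correlate(events, window: timedelta, min_layers: int = 2) -> list[dict]:
    """One alert per source whose events span `min_layers` distinct layers
    inside a sliding window of length `window`.

    Events are grouped by source, sorted by time, and the window is slid over
    each group; the window covering the most layers becomes the alert."""
    by_source: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(evs)):
            # Drop events from the front until the window fits.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            layers = {e.layer for e in evs[start:end + 1]}
            if len(layers) >= min_layers and (best is None or len(layers) > len(best["layers"])):
                best = {
                    "source": source,
                    "layers": sorted(layers),
                    "first_seen": evs[start].ts,
                    "last_seen": evs[end].ts,
                    "events": evs[start:end + 1],
                }
        if best is not None:
            alerts.append(best)
    return alerts


# Constructed log lines from three layers; none of this is real telemetry.
CONSTRUCTED_LOG = """\
2018-06-01T09:00:02|platform|203.0.113.5|ConsoleLogin failure for user deploy
2018-06-01T09:00:17|os|203.0.113.5|sshd: Failed password for deploy
2018-06-01T09:00:41|application|203.0.113.5|POST /login 401 user=deploy
2018-06-01T09:07:10|application|198.51.100.7|POST /login 401 user=alice
2018-06-01T10:30:00|os|203.0.113.5|sshd: Failed password for root
""".strip().splitlines()


def detect(lines=CONSTRUCTED_LOG, window_seconds: int = 60, min_layers: int = 2) -> list[dict]:
    """Parse the lines, correlate them and print each alert with its context."""
    alerts = correlate([parse_line(l) for l in lines], timedelta(seconds=window_seconds), min_layers)
    for a in alerts:
        span = (a["last_seen"] - a["first_seen"]).total_seconds()
        print(f"ALERT {a['source']}: {len(a['events'])} events across "
              f"{', '.join(a['layers'])} within {span:.0f}s")
        for e in a["events"]:
            print(f"    {e.ts.isoformat()} [{e.layer}] {e.detail}")
    return alerts


if __name__ == "__main__":
    detect()
```

With the constructed input, the three failures from 203.0.113.5 inside 39 seconds produce a single alert carrying the platform, OS and application context, while the lone application failure from 198.51.100.7 and the much later SSH failure stay below the bar. The window length and `min_layers` are the tuning knobs a security team adjusts against its own false-positive rate.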
It doesn’t stop there
Once you have all this in place, you might be ready to automatically respond to standard security incidents. Let the machines do the work and sleep soundly in your bed. Automated response will be the subject of a future blog.
In the meantime, if something here has piqued your interest, feel free to get in contact with us and let us show you how we can enable your business through security.