Welcome!

@DevOpsSummit Authors: Liz McMillan, Mehdi Daoudi, Elizabeth White, Jason Bloomberg, Pat Romanski

Related Topics: @DevOpsSummit, Java IoT, Linux Containers, Wearables, @CloudExpo, Government Cloud, FinTech Journal

@DevOpsSummit: Article

Integrating Security into #DevOps By @ScriptRock | @DevOpsSummit

Security John goes through a mental breakdown before finally understanding how to adapt and survive

Three Steps for Integrating Security into DevOps

The fate of CSO John in The Phoenix Project is a good parable for illustrating the dynamic and often conflicted relationship between Security and IT Operations. Security can either become a separate, obscure, and increasingly irrelevant group that everyone else resents-sounds pretty good, huh?-or it can be integrated into broader framework of the development cycle. Security John goes through a mental breakdown before finally understanding how to adapt and survive, but it doesn't have to be that hard.

Security and DevOps

Before the rise of DevOps, strong functional distinctions were supposed to help groups focus on their core competencies. Developers wrote code, operations provisioned and maintained infrastructure, and security found holes and worried about all the vulnerabilities they knew hadn't been fixed yet. This separation of knowledge, however, created inefficiencies. Problems that would have been cheap to fix during development became expensive once they had shipped.

The name "DevOps" can lead to the naive conclusion that it's just about bridging the gap between development and operations. DevOps is much more than that-it's a holistic approach to collaborating and sharing information across functions that makes everyone's lives easier and the business more successful. Or, as Mike Kavis observes, the goal is really just to be better. DevOps provides an umbrella term for a range of techniques that have worked for many people. Any way you slice, it, DevOps means thinking about making quality software quickly-and that definitely includes security.

1. Configuration Hardening

So where does security fit into DevOps? Insomuch as DevOps is associated with tooling, it has largely been about configuration management (CM). Chef, Puppet, Ansible, SaltStack, Docker-these tools commonly come up in conversations about "doing DevOps" because they abstract configuration state into versioned code. Since CM is already a well established and supported component of DevOps, it's as good a place as any to start. Activities like checking for compliance with best configuration practices and applying updates system-wide should be a natural part of the DevOps process.

2. Policy Driven Development

Rather than CM being handled differently by development and Ops-or handled by Ops only--CM with these tools (in theory) provide a means to collaborate on shared concerns. That's not always the case, of course. All too often CM tools become the domain of a specialized "DevOps team" that actually worsens your bus factor. But given that collaboration and shared knowledge is the goal, the same applies to security vis-à-vis CM. A useful model is that of policy driven development: publicly visible, executable documentation of what security compliance means for you. In the same way that test driven development means anticipating user acceptance testing, policy driven development means anticipating and addressing security requirements.

3. Visibility

Strong safety nets like effective rollback/failover plans enable teams to move faster because failures are caught immediately in low-risk environments. This is the philosophy of the Visible Ops Handbook-brakes don't make a car slow, they let it go fast. The same type of detective controls and system scanners that let teams safely adopt a DevOps deployment approach are also the most effective for traversing the harsh, unforgiving landscape of IT security. New vulnerabilities are discovered constantly, whether you're looking at open source or proprietary software. Rather than trying to create an impregnable barrier, gaining visibility into your system state allows you to effectively manage risk. Configuration monitoring should already be part of a DevOps approach. Applying it to vulnerability assessment increases security at a minimal cost.

Conclusion

When someone says you need DevOps, think about what that really means. If your goal is to check a box, then you can probably do whatever you want and say it's DevOps. If your goal is to improve service delivery to your end users, then a little extra planning for security contingencies is in order and can greatly increase your yield. It might sound paradoxical, but having stricter controls for quality-through CM, continuous integration, and configuration monitoring tools-will allow you to ship more frequently and reduce your vulnerability exposure.

More Stories By ScriptRock Blog

ScriptRock makes GuardRail, a DevOps-ready platform for configuration monitoring.

Realizing we were spending way too much time digging up, cataloguing, and tracking machine configurations, we began writing our own scripts and tools to handle what is normally an enormous chore. Then we took the concept a step further, giving it a beautiful interface and making it simple enough for our bosses to understand. We named it GuardRail after its function — to allow businesses to move fast and stay safe.

GuardRail scans and tracks much more than just servers in a datacenter. It works with network hardware, Cloud service providers, CloudFlare, Android devices, infrastructure, and more.

@DevOpsSummit Stories
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin, will discuss the main security considerations enterprises face when rolling out SDDCs and how they can harness key functionality of a virtual environment to achieve more granular security controls across hybrid environments.
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereum.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In their Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, and Mark Lavi, a Nutanix DevOps Solution Architect, explored the ways that Nutanix technologies empower teams to react faster than ever before and connect teams in ways that were either too complex or simply impossible with traditional infrastructures.
@CloudEXPO and @ExpoDX, two of the most influential technology events in the world, have hosted hundreds of sponsors and exhibitors since our launch 10 years ago. @CloudEXPO and @ExpoDX New York and Silicon Valley provide a full year of face-to-face marketing opportunities for your company. Each sponsorship and exhibit package comes with pre and post-show marketing programs. By sponsoring and exhibiting in New York and Silicon Valley, you reach a full complement of decision makers and buyers in multiple vertical markets. Our delegate profiles can be located in our show prospectus.
"At the keynote this morning we spoke about the value proposition of Nutanix, of having a DevOps culture and a mindset, and the business outcomes of achieving agility and scale, which everybody here is trying to accomplish," noted Mark Lavi, DevOps Solution Architect at Nutanix, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.