Security does not hinder DevOps

As Hong Kong companies start embracing DevOps in their organization, analyst and IT insiders remind CIOs and others responsible not to forget security as they journey towards the road of agile IT.

As DevOps is steadily gaining mindshare in enterprises, these industry observers point to the need to secure the environment that enables agile IT in the wake of increasingly sophisticated cyber threats. And they have a term for it: DevSecOps.

DevSecOps is the integration of security into emerging agile IT and DevOps development models, ideally without reducing agility or speed and largely transparent to developers.

“DevSecOps is an objective where security checks and controls are applied automatically and transparently throughout the development and delivery of IT-enabled services in rapid-development DevOps environments,” said Ian Head, research director at Gartner.

The research firm predicts that putting built-in security in the DevOps lifecycle will be the norm among enterprises in the near future.

Gartner foresees that by 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security and configuration scanning for open source components and commercial packages. Moreover, in three years’ time, more than half of these DevOps initiatives will have incorporated application security testing for custom code; and over 60% of DevOps initiatives will have adopted a version control and tight management of infrastructure automation tools.

“Adoption of DevSecOps in Asia Pacific is slow but interest is high. Several security vendors directly target DevSecOps process and cultural changes required across IT organizational silos to adopt agile ‘DevOps like’ models and, further, to include security into the vision,” Head said.

Automating security within the DevSecOps tool chain

Gartner said that the goal of information security architects must be to automatically incorporate security controls without manual configuration throughout this cycle in a way that is as transparent as possible to DevOps teams and doesn’t impede DevOps agility, but fulfills a company’s legal and regulatory compliance requirements as well as manages risk.

“Security controls must be capable of automation within DevOps toolchains in order to enable this objective. This is important for two reasons. First, automation reduces the chance of misadministration and mistakes, which are leading causes of operations incidents, unexpected downtime and successful security attacks. Second, high levels of automation eliminate the need for involvement from security professionals to manually configure a security setting using a security console (and thus impacting the agility of DevOps environments),” Head said.

When security platform capabilities – such as identity and access management (IAM), firewalling, vulnerability scanning, application security testing and so on – are exposed programmatically, the integration and automation of these security controls are enabled throughout the DevOps lifecycle in automated toolchains. Information security sets the policies, which can then be applied programmatically based on the type of workload.

However, Gartner observed that many security vendors lag in their ability to be driven programmatically: they still require a trained person to work from their console, or expose only a portion of their security functionality through APIs.

One security vendor, CyberArk, bucked this trend this week by announcing the availability of an open-source version of CyberArk Conjur, which lets DevOps teams automatically secure and manage the secrets used by machines and users, to protect containerized and cloud-native applications across the DevOps pipeline.

CyberArk specializes in privileged account management and recently acquired Conjur, a platform-independent secrets management solution architected specifically for securing containers and microservices.

“DevOps practices and automation improve agility, but also introduce security risks, such as storing secrets in source code repositories or leaving credentials sitting around on disk. We need to automate secret management into the process as well, and create an audit trail to prove we are delivering code and services securely,” said Jeffrey Kok, senior director of pre-sales – APJ, CyberArk.
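To make concrete what an automated, developer-transparent security check in a pipeline looks like (the programmatic controls Gartner describes above) and the specific risk Kok names (secrets committed to source repositories), here is an added example of a small pre-merge gate that scans a change set for hard-coded credentials. It is illustration written for this article, not CyberArk Conjur or any vendor's product; the detection rules, the `# allow-secret` override marker, and the sample files are all constructed assumptions. Real pipelines would pair such a check with a secrets store and rotate anything the gate finds.

```python
"""
Hypothetical CI gate that fails a merge when a change set contains
hard-coded credentials. Added example, not a vendor tool; the rules,
override marker and sample files below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Each rule is (name, compiled regex). Patterns are deliberately conservative
# so the gate fails on clear credential material rather than on every string.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("assigned-password", re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*['"]([^'"]{8,})['"]""")),
]

# Values that look like templates rather than real secrets are not findings.
PLACEHOLDERS = re.compile(r"^(?:<[^>]+>|\$\{[^}]+\}|CHANGE[_-]?ME|xxx+|\*+)$", re.IGNORECASE)

# Hypothetical inline override; a reviewer must see and accept it in the diff.
OVERRIDE_MARKER = "# allow-secret"


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents and return every line that trips a rule."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if OVERRIDE_MARKER in line:
            continue
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            # Rules with a capture group report the value; others the whole match.
            captured = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDERS.match(captured.strip()):
                continue
            findings.append(Finding(path, lineno, name))
            break  # one finding per line is enough to fail the gate
    return findings


def gate(files: Dict[str, str]) -> Tuple[bool, List[Finding]]:
    """Return (passed, findings) for a change set given as {path: contents}."""
    findings: List[Finding] = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return (len(findings) == 0, findings)


# Constructed change set standing in for the files touched by a pull request.
# The AKIA... value is the example key ID from AWS's own documentation.
SAMPLE_CHANGESET = {
    "config/settings.py": 'DB_PASSWORD = "${DB_PASSWORD}"\nAPI_KEY = "CHANGEME"\n',
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "scripts/backup.sh": 'PASSWORD="hunter2hunter2"   # copied from a wiki page\n',
    "certs/README.md": "Keys are provisioned at deploy time; never commit them.\n",
}


def main() -> int:
    """Print a report in path:line: rule form and return the CI exit status."""
    passed, findings = gate(SAMPLE_CHANGESET)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}")
    print("gate:", "PASS" if passed else "FAIL (remove the credential and rotate it)")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a pipeline step, the non-zero exit status blocks the merge without any security engineer touching a console; the override marker keeps the exception visible in the diff so it is reviewed rather than silently waved through, and the placeholder list stops the gate from flagging templated values that are injected from a secrets store at deploy time.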

He noted that enterprise customers in the region are paying more attention to cloud security, but improvements are needed.