By Byron V. Acohido
For many start-ups, DevOps has proven to be a magical formula for increasing business velocity. Speed and agility are the name of the game — especially for Software as a Service (SaaS) companies.
Related: How DevOps enabled the hacking of Uber
DevOps is a process designed to foster intensive collaboration between software developers and the IT operations team, two disciplines that traditionally have functioned as isolated silos within the technology department.
Its rise in popularity has helped drive a new trend for start-ups to go “Cloud Native,” erecting their entire infrastructure, from the ground up, on cloud services like Amazon Web Services, Microsoft Azure and Google Cloud.
Though DevOps-centric organizations can gain altitude quickly, they also tend to generate fresh security vulnerabilities at a rapid clip. Poor configuration of cloud services can translate into gaping vulnerabilities—and low-hanging fruit for hackers, the recent Tesla hack being a prime example. In that caper, a core API was left open, allowing attackers to exploit it and begin using Tesla’s servers to mine cryptocurrency. Rising API exposures are another big security concern, by the way.
Because Amazon, Microsoft and Google provide cloud resources under a “shared responsibility” security model, a large burden rests with the user to be aware of, and mitigate latent security weaknesses.
In fact, it’s much more accurate for organizations tapping into cloud services and utilizing DevOps to think of cloud security as functioning under a “my responsibility” model. The good news is that security vendors are stepping forward with new approaches to insert security as the third pillar of DevOps.
I recently spoke to Chris Ford, vice president of product for Threat Stack, one of the innovators in this space. We met at Black Hat USA 2018. To hear our full discussion, please give the accompanying podcast a listen. Here are a few takeaways:
Baking in security
Often referred to as SecOps or DevSecOps, a movement is underway to “bake” security practices into the DevOps workflow from the beginning of production, “so it doesn’t become a security speed bump at the end when you go to deploy,” as Ford puts it.
As one might imagine, the big obstacle for inserting “Sec” is the perceived speed penalty. According to Ford, “65% of companies we surveyed said they didn’t want to do anything that would impact business velocity.” However, a contingent of security vendors, Threat Stack being one, offer innovative ways to add security to DevOps without losing business velocity.
While adding security is still widely viewed as pumping the brakes on productivity, Ford points out that overlooking security can just as easily inhibit growth in today’s interconnected digital landscape. Assuring the security fitness of third party suppliers has become an imperative on both ends of the contract.
It has become more important than ever for companies to “prove security to their end customers,” he says. “Going for security certifications like SOC 2 Type II is very important to them, in removing friction from the sales process when talking to their customers. They want assurances that the data they put into these services is secure.”
Compliance with existing and fresh data security and privacy rules and regulations is another variable driving companies to start introducing SecOps into their workflow. Those include longstanding standards such as health records rules, under HIPAA, and payment card security rules, under PCI DSS, as well as fresh rules under Europe’s revised GDPR data privacy mandate and New York State’s cyber certification rules for financial services companies.
As the speed of innovation increases, there is also a correlated rise in security risks. The consumption of public cloud services is growing at a great rate, as is the adoption of newer layers of abstraction like wider use of APIs, microservices, containers and container orchestration, Ford observes.
Related video: The role of NIST frameworks in compliance
These newer layers add even more complexity to configuration and increase the attack surface. Bottom line, according to Ford, “Understanding the configurations of your Cloud Services and on-going, continuous monitoring of that infrastructure are absolutely critical.”
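To make the two points above concrete (an exposed management API or open service as in the Tesla incident, and continuous monitoring of configuration), here is an added example that is not part of the original article and not Threat Stack's product or any cloud provider's real API. It audits a constructed inventory of cloud resources for internet-reachable endpoints without authentication and publicly readable storage, then diffs a baseline snapshot against the current one so that drift shows up as soon as a configuration changes. The record format, resource ids and field names are assumptions for illustration.

```python
"""Cloud configuration exposure check plus drift detection.

Added example over constructed resource records; the record format
(id, kind, ingress CIDRs, auth flag, public_read) is an assumption and
does not correspond to any provider's real API.
"""
from ipaddress import ip_network

# Constructed inventory snapshots (not real infrastructure).
# BASELINE is the reviewed, approved state; CURRENT is what a later
# inventory pull returns after someone "opened things up for a test".
BASELINE = [
    {"id": "api-gw-1", "kind": "api", "ingress": ["10.0.0.0/8"], "auth": True, "port": 443},
    {"id": "k8s-dashboard", "kind": "admin_console", "ingress": ["10.0.0.0/8"], "auth": True, "port": 443},
    {"id": "logs-bucket", "kind": "storage", "public_read": False},
]

CURRENT = [
    {"id": "api-gw-1", "kind": "api", "ingress": ["0.0.0.0/0"], "auth": True, "port": 443},
    {"id": "k8s-dashboard", "kind": "admin_console", "ingress": ["0.0.0.0/0"], "auth": False, "port": 443},
    {"id": "logs-bucket", "kind": "storage", "public_read": True},
]


def is_world_reachable(cidrs):
    """True if any ingress rule is a zero-length prefix (0.0.0.0/0 or ::/0)."""
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def find_exposures(resources):
    """Return (resource_id, severity, reason) tuples for risky settings.

    The worst case is the one described in the article: a management
    API or console reachable from the whole internet with no authentication.
    """
    findings = []
    for r in resources:
        kind = r["kind"]
        if kind in ("api", "admin_console"):
            open_world = is_world_reachable(r.get("ingress", []))
            authed = r.get("auth", False)
            if open_world and not authed:
                findings.append((r["id"], "CRITICAL",
                                 "reachable from the internet with authentication disabled"))
            elif open_world:
                findings.append((r["id"], "HIGH",
                                 "reachable from the internet; confirm authentication and rate limits"))
            elif not authed:
                findings.append((r["id"], "MEDIUM",
                                 "authentication disabled (internal-only reachability)"))
        elif kind == "storage" and r.get("public_read"):
            findings.append((r["id"], "HIGH", "storage is publicly readable"))
    return findings


def diff_snapshots(baseline, current):
    """Return (resource_id, field, old, new) for every changed field.

    Field names "added"/"removed" flag resources that appear or vanish.
    Running this on every inventory pull is the continuous-monitoring part:
    a finding that was absent in the baseline is drift, not an accepted risk.
    """
    before = {r["id"]: r for r in baseline}
    after = {r["id"]: r for r in current}
    changes = []
    for rid in sorted(set(before) | set(after)):
        if rid not in before:
            changes.append((rid, "added", None, None))
            continue
        if rid not in after:
            changes.append((rid, "removed", None, None))
            continue
        for key in sorted(set(before[rid]) | set(after[rid])):
            if before[rid].get(key) != after[rid].get(key):
                changes.append((rid, key, before[rid].get(key), after[rid].get(key)))
    return changes


if __name__ == "__main__":
    for rid, sev, why in find_exposures(CURRENT):
        print(f"[{sev}] {rid}: {why}")
    for rid, field, old, new in diff_snapshots(BASELINE, CURRENT):
        print(f"drift {rid}.{field}: {old!r} -> {new!r}")
```

In a real pipeline the two snapshot lists would be filled from the provider's inventory API and the script would run on a schedule or on every deployment, with a non-empty drift list or any CRITICAL finding failing the build rather than being logged and forgotten.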
It’s inevitable that SecOps and/or DevSecOps will become ingrained as a routine component of going Cloud Native. Given what’s at stake, the sooner the better.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(Editor’s note: LW has provided consulting services to Threat Stack.)