DevSecOps in the cloud
Security is everyone's job, but who's responsible when it's in the cloud?
Businesses have to develop and release new features continuously to remain relevant. This capability is enabled by DevOps, which enables a continuous cycle of development, testing and release. But the very nature of DevOps can pose a security risk to the business, because the more new updates you release, the more opportunities there are for security threats.
"This doesn't necessarily have to be the case," says Gary de Menezes, Country General Manager for sub-Saharan Africa at Micro Focus, "as this is where DevSecOps comes into its own."
With a DevSecOps model, security is integrated into the DevOps process. De Menezes poses the valid question: is DevOps in the cloud a viable enterprise grade toolset that enterprises can consider, or should it be an on-premises application?
"Businesses need to decide between on-premises and the cloud, as well as where they want to use which applications. Bearing in mind that in South Africa (and indeed elsewhere in the world), enterprises have the challenges around data regulations and what data they can put in the cloud."
This is particularly relevant to the banking and insurance industries. "Over the past 12 months, we've seen a major increase in South Africa enterprises making a strategic decision to move into the cloud. Previous concerns around governance seem to be becoming less of an inhibitor."
De Menezes cites the two main reasons for this shift into the cloud: "Firstly, there are the cost savings inherent in moving DevOps to the cloud; it simply costs less in the cloud than it would to do it on-site. This is because the average in-house IT department may not have the technical capabilities required to meet business demand for new products. The other reason is that businesses are demanding faster turnaround times on DevOps projects and this is posing a whole new set of challenges for internal IT teams. They can't upskill staff quickly enough to attain the agility and speed to market that's expected in today's business environment. The agility is simply not there."
In fact, this generally outweighs the cost factor as a driver of DevOps into the cloud, he says. However, the benefits of DevOps in the cloud notwithstanding, there are also inherent challenges to be faced by enterprise. De Menezes goes on to clarify: DevOps by its very nature introduces more complexity into the process as it represents a move from just testing a final delivered product, to a world in which you're constantly going back and forth, testing and revising multiple times before the product is released. However, incorporating testing into the DevOps cycle has also introduced better efficiencies, especially for the sectors that can't afford their applications to be offline, such as banks.
Natasha Simitci, DevOps Portfolio Manager at Micro Focus, adds: "This new way of doing things requires collaboration between various business units within the enterprise. In traditionally structured enterprises, different areas of the business don't always work together. This means that there's little to no visibility across different business units and this is where many enterprises fail because the business's own structure is inhibiting it from moving forward. You'll routinely find that 70% of the business will be agile and adopt the new application or process and the remainder will stick with the old way of doing things."
It's all about the company's culture and its processes; the cloud requires that people do things differently to how they've always done them. It breaks down barriers between the different functional areas of IT within large organisations. People are able to move to a DevOps framework more quickly if it's in the cloud, it just means they need to change the way that they do things, continues Simitci. "Doing it this way requires less technical skills and you're able to achieve more quickly, plus it's a consumption-based model. You have the option to start small and grow as required. The main inhibitor is neither technical skills nor hardware, it's how quickly you can get people to adopt the new process."
Bringing in security
The current challenge around DevOps in the cloud is incorporating security into the DevOps cycle. De Menezes says: "In most enterprises, IT security is regarded as something that's carried out by a regulatory body as opposed to being an integrated part of your software life cycle."
It's becoming critical to introduce security at the coding level in the face of the increasing number of cyber attacks that we're seeing. "All too often security testing is done as the product goes out of the door, but what most people don't know is that 80% of the cyber attacks that we read about happened at application level," says Simitci.
Security has to be incorporated from the very beginning of the code writing and testing process. This is why it's critical to integrate the different parts of the enterprise into the DevOps cycle. De Menezes says: "We're seeing a proliferation of open source software within the enterprise. Open source is all well and good, it's being enabled by the cloud, but if you can't integrate all of that somewhere along the line, you're on a hiding to nothing from a security point of view.
"This is virtually impossible to do if you have an on-premise DevOps process; it's far easier to do if you're in the cloud." He goes on to explain: the key is to choose enterprise grade vendors who can integrate everything into the cloud for you. This is a vital point, you won't get an enterprise-grade DevSecOps solution in the cloud from a small niche software vendor. And the time and resources you'll have to allocate to trying to integrate all those bits and pieces will be untenable."
As enterprises struggle to strike a balance between licensing on-premises software versus cloud offerings, there's a third option available to them: an automatically integrated DevSecOps solution in the cloud. "This is the fastest way for enterprises to move applications around securely, but it requires the enterprise choosing the right vendor to partner," says De Menezes.
It's all about the end result
In large enterprises there can be a disjointed approach to selecting tools of choice, which isn't necessarily a bad thing, according to Simitci, as it can help the organisation remain agile. "However, in order to report or act as an enterprise, you need to collaborate. You can't have a disjointed approach to DevOps if you want to move to DevSecOps. Bearing in mind that the amount of time you spend forcing people to use a specific tool can cause more disruption than allowing them to choose from a range of tools that can be integrated down the line. If you're in the cloud, the vendor will do it all for you, the enterprise just wants the output, regardless of the tool that got it there."
DevSecOps is an extension of the same service, it just incorporates security into the entire process. De Menezes explains: "The life cycle of an application is the same regardless of the application or the industry that's using it. It's the toolsets and processes within the organisation that differ. DevSecOps doesn't tell the enterprise how to write an app, it just introduces a skillset around security and access that will ensure security of the applications used so that the enterprise can achieve a best-of-breed build. The enterprise gets a toolset with a framework to guide users, but at the same time, the flexibility to decide what tools to plug into that."
The average large corporate could have thousands of applications in use; how do you decide which ones to secure? It's just not possible, says De Menezes, a security hack could impact anywhere so you need to test all of the applications' security. "It's all about visibility and traceability," he continues, "you need to see the pipeline from end to end, and stay abreast of vulnerability threats. Enterprise doesn't have the resources to do this, which is why DevSecOps is so vital."
He concludes by saying: "DevSecOps in the cloud is a very viable solution, and a proven one, but enterprises are being held back by their own internal challenges, which is impacting adoption rate."
The diagram below illustrates the integration of security into DevOps:
Read more about this topic here: