Security is part of DevOps, but many people assume it isn't. In the DevOps world, different teams collaborate to bring a product to fruition quickly, and there is a common feeling that Security will only slow the process down. In this post I'm going to explain why it's important that Security has a seat at the DevOps collaborative table, and how it fits within the DevOps realm.
Security is in the Public Eye More than Ever
As our culture and society connect worldwide through the digital age, security and privacy are growing concerns for the general public. This is exemplified by brand-name vulnerabilities such as "Heartbleed", which affected any server or client built on a vulnerable version of OpenSSL, or "Shellshock", which affected nearly every system running bash. Breaches now number in the thousands, spanning social media, retail, insurance, and even entertainment.
Teenagers and even younger children are now familiar with the idea of Denial of Service attacks, and with the effects of hacking through cyberbullying. So, more than ever, the DevOps paradigm needs to include Security when providing services to the masses, so that the team is ready to fight fires when they break out.
Security Matches Up with DevOps
Security isn't just a necessity. It also interweaves naturally with a healthy approach to DevOps. Take for instance the Information Security Triad (the CIA triad), consisting of Confidentiality, Integrity, and Availability, which together frame how data and services are secured. Each of these also maps onto an objective of DevOps.
"For any information system to serve its purpose, the information must be available when needed." 1
Just as Security wants to weather and recover from attacks or downtime, DevOps wants availability. We're always looking to provide fast services and to automate our way around ensuring uptime when bad things happen (because they will).
"That a system and its data are not manipulated for unauthorized functionality or alteration." 2
Integrity lets us find holes when they occur, and that means our DevOps processes must not only consistently meet an agreed-upon standard but also be repeatable (on top of providing the uptime our availability goal demands). By having a standardized and repeatable process for how we build apps and infrastructure, we're better equipped both to enforce policy and to detect anomalies in our services: if every node is built the same way, anything that deviates from that build stands out.
"The requirement that private or confidential information not be disclosed to unauthorized individuals." 2
Once we've created a service or product that is fast, standardized, and repeatable, we want to make sure that only the people who should reach the service can do so. This applies especially to the tools that help us do DevOps, such as Chef or Puppet servers: access to them should be controlled, but it shouldn't be siloed. They should provide enough control to enforce least privilege while still allowing a collaborative spirit and an agile process.
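To make the integrity point concrete, here is an added example (not code from the original post, and not part of Chef itself) of the anomaly detection that a standardized, repeatable build enables. It assumes the build pipeline emits a manifest of artifact paths and their SHA-256 digests, and it compares a node's actual files against that manifest; the manifest, the file contents, and the paths below are all constructed for illustration.

```ruby
require 'digest'

# Constructed example: the "agreed-upon standard" for a build, expressed as a
# manifest of artifact paths and their expected SHA-256 digests. In practice
# the build pipeline would generate this and publish it with the release.
EXPECTED_MANIFEST = {
  '/etc/app/config.yml' => Digest::SHA256.hexdigest("listen: 8080\nlog_level: info\n"),
  '/opt/app/bin/server' => Digest::SHA256.hexdigest("#!/bin/sh\nexec /opt/app/server\n"),
}.freeze

# Constructed example of what a node actually has on disk after a deploy:
# config.yml was edited by hand, a stray debug script appeared, and the
# server wrapper matches the standard.
ACTUAL_FILES = {
  '/etc/app/config.yml' => "listen: 8080\nlog_level: debug\n",
  '/opt/app/bin/server' => "#!/bin/sh\nexec /opt/app/server\n",
  '/opt/app/bin/debug.sh' => "#!/bin/sh\nnc -l 4444\n",
}.freeze

# Compare a node's files (path => content) against the manifest
# (path => expected digest). Returns a hash of findings:
#   :modified   => paths whose digest differs from the standard
#   :missing    => paths the standard requires but the node lacks
#   :unexpected => paths present on the node that the standard does not list
def verify_integrity(manifest, actual)
  findings = { modified: [], missing: [], unexpected: [] }
  manifest.each do |path, expected_digest|
    content = actual[path]
    if content.nil?
      findings[:missing] << path
    elsif Digest::SHA256.hexdigest(content) != expected_digest
      findings[:modified] << path
    end
  end
  (actual.keys - manifest.keys).each { |path| findings[:unexpected] << path }
  findings
end

# A node is compliant only when nothing was modified, nothing is missing,
# and nothing unexpected has appeared.
def compliant?(findings)
  findings.values.all?(&:empty?)
end

if __FILE__ == $PROGRAM_NAME
  findings = verify_integrity(EXPECTED_MANIFEST, ACTUAL_FILES)
  findings.each { |kind, paths| paths.each { |path| puts "#{kind}: #{path}" } }
  puts(compliant?(findings) ? 'node matches the standard' : 'node has drifted from the standard')
end
```

The same comparison works for packages, service definitions, or user lists as long as the standard is expressed in a form the node can be measured against; the unexpected-file category is usually the most interesting one in an incident, because a repeatable build has no reason to produce files it never declared.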
With all of that in mind, you can see why security aligns well with DevOps, and why it is important. But how do we apply this to deploying the tools we use in DevOps, such as an automation and infrastructure management tool like Chef Server? Look for my next blog post to find out more, or, if you're around at ChefConf on April 1st, 2015 at 3:20pm, come see my presentation.
1. Information security. (2015, March 19). In Wikipedia, The Free Encyclopedia. Retrieved 21:52, March 27, 2015, from http://en.wikipedia.org/w/index.php?title=Information_security&oldid=652104012
2. NIST Special Publication 800-33, csrc.nist.gov