At least 42% of CEOs have already begun a business digital transformation, with IT-related priorities at an all-time high (Gartner Survey Results). While CEOs are beginning to understand and set digital transformation agendas, the responsibility for delivering the promised benefits lies with the CIO. This means that CIOs are equally responsible for ensuring a company’s digital transformation has the processes in place to safeguard security measures and remain compliant with regulations.
73% of CIOs see cybersecurity as a key area of investment in 2018 and 2019. And at the same time, digital transformation is seen as the highest priority strategy to support organisational growth goals. Investing in DevOps is a highly recommended place to start.
This blog looks at how DevOps practices result in more secure systems by design, enabling CIOs to achieve their transformational targets whilst strengthening security.
Baking in security from the start
All too often, security has been seen as something to be bolted on to a project after the important features have been completed and tested. This approach was problematic even before agile, when months or years between releases at least left time to add security and test it before going live.
Today, with an ever-growing cyber threat and organisations striving for continuous delivery with weekly or daily releases, leaving security to the last minute is simply not an option.
The answer lies in the way DevOps rewrites the old ways of working, shifting security left in the SDLC (Software Development Lifecycle) until it is present by default in every iteration.
It does this through a number of approaches, starting with the culture. All teams and individuals involved need to understand not just the ‘how’ but also the ‘why’. Everyone must buy in to working toward one shared objective with security at its foundation; that buy-in is essential to success.
Developers should be educated about the importance of introducing security into the SDLC and its impact on delivery. Fostering a culture of care reduces workarounds, which removes vulnerabilities and creates more secure systems from the outset.
Promoting a blame-free culture where people feel they can find new ways of working, fail fast and learn from each iteration is imperative – with guidance coming from an overall agile framework. Practitioners often do their best work when they are given the opportunity to exercise the very wealth of knowledge and experience they were hired for in the first place.
A practical approach to security
Automated testing is key, and not just because it reduces human error. It ensures consistent quality gates throughout the SDLC, including security checks. This not only increases confidence in the software being delivered, it guarantees that everything that has passed through the lifecycle has been cleared by security.
DevOps also enables transparency across the SDLC. Using IaC (Infrastructure as Code), teams can put the infrastructure through the same SDLC as the application it will eventually host. This allows security checks to be applied to the infrastructure definitions as well, ensuring compliance, policies and security best practices have been adhered to.
Greater visibility promotes proactiveness, with configuration changes and issues monitored across the overall systems in real time. This in turn offers the ability to identify and act on potential security breaches as they happen – for example stopping an application, without interrupting other systems, before it becomes a threat. This is a way of working that hasn’t been possible until DevOps’ holistic approach to software development.
These benefits of DevOps mean QA and security are built in to the testing processes, with software unable to move through the lifecycle if it does not comply with pre-agreed standards.
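One way the security checks on IaC described above can be implemented, as an added example that is not code from the original post or from any particular product: a small policy-as-code gate that evaluates infrastructure definitions against pre-agreed standards and fails the pipeline stage on any finding. The resource shape, field names, rules and sample resources are constructed assumptions.

```python
# Added example: a policy-as-code gate over a constructed, Terraform-like list of
# resource dicts. The resource shapes, field names and rules are assumptions.
import sys
# Constructed sample input: one compliant bucket, two non-compliant resources.
SAMPLE_RESOURCES = [
    {"type": "storage_bucket", "name": "logs", "public_read": False,
     "encrypted": True, "tags": {"owner": "platform"}},
    {"type": "firewall_rule", "name": "admin-ssh", "port": 22,
     "source_cidr": "0.0.0.0/0"},
    {"type": "storage_bucket", "name": "uploads", "public_read": True,
     "encrypted": False, "tags": {}},
]
def check_bucket(res: dict) -> list:
    """Pre-agreed standard: buckets are private and encrypted at rest."""
    if res["type"] != "storage_bucket":
        return []
    findings = []
    if res.get("public_read"):
        findings.append("bucket allows public read")
    if not res.get("encrypted"):
        findings.append("bucket is not encrypted at rest")
    return findings

def check_firewall(res: dict) -> list:
    """Pre-agreed standard: admin ports are never open to the whole internet."""
    if res["type"] == "firewall_rule" and res.get("port") in (22, 3389) \
            and res.get("source_cidr") == "0.0.0.0/0":
        return [f"port {res['port']} exposed to 0.0.0.0/0"]
    return []

def check_owner_tag(res: dict) -> list:
    """Pre-agreed standard: every resource carries an owner tag so findings can be routed."""
    return [] if res.get("tags", {}).get("owner") else ["missing owner tag"]

CHECKS = [check_bucket, check_firewall, check_owner_tag]
def run_gate(resources: list, checks=CHECKS) -> dict:
    """Map each failing resource name to its findings; an empty dict means the gate passes."""
    report = {}
    for res in resources:
        findings = [f for check in checks for f in check(res)]
        if findings:
            report[res["name"]] = findings
    return report

if __name__ == "__main__":
    report = run_gate(SAMPLE_RESOURCES)
    for name, findings in report.items():
        print(f"{name}: {'; '.join(findings)}")
    sys.exit(1 if report else 0)  # a non-zero exit status is what blocks the pipeline stage
```

Run as a pipeline step, the script's exit status is the gate: the build cannot proceed while any resource still has findings.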
Harry McLaren, Managing Consultant at ECS Security, explains more about managing security in a DevOps environment:
“DevOps and the corresponding tooling means you can respond faster in the development lifecycle. You can fail fast and fail safe. It’s not possible to remove 100% of risk but it is possible to eliminate the vast majority of it. By using like for like code in a development environment, with mirrored dependencies and so on, we can safely fail without risk before the release goes anywhere near the live environment.
“It’s vital to get buy-in from your security team, involving them in the initial conversation when it comes to DevOps. Today’s consumers see security as a priority, they take it for granted. If you break that trust, there can be far-reaching reputational consequences as well as short-term practical ones.”
The future of security
We’re seeing a shift in how the big players respond to security breaches. There is a trend towards far more public ownership of the breach and transparency as to how the organisation intends to fix or mitigate risk in the future.
Whilst traditional companies – including some in the banking sector – are more reluctant to take a public stance because of the severity of the reputational threat, modern companies are adopting a different tack.
Amazon and Reddit are two such companies, demonstrating an openness in sharing ideas around how to avoid or deal with security breaches. Netflix is another, going as far as to release Chaos Monkey – an open-source service which identifies groups of systems and randomly terminates one of the systems in a group. Whilst deliberate termination of a system seems illogical, failure happens, and being able to challenge your system’s architecture at a time that suits your business is invaluable.
This open sharing of information is not only bolstering the leaders’ business reputations, it is also changing the digital landscape by enabling businesses to build fully resilient applications that can face modern problems.
McLaren agrees: “The general trend is that transparency is becoming a differentiator. Monitoring and early warning are hugely important in order to get insights into what’s occurring. My advice is to empower your developers with data and KPIs – and challenge them.”
Organisations with mature DevOps practices are able to build fully-resilient applications that can cope in the face of today’s threat landscape. They do this by building in security early and testing rigorously in a safe environment.
Would you like to learn more about how DevOps can help to secure your digital transformation? Contact us today for more information.